Malware Analysis Report

2025-03-14 22:32

Sample ID: 240406-1tn6nacg89
Target: 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476
SHA256: 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476
Tags: persistence
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476

Threat Level: Known bad

The file 6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476 was found to be: Known bad.

Malicious Activity Summary

persistence

Detects executables built or packed with MPress PE compressor

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:56

Signatures

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:56
Reported: 2024-04-06 21:59
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe"

Signatures

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries (persistence)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe | N/A
File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1760 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 1760 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 1760 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 1760 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe"

Process: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {3ED2D991-848E-479D-BF56-6FBCAEBA318E} S-1-5-18:NT AUTHORITY\System:Service:

Process: C:\PROGRA~3\Mozilla\tbckyxk.exe
Command line: C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye

Network

N/A

Files

memory/1932-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1932-1-0x0000000000220000-0x000000000027B000-memory.dmp

memory/1932-7-0x0000000000400000-0x000000000042C000-memory.dmp

C:\PROGRA~3\Mozilla\tbckyxk.exe

MD5: 585397c50bdfbdc3cac8f48d28d95c2e
SHA1: 7e4d49a08dd5b80d604cafc6b257706ae3753a3d
SHA256: c1d9cefb0735008ad5db3f1e4e5d0a5135faa27896e2cda16ce8f2e881904abd
SHA512: af0e6084efdd9f18475513ffe33b27fb0c2eac90541c4327a848b76e2bf68c8c683cc066e2a637baf0c88c2d297825defb7109d7cf6bc137e5d2a153d95d8e8e

memory/1664-10-0x0000000000430000-0x000000000048B000-memory.dmp

memory/1664-16-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:56
Reported: 2024-04-06 21:59
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe"

Signatures

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries (persistence)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\zonasdl.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\zonasdl.exe | C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe | N/A
File created | C:\PROGRA~3\Mozilla\eggeazi.dll | C:\PROGRA~3\Mozilla\zonasdl.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6a1dfa83de4d60c09fc0aa5809d0c695c02e4f2cc27a861e75f686325d54c476.exe"

Process: C:\PROGRA~3\Mozilla\zonasdl.exe
Command line: C:\PROGRA~3\Mozilla\zonasdl.exe -ufdnlxl

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp

Files

memory/4372-0-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4372-1-0x0000000002080000-0x00000000020DB000-memory.dmp

C:\ProgramData\Mozilla\zonasdl.exe

MD5: 693b9fd492896c32648469c7fa017536
SHA1: d4f8acf09bce2cd059792bd3aee73fcf11bfae45
SHA256: 11b84c97737baf65f923bdbbe8bbec963035000b7be959c2c53ab953a27fa5ec
SHA512: c6a1ab124befb903220baf06cde621423e9fd5efddcbadc05cb15b46df69094a386c03c36ebe487a0b190ccf61061ede39eaa722ce3ffb8cdcec5388ef944810

memory/4372-9-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3164-10-0x0000000000D00000-0x0000000000D5B000-memory.dmp

memory/3164-16-0x0000000000400000-0x000000000042C000-memory.dmp