Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-1ysdwacc9w
Target 6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139
SHA256 6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139

Threat Level: Likely malicious

The file 6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:03

Reported

2024-04-06 22:06

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe | N/A
File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2280 wrote to memory of 2316 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2280 wrote to memory of 2316 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2280 wrote to memory of 2316 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2280 wrote to memory of 2316 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe

"C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B90936FB-C976-4183-9BCC-94C94F151B10} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\tbckyxk.exe

C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye

Network

N/A

Files

memory/1100-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1100-2-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1100-1-0x0000000000310000-0x000000000036C000-memory.dmp

memory/1100-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\tbckyxk.exe

MD5 521e64c9c35122a97aaa6d16b4689034
SHA1 9ae8a9eb82a061e18eabcefa22201348c088c94b
SHA256 8a493ac89847feae24c1d41cbc54c3e2110ba2fbb8b0cdeac24bf7284ac5dabf
SHA512 03cf68d1a0d66d2baa09d568b2f8f1ae6cd4853675fe9d2fec45194743d7d6867276f76cff12dd2177f1e7ab58a8c0e9f27c0d29e9cd723440701dd304a9e6e0

memory/2316-7-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2316-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2316-8-0x0000000000470000-0x00000000004CC000-memory.dmp

memory/2316-11-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:03

Reported

2024-04-06 22:06

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\gfuniul.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\gfuniul.exe | C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe | N/A
File created | C:\PROGRA~3\Mozilla\kzlcazd.dll | C:\PROGRA~3\Mozilla\gfuniul.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe

"C:\Users\Admin\AppData\Local\Temp\6bf2759852d14687f4506b2a6f12f0eaf78c60238cdd403b2ea20402f1f0a139.exe"

C:\PROGRA~3\Mozilla\gfuniul.exe

C:\PROGRA~3\Mozilla\gfuniul.exe -lfdzfzd

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp

Files

memory/1420-0-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1420-1-0x0000000000630000-0x000000000068C000-memory.dmp

memory/1420-2-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\gfuniul.exe

MD5 53318006e16f2aa855eab514b4b66fbc
SHA1 cf9bfd649d7bb4f7c632b2487e63e69bba060edb
SHA256 0045db14b54fb2e0b5c67a68e2bac0e63289a2ce728662533538258167c4e087
SHA512 58f33ae2b9d96d7efe1fba5d046357bb3f63df86a6ce97bf83b8328796371aa578d56f1fed40ce594c5029267c47b3c3ed221f344a2a8ee9453610dbeff980b6

memory/1420-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1420-8-0x0000000000630000-0x000000000068C000-memory.dmp

memory/4320-9-0x0000000000600000-0x000000000065C000-memory.dmp

memory/4320-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4320-12-0x0000000000400000-0x000000000045B000-memory.dmp