Analysis Overview
SHA256
9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602
Threat Level: Likely malicious
The file 9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602 was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in ProgramData directory (reported by the sandbox as "Program Files"; C:\PROGRA~3 is the 8.3 short name of C:\ProgramData, as the full path C:\ProgramData\Mozilla\jhifwqk.exe in the behavioral2 file list confirms)
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:42
Signatures
Unsigned PE (file-level property: the sample carries no Authenticode signature; no per-event indicator applies)
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:42
Reported
2024-04-06 23:44
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |
Drops file in ProgramData directory (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData; the sandbox labels this "Program Files")
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1616 wrote to memory of 2500 (recorded 4 times) | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
PID 1616 is taskeng.exe, the Windows 7 Task Scheduler engine, running here for a task under SYSTEM (S-1-5-18, see Processes below), and PID 2500 is the dropped tbckyxk.exe it launches (the memory dumps for PID 2500 below map the same 0x400000-0x424000 image). Writes by a parent into a child it has just created are part of normal process start-up, so in this run the signature points to the dropped EXE being started by a scheduled task as SYSTEM rather than to injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602.exe
"C:\Users\Admin\AppData\Local\Temp\9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {96B5E806-585E-401C-B0B6-6426BE7EF058} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\tbckyxk.exe
C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
Network (no connections recorded in this run)
Files
memory/2344-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2344-1-0x0000000000370000-0x00000000003CB000-memory.dmp
memory/2344-7-0x0000000000400000-0x0000000000424000-memory.dmp
C:\PROGRA~3\Mozilla\tbckyxk.exe
| MD5 | 72816af767f83f2feaa05d8a4bc98d5d |
| SHA1 | 661c24de43f218f218cd081d1904a1ab58d74e0f |
| SHA256 | fcb114277d0165ace400ac2050f484e06b6c953462cc24502f8bb2d167937c73 |
| SHA512 | 67bea9f0721f94e3b15fa66ca79ec6a172b109d6e0e9a18153438142f50542c1e6f20b0b51636df66550c3549fbf4f209f16b59f4d900729a1fd5bb93f5b41a3 |
memory/2500-10-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2500-11-0x0000000000320000-0x000000000037B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:42
Reported
2024-04-06 23:44
Platform
win10v2004-20240319-en
Max time kernel
136s
Max time network
132s
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A |
Drops file in ProgramData directory (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData; the sandbox labels this "Program Files")
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\jhifwqk.exe | C:\Users\Admin\AppData\Local\Temp\9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\biclnte.dll | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602.exe
"C:\Users\Admin\AppData\Local\Temp\9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602.exe"
C:\PROGRA~3\Mozilla\jhifwqk.exe
C:\PROGRA~3\Mozilla\jhifwqk.exe -zmqutfb
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2584 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:8
Network
The only activity recorded is reverse-DNS (in-addr.arpa) lookups and TLS to tse1.mm.bing.net, a Microsoft image host; the report attributes none of it to the sample's processes, and the Edge utility process listed above is the likely source. No traffic from jhifwqk.exe was captured in this run.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2112-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2112-1-0x0000000002570000-0x00000000025CB000-memory.dmp
C:\ProgramData\Mozilla\jhifwqk.exe
| MD5 | 63e3887844cec6e046928c3789501710 |
| SHA1 | e39844e32997e9d5d9dac52afac30da5422dbba5 |
| SHA256 | 3e5b9218facbda7d4548f2ebacbad93075c2c2ab3eecdf75c4ce4b293bc42a3a |
| SHA512 | 56f4890dbeeb0b7a28f7d742d06b005e775e8daaeec6d91af108fcae68b4d82b2b030bd07d696fbea8b912cb4cf29ff43444eeb4958dcdedaac941249729edbc |
memory/2112-9-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4328-10-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4328-11-0x0000000001000000-0x000000000105B000-memory.dmp
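The following host-triage script is an added example and is not part of the sandbox report or the analysed sample. It checks a Windows host for the indicators the two runs above share: the AppInit_DLLs registry values (both the native and the WOW6432Node key on 64-bit hosts), PE files under C:\ProgramData\Mozilla (C:\PROGRA~3\Mozilla in the report) hashed against the three SHA256 values listed above, processes running from that directory, and scheduled tasks whose action points into it (the Win7 run shows the dropped EXE being launched by taskeng.exe). The hashes and paths are taken from the report; the assumption that any later dropped file keeps the same directory is the script's own, and the dropped file names are random per run, so nothing keys on tbckyxk.exe or jhifwqk.exe. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the report). Looks for the persistence and drop
# indicators of sample 9b2c4710...1602 on the local host. Assumption: later
# variants keep dropping into %ProgramData%\Mozilla; file names are per-run random.

$Iocs = @{
    Sha256 = @(
        '9b2c47106e4c1902ee40ecde91ba305a88cfe93560eb225ab939984dab181602',  # submitted sample
        'fcb114277d0165ace400ac2050f484e06b6c953462cc24502f8bb2d167937c73',  # tbckyxk.exe (Win7 run)
        '3e5b9218facbda7d4548f2ebacbad93075c2c2ab3eecdf75c4ce4b293bc42a3a'   # jhifwqk.exe (Win10 run)
    )
    DropDir = Join-Path $env:ProgramData 'Mozilla'   # C:\PROGRA~3\Mozilla in the report
}

# AppInit_DLLs is read from the Windows NT key; on 64-bit hosts the WOW6432Node
# copy governs 32-bit processes, so both must be checked.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

$Findings = @()

# 1. AppInit DLL entries ("Modifies AppInit DLL entries" in both runs).
foreach ($key in $AppInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = [string]$props.AppInit_DLLs
    $load  = [int]$props.LoadAppInit_DLLs
    if ($dlls.Trim() -ne '') {
        $Findings += [pscustomobject]@{
            Type  = 'AppInit_DLLs set'
            Where = $key
            Value = "AppInit_DLLs='$dlls' LoadAppInit_DLLs=$load"
        }
    }
}

# 2. PE files in the drop directory: hash against the report, record signature status.
if (Test-Path $Iocs.DropDir) {
    Get-ChildItem -Path $Iocs.DropDir -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            $Findings += [pscustomobject]@{
                Type  = if ($Iocs.Sha256 -contains $hash) { 'IOC hash match' } else { "PE in drop dir (signature: $sig)" }
                Where = $_.FullName
                Value = $hash
            }
        }
}

# 3. Live processes executing from the drop directory ("Executes dropped EXE").
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith($Iocs.DropDir, 'OrdinalIgnoreCase') } |
    ForEach-Object {
        $Findings += [pscustomobject]@{
            Type  = 'Process from drop dir'
            Where = "PID $($_.ProcessId) (parent $($_.ParentProcessId))"
            Value = $_.CommandLine
        }
    }

# 4. Scheduled tasks whose action points into the drop directory. schtasks is used
#    rather than Get-ScheduledTask because it also exists on Windows 7 (the win7 run
#    shows taskeng.exe launching tbckyxk.exe). Repeated CSV header rows that schtasks
#    emits per task folder never match the pattern, so they are harmless.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    $action = [string]$t.'Task To Run'
    if ($action -match [regex]::Escape($Iocs.DropDir) -or $action -match 'PROGRA~3\\Mozilla') {
        $Findings += [pscustomobject]@{ Type = 'Scheduled task'; Where = $t.TaskName; Value = $action }
    }
}

if ($Findings.Count -eq 0) {
    'No indicators from this report found on this host.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

Two caveats when reading the output. Legitimate Mozilla products also use C:\ProgramData\Mozilla (for example the Firefox maintenance service), so only a hash match is conclusive on its own; an unsigned PE there combined with a populated AppInit_DLLs value or a scheduled task pointing at it is the corroborating pattern the report describes. And AppInit_DLLs is only honoured when LoadAppInit_DLLs is 1, which is the default on Windows 7 but not on Windows 8 and later; on those versions the mechanism is also disabled entirely when Secure Boot is on, so a populated value on a modern host shows intent to persist but does not by itself prove the DLL is being loaded.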