Malware Analysis Report

2025-03-14 22:58

Sample ID 240406-3s3nrsee5v
Target 9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809
SHA256 9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809
Tags
persistence
score
8/10

Analysis Overview

score
8/10

SHA256

9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809

Threat Level: Likely malicious

The file 9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:47

Reported

2024-04-06 23:50

Platform

win7-20231129-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\anhxrcb.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\fqurfhn.dll | C:\PROGRA~3\Mozilla\anhxrcb.exe | N/A
File created | C:\PROGRA~3\Mozilla\anhxrcb.exe | C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\anhxrcb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2980 wrote to memory of 2060 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\anhxrcb.exe
PID 2980 wrote to memory of 2060 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\anhxrcb.exe
PID 2980 wrote to memory of 2060 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\anhxrcb.exe
PID 2980 wrote to memory of 2060 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\anhxrcb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe

"C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {96F60E18-3DD8-49E1-AE55-1BB90178E5CC} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\anhxrcb.exe

C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj

Network

N/A

Files

memory/2964-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2964-1-0x00000000002E0000-0x000000000033B000-memory.dmp

memory/2964-2-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2964-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\anhxrcb.exe

MD5 e88b0a58379dfc879bc9f408e7274646
SHA1 41fd12ab91077ed38824036a356332c6cfedbee2
SHA256 0687f8924b5cbdb5299b17d5183fd472e709abbcb412fcc76289ef6a39b6cf8e
SHA512 a53664548346adf9e2266686b3f087a4af470c1d7a19abb31d70b7122e2eb6b229e18358a03f930ed34861038940362a54f2745b3a8626328ee30caa481e9205

memory/2060-7-0x0000000000340000-0x000000000039B000-memory.dmp

memory/2060-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2060-10-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:47

Reported

2024-04-06 23:50

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\ktyqhhb.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\ktyqhhb.exe | C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe | N/A
File created | C:\PROGRA~3\Mozilla\ixnvdrc.dll | C:\PROGRA~3\Mozilla\ktyqhhb.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe

"C:\Users\Admin\AppData\Local\Temp\9d5138e9cdf0032d43319a261ad58c684191e590e7b39825e3012f08270c6809.exe"

C:\PROGRA~3\Mozilla\ktyqhhb.exe

C:\PROGRA~3\Mozilla\ktyqhhb.exe -arwhcpc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.239.69.13.in-addr.arpa | udp

Files

memory/2080-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2080-1-0x00000000020A0000-0x00000000020FB000-memory.dmp

memory/2080-2-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\ktyqhhb.exe

MD5 d1e5582f18947dd73edc5d4135ed1440
SHA1 5ae499d9f895537119580306f76313fb2e1df47f
SHA256 49e579e1e74db67534e82193a306606feb2db92d9f40df5fd4f6c6b4e31f1b72
SHA512 563323d9d1e3f2a26f18232d925528618ea8060ed5de752f4a3c2f88caa74f0985d646d55b2cdb7a9fba8e9a5e5f8331b079d90c183f0656fc9757012107217d

memory/3248-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3248-7-0x0000000000C90000-0x0000000000CEB000-memory.dmp

memory/2080-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3248-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2080-11-0x00000000020A0000-0x00000000020FB000-memory.dmp

memory/3248-13-0x0000000000400000-0x000000000045B000-memory.dmp