Analysis Overview
SHA256
88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040
Threat Level: Likely malicious
The file 88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040 was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:04
Reported
2024-04-07 23:07
Platform
win7-20240221-en
Max time kernel
119s
Max time network
134s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\mgbxiii.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\mgbxiii.exe | C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\iudaoda.dll | C:\PROGRA~3\Mozilla\mgbxiii.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe |
| PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe |
| PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe |
| PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe
"C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E50064A0-B0FB-4BA9-BBAD-088B07B7B3E9} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\mgbxiii.exe
C:\PROGRA~3\Mozilla\mgbxiii.exe -ccvrhxi
Network
Files
memory/2208-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2208-1-0x0000000000220000-0x000000000027B000-memory.dmp
memory/2208-8-0x0000000000400000-0x0000000000426000-memory.dmp
C:\PROGRA~3\Mozilla\mgbxiii.exe
| Hash | Value |
| --- | --- |
| MD5 | ccc758e04e0849566ad6fd6391638e54 |
| SHA1 | 4f23d947c6113a9716d431ec8a1242e7cc3abf14 |
| SHA256 | bd3bfe54e1db51c7ec8ce5394c3818f7f48758b57aa3c81bc539fc22407f1a23 |
| SHA512 | 071a6bda60cdd2b83a50d50ce95161725332ab2d36a6387da7aad0d7d92ed8117dcbe150dae04e046e3d6ee1612d8a2addf113b2baa4eb5e719ade845995b462 |
memory/2652-11-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2652-12-0x0000000000370000-0x00000000003CB000-memory.dmp
memory/2652-19-0x0000000000400000-0x0000000000426000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:04
Reported
2024-04-07 23:07
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
125s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\ohfxkha.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\ohfxkha.exe | C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\hdgkqaj.dll | C:\PROGRA~3\Mozilla\ohfxkha.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe
"C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe"
C:\PROGRA~3\Mozilla\ohfxkha.exe
C:\PROGRA~3\Mozilla\ohfxkha.exe -jmpzska
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2052-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2052-1-0x0000000000590000-0x00000000005EB000-memory.dmp
C:\PROGRA~3\Mozilla\ohfxkha.exe
| Hash | Value |
| --- | --- |
| MD5 | 6dc70d596c5a0fcc397e91ae6fd5d3c2 |
| SHA1 | b91c9af9f3af747c6ca4d23e27b8eded5042cbe9 |
| SHA256 | 527713aecf1a45dadc45f10890f60afd108fefd5456ed7fc8b4da0f3b252f82f |
| SHA512 | 63188245905443e86bc1c4ac010e26ca6e5df8d6e406ddd4b70f7e14ce9bf12b9d1db4f4e0b815015a5c1331c501ccecb75996a89e19a6430ca4b0e0b87fc970 |
memory/2052-10-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3960-11-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3960-12-0x0000000000D10000-0x0000000000D6B000-memory.dmp
memory/3960-19-0x0000000000400000-0x0000000000426000-memory.dmp