Malware Analysis Report

2025-03-14 22:29

Sample ID: 240407-22jftahd38
Target: 88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040
SHA256: 88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040

Threat Level: Likely malicious

The file 88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:04
Reported: 2024-04-07 23:07
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\mgbxiii.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\mgbxiii.exe | C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe | N/A
File created | C:\PROGRA~3\Mozilla\iudaoda.dll | C:\PROGRA~3\Mozilla\mgbxiii.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe
PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe
PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe
PID 2560 wrote to memory of 2652 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe

Processes

C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe

"C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E50064A0-B0FB-4BA9-BBAD-088B07B7B3E9} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\mgbxiii.exe

C:\PROGRA~3\Mozilla\mgbxiii.exe -ccvrhxi

Network

N/A

Files

memory/2208-0-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2208-1-0x0000000000220000-0x000000000027B000-memory.dmp

memory/2208-8-0x0000000000400000-0x0000000000426000-memory.dmp

C:\PROGRA~3\Mozilla\mgbxiii.exe

MD5: ccc758e04e0849566ad6fd6391638e54
SHA1: 4f23d947c6113a9716d431ec8a1242e7cc3abf14
SHA256: bd3bfe54e1db51c7ec8ce5394c3818f7f48758b57aa3c81bc539fc22407f1a23
SHA512: 071a6bda60cdd2b83a50d50ce95161725332ab2d36a6387da7aad0d7d92ed8117dcbe150dae04e046e3d6ee1612d8a2addf113b2baa4eb5e719ade845995b462

memory/2652-11-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2652-12-0x0000000000370000-0x00000000003CB000-memory.dmp

memory/2652-19-0x0000000000400000-0x0000000000426000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 23:04
Reported: 2024-04-07 23:07
Platform: win10v2004-20240226-en
Max time kernel: 92s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\ohfxkha.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\ohfxkha.exe | C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe | N/A
File created | C:\PROGRA~3\Mozilla\hdgkqaj.dll | C:\PROGRA~3\Mozilla\ohfxkha.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe

"C:\Users\Admin\AppData\Local\Temp\88dccf6e81d993027428c16a745199c189801b05c6ad8f1816dd826055d10040.exe"

C:\PROGRA~3\Mozilla\ohfxkha.exe

C:\PROGRA~3\Mozilla\ohfxkha.exe -jmpzska

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/2052-0-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2052-1-0x0000000000590000-0x00000000005EB000-memory.dmp

C:\PROGRA~3\Mozilla\ohfxkha.exe

MD5: 6dc70d596c5a0fcc397e91ae6fd5d3c2
SHA1: b91c9af9f3af747c6ca4d23e27b8eded5042cbe9
SHA256: 527713aecf1a45dadc45f10890f60afd108fefd5456ed7fc8b4da0f3b252f82f
SHA512: 63188245905443e86bc1c4ac010e26ca6e5df8d6e406ddd4b70f7e14ce9bf12b9d1db4f4e0b815015a5c1331c501ccecb75996a89e19a6430ca4b0e0b87fc970

memory/2052-10-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3960-11-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3960-12-0x0000000000D10000-0x0000000000D6B000-memory.dmp

memory/3960-19-0x0000000000400000-0x0000000000426000-memory.dmp