Malware Analysis Report

2025-03-14 22:10

Sample ID 240407-27fl4she79
Target 8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10
SHA256 8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10

Threat Level: Known bad

The file 8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10 was found to be: Known bad.

Malicious Activity Summary

persistence

Detects executables packed with ASPack

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:13

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:13

Reported

2024-04-07 23:15

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\frviiqj.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\frviiqj.exe | C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe | N/A
File created | C:\PROGRA~3\Mozilla\sjqrgse.dll | C:\PROGRA~3\Mozilla\frviiqj.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe

"C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe"

C:\PROGRA~3\Mozilla\frviiqj.exe

C:\PROGRA~3\Mozilla\frviiqj.exe -myayasb

Network

Country | Destination | Domain | Proto
GB | 23.44.234.16:80 | | tcp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp

Files

memory/2192-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2192-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2192-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2192-3-0x00000000020B0000-0x000000000210B000-memory.dmp

memory/2192-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2192-9-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\frviiqj.exe

MD5 7c5cd4db9b458f4373ce79da24f9ff74
SHA1 a639d5c3c5d3ffe28fc08799124962b550f1f7e1
SHA256 23f98c904d6dc14cb42dfd5945944409b11f0a142c1940843887e3ce3e89bed7
SHA512 23420a9f719ca0872b241902eeb041bbec5173674ec560cbac9dabd9fad4ef418743c233517b20b297cfc2d9be509b471975844382bd98a297b4e6c27e0dd8d3

memory/2192-10-0x00000000020B0000-0x000000000210B000-memory.dmp

memory/772-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/772-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/772-13-0x0000000000540000-0x000000000059B000-memory.dmp

memory/772-14-0x0000000000400000-0x000000000045B000-memory.dmp

memory/772-17-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:13

Reported

2024-04-07 23:15

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe | N/A
File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1728 wrote to memory of 2612 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 1728 wrote to memory of 2612 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 1728 wrote to memory of 2612 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 1728 wrote to memory of 2612 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe

"C:\Users\Admin\AppData\Local\Temp\8caeb50d631ef445fba537aa1765f1ab3ad07e2588f315841fd320c1b919dc10.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D9809C36-5248-4AF7-8815-C30F44AF9FCA} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

Network

N/A

Files

memory/2288-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2288-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2288-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2288-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2288-3-0x0000000000250000-0x00000000002AB000-memory.dmp

memory/2288-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 fd5c76540fb865119397689e1ce890e8
SHA1 0f058b1ed1715ba5ceeb284a12928ea8879b2ee6
SHA256 91b6cb4fe325c74f3d2f4b74db5891040fbddadcad3edca4a3bf2e4a19756f11
SHA512 e042b44b162d9518771aeb0f19c2a4288e059735e4daa0508bd5878bb2dc3985e57597e42b5e2ecbbe0d886dc9adc7dc5236a7ef0eefc4bd29e312acdc1b151b

memory/2612-11-0x00000000003A0000-0x00000000003FB000-memory.dmp

memory/2612-12-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2612-14-0x0000000000400000-0x000000000045B000-memory.dmp