Malware Analysis Report

2025-03-14 22:29

Sample ID 240407-2y312shb2s
Target 86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090
SHA256 86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090
Tags
upx persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090

Threat Level: Known bad

The file 86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090 was found to be: Known bad.

Malicious Activity Summary

upx persistence

UPX dump on OEP (original entry point)

Modifies AppInit DLL entries

Executes dropped EXE

UPX packed file

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. Mapping derived from the signatures and process trees in this report:

T1546.010 Event Triggered Execution: AppInit DLLs (Modifies AppInit DLL entries)
T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
T1053.005 Scheduled Task/Job: Scheduled Task (inferred: in behavioral1 the dropped EXE is launched by taskeng.exe, the Task Scheduler engine)
T1036.005 Masquerading: Match Legitimate Name or Location (inferred: drop directory named Mozilla under PROGRA~3)

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:00

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
(1 hit; no indicator details recorded)

UPX packed file

upx
Description Indicator Process Target
(1 hit; no indicator details recorded)

Unsigned PE

Description Indicator Process Target
(2 hits; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:00

Reported

2024-04-07 23:03

Platform

win7-20240221-en

Max time kernel

122s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
(3 hits; no indicator details recorded)

Modifies AppInit DLL entries

persistence. The hit is recorded without indicator rows, so the registry value written is not shown. DLLs listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs are loaded by user32.dll into every process that loads user32.dll while LoadAppInit_DLLs is set, which makes this both a persistence and a code-injection primitive. The DLL dropped next to the EXE (see Drops file below) is the obvious candidate for that value, but the report does not confirm it.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\mgbxiii.exe N/A

UPX packed file

upx
Description Indicator Process Target
(3 hits; no indicator details recorded)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\mgbxiii.exe C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe N/A
File created C:\PROGRA~3\Mozilla\iudaoda.dll C:\PROGRA~3\Mozilla\mgbxiii.exe N/A

Note: PROGRA~3 is normally the 8.3 short name of C:\ProgramData, not of Program Files, so the signature title overstates the location; ProgramData is writable by standard users, so no elevation is needed for the drop. The chain is two stages: the submitted sample writes the EXE, and the EXE writes the DLL. The Mozilla directory name borrows a legitimate vendor name, and the seven-letter file names differ between runs (compare behavioral2), so hunt on location and behaviour rather than on file name or hash.

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\mgbxiii.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2628 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\mgbxiii.exe (logged 4 times)

Note: the writer is taskeng.exe (PID 3040) and the target is the dropped EXE it is starting (PID 2628). A few writes from a parent into a freshly created child are what CreateProcess itself produces, so this is not evidence of injection by the sample. The significant fact is the parent: the Task Scheduler engine running mgbxiii.exe indicates a scheduled task was registered, even though no task-creation signature fired in this run.

Processes

C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe

"C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AA68100D-7F91-428A-8896-1CECAF2F46E1} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\mgbxiii.exe

C:\PROGRA~3\Mozilla\mgbxiii.exe -ccvrhxi

Network

No network activity recorded.

Files

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp. PID 2628 is mgbxiii.exe (see the WriteProcessMemory rows), which leaves PID 2216 as the submitted sample. Both processes show the same image at 0x400000, first as a 0x5E000 mapping and then as 0x5B000 dumps, consistent with the UPX dump on OEP signature capturing the image after the unpacking stub has run.

memory/2216-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2216-1-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2216-2-0x0000000000250000-0x00000000002AB000-memory.dmp

memory/2216-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\mgbxiii.exe

MD5 0112c6cfb1e3a8b3dcd3c3c2cbb1bc92
SHA1 5fb06dc9cd1d87ee0f2ef9fdfa2a2a023f31dcf5
SHA256 3609dfb4da5fe710fa7adf942ea2b10b983119bbd1a2a4e6eafe2414568807fe
SHA512 c0164091b20e0e05cc78342692526fcfd09a6e551ac50a70d2fba66d8931085fb0770b8965a4bfd5aeaf1aacd4580552cdc63c1f869e882b7400134c8d0635f9

memory/2628-7-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2628-8-0x0000000000310000-0x000000000036B000-memory.dmp

memory/2628-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2628-11-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:00

Reported

2024-04-07 23:02

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
(2 hits; no indicator details recorded)

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\gfuniul.exe N/A

UPX packed file

upx
Description Indicator Process Target
(2 hits; no indicator details recorded)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\gfuniul.exe C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe N/A
File created C:\PROGRA~3\Mozilla\kzlcazd.dll C:\PROGRA~3\Mozilla\gfuniul.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe

"C:\Users\Admin\AppData\Local\Temp\86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090.exe"

C:\PROGRA~3\Mozilla\gfuniul.exe

C:\PROGRA~3\Mozilla\gfuniul.exe -lfdzfzd

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 (domain not recorded) udp

Note: every entry is a reverse (PTR) lookup sent to Google DNS, and none is attributed to a sample process. Lookups of this shape are routinely generated by a Windows 10 image itself, so do not treat these addresses as indicators. Neither run shows network traffic attributable to the sample.

Files

Same naming as behavioral1: PID 2952 exists before the drop and is the submitted sample; PID 2284 appears only after the drop and is gfuniul.exe.

memory/2952-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2952-2-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2952-1-0x0000000000630000-0x000000000068B000-memory.dmp

C:\PROGRA~3\Mozilla\gfuniul.exe

MD5 e42b1cfc36530cd40b2f4f94ea2ee7cc
SHA1 5d160420121d91f7662a8f6e7d49473b92105270
SHA256 d2ecfc2cea914cc3d3d35180110f941ddf573b0f646224a0cf83b30381bc4c5f
SHA512 3c71d763df61bac92e4bb93bd0b8cd6525b3eb790440b60caedb96fba8be3dabd6a3fd08a52460a266a7bff714249ab4bb5ba313ae9b23003424a567691a5222

memory/2952-7-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2284-9-0x00000000008C0000-0x000000000091B000-memory.dmp

memory/2952-8-0x0000000000630000-0x000000000068B000-memory.dmp

memory/2284-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2284-13-0x00000000008C0000-0x000000000091B000-memory.dmp

memory/2284-14-0x0000000000400000-0x000000000045B000-memory.dmp
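Hunting for the artifacts above on a live host, as an added example (editor's code, not from the sandbox vendor or from the sample). It assumes C:\ProgramData is what PROGRA~3 expands to, a host that may be 64-bit (so the Wow6432Node AppInit key is checked as well), and PowerShell 4.0 or later for Get-FileHash; it calls schtasks.exe instead of Get-ScheduledTask so it also runs on the Windows 7 build used for behavioral1. The three hashes are the SHA256s from this report; the seven-letter-name and missing-signature heuristics are the editor's, not the sandbox's.

```powershell
# Added example (editor's code, not part of the sandbox report or the sample): hunt one host
# for the artifacts recorded in behavioral1/behavioral2. Run in an elevated PowerShell session.
# Assumptions not taken from the report: PROGRA~3 expands to C:\ProgramData, the host may be
# 64-bit, and schtasks.exe is available (it is on Windows 7 and later).

$KnownHashes = @(
    '86ebfcd811dd3454885c62eec4f63d3d7e7da5c001e04bd0a2a65628c8bfb090',  # submitted sample
    '3609dfb4da5fe710fa7adf942ea2b10b983119bbd1a2a4e6eafe2414568807fe',  # mgbxiii.exe (behavioral1)
    'd2ecfc2cea914cc3d3d35180110f941ddf573b0f646224a0cf83b30381bc4c5f'   # gfuniul.exe (behavioral2)
)
$DropDir  = Join-Path $env:ProgramData 'Mozilla'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. AppInit_DLLs persistence ("Modifies AppInit DLL entries"). Any non-empty value is a lead;
#    LoadAppInit_DLLs=1 means user32.dll will actually load the listed DLLs.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $AppInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = [string]$props.AppInit_DLLs
    if ($dlls.Trim() -ne '') {
        Add-Finding 'AppInit_DLLs' ("{0}: AppInit_DLLs='{1}' LoadAppInit_DLLs={2}" -f $key, $dlls, [int]$props.LoadAppInit_DLLs)
    }
}

# 2. Dropped binaries. Names and hashes differed between the two detonations, so match on the
#    location plus a random seven-letter name and a missing signature, not on the hash alone.
if (Test-Path $DropDir) {
    foreach ($file in Get-ChildItem -Path $DropDir -File -Recurse -ErrorAction SilentlyContinue) {
        if ($file.Extension -notin '.exe', '.dll') { continue }
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
        $sig  = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
        $looksGenerated = ($file.BaseName -match '^[a-z]{7}$') -and ($sig -ne 'Valid')
        if (($KnownHashes -contains $hash) -or $looksGenerated) {
            Add-Finding 'DroppedFile' ("{0} sha256={1} signature={2}" -f $file.FullName, $hash, $sig)
        }
    }
}

# 3. Scheduled tasks. In behavioral1 the dropped EXE was launched by taskeng.exe (the Task
#    Scheduler engine), so look for any task action that points into the drop directory.
$tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
foreach ($task in $tasks) {
    $action = [string]$task.'Task To Run'
    if ($action -eq 'Task To Run') { continue }   # schtasks repeats its header row per task folder
    if ($action -like "*$DropDir*" -or $action -like '*PROGRA~3\Mozilla*') {
        Add-Finding 'ScheduledTask' ("{0} -> {1}" -f $task.TaskName, $action)
    }
}

# 4. Summary. Each line is a lead to verify by hand, not an automatic verdict.
if ($Findings.Count -eq 0) { 'No artifacts matching this report were found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

A non-empty AppInit_DLLs is a lead rather than a verdict, since some legitimate software sets it; check the referenced DLL's path, signature and hash before acting. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled, so on such hosts the value may be present without ever loading, while the dropped files and any scheduled task still need cleaning up. Expect the hash list to miss a fresh infection: the dropped binaries differed between the two detonations, which is why the script also matches on location and naming.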