Analysis Overview
SHA256
90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e
Threat Level: Likely malicious
The file 90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:23
Reported
2024-04-07 23:25
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\hdxpvzc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\hdxpvzc.exe | C:\Users\Admin\AppData\Local\Temp\90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\ydmvyrg.dll | C:\PROGRA~3\Mozilla\hdxpvzc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e.exe
"C:\Users\Admin\AppData\Local\Temp\90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e.exe"
C:\PROGRA~3\Mozilla\hdxpvzc.exe
C:\PROGRA~3\Mozilla\hdxpvzc.exe -ilrweca
Network
Files
memory/1980-0-0x0000000000400000-0x0000000000469000-memory.dmp
memory/1980-1-0x00000000021F0000-0x000000000224B000-memory.dmp
memory/1980-2-0x0000000000400000-0x000000000045B000-memory.dmp
C:\ProgramData\Mozilla\hdxpvzc.exe
| Hash | Value |
|---|---|
| MD5 | 21fceeeb79c4537a82fcebdaab3f2a6d |
| SHA1 | 24ce807092fe76471ec279c2de41f6cea58083e4 |
| SHA256 | f4eacfa110eef9f6b53e636f632f310cc6bc20add3d585661a9268e52817164d |
| SHA512 | 2907082264318776cb1b6d8db90ddbc405f705768275f52933f29604256f1abc924b0e24f5ee11b1214983f6e66f0b271de17e881ac530e879169de2423cc2f6 |
memory/4648-6-0x0000000000400000-0x0000000000469000-memory.dmp
memory/1980-8-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4648-7-0x0000000000C20000-0x0000000000C7B000-memory.dmp
memory/1980-10-0x00000000021F0000-0x000000000224B000-memory.dmp
memory/4648-11-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4648-13-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4648-15-0x0000000000C20000-0x0000000000C7B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:23
Reported
2024-04-07 23:25
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\PROGRA~3\Mozilla\mgbxiii.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\PROGRA~3\Mozilla\iudaoda.dll | C:\PROGRA~3\Mozilla\mgbxiii.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\mgbxiii.exe | C:\Users\Admin\AppData\Local\Temp\90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\mgbxiii.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2680 wrote to memory of 2676 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\mgbxiii.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e.exe
"C:\Users\Admin\AppData\Local\Temp\90eaffceff842f9a1f1eef8fb84e5d1f995a1592c371e039fc90b42754aded8e.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {355AEF1A-18A0-4054-8895-9D27A5FE4E0D} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\mgbxiii.exe
C:\PROGRA~3\Mozilla\mgbxiii.exe -ccvrhxi
Network
Files
memory/2740-0-0x0000000000400000-0x0000000000469000-memory.dmp
memory/2740-1-0x0000000000260000-0x00000000002BB000-memory.dmp
memory/2740-2-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2740-4-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\mgbxiii.exe
| Hash | Value |
|---|---|
| MD5 | 8aeb27dbda97ec5f94a3c3dc85abcf7b |
| SHA1 | 5cb21fb7ad8303fd0de2472012464799ed9da4d2 |
| SHA256 | c142293461ce70006fe37e05278030b92f2386b0aca1c6da28bc77d4265a8f00 |
| SHA512 | 6fa125961fceeb21e413aedd1c318b453388582eb5ee63508413ea90612664a3f848bba109b4c0f114ab427e4670da00870123d2639032dad21dad13f33e8aef |
memory/2676-7-0x0000000000400000-0x0000000000469000-memory.dmp
memory/2676-8-0x0000000000470000-0x00000000004CB000-memory.dmp
memory/2676-9-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2676-11-0x0000000000400000-0x000000000045B000-memory.dmp