Analysis Overview
SHA256
a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5
Threat Level: Known bad
The file a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5 was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
UPX dump on OEP (original entry point)
Modifies AppInit DLL entries
UPX packed file
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 00:02
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 00:02
Reported
2024-04-07 00:05
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 3000 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2736 wrote to memory of 3000 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2736 wrote to memory of 3000 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2736 wrote to memory of 3000 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
"C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {4C2F6653-F00B-438D-BADF-4376140E064E} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\dbilzqh.exe
C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
Network
Files
memory/2228-2-0x0000000000260000-0x00000000002BB000-memory.dmp
memory/2228-1-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2228-0-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2228-4-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\dbilzqh.exe
| MD5 | 3de42d2c27e8afdc9ad904efdb8f1e1a |
| SHA1 | 08a975e9c4b5eafee5de4b467951c4d2512029a2 |
| SHA256 | 6281858ed0d197650b5a5f18d1adc24ad384b96bf2cdeb0b6a5762a99f36ee5e |
| SHA512 | 7ddd724e405d72987b5cfb16485d20059dbd6d641cd93d81518b3f4fd2475e4935a37e807d1458e1c61b65f2cac011ce20bc287453b334bbe9a824b531680025 |
memory/3000-7-0x0000000000400000-0x000000000045F000-memory.dmp
memory/3000-8-0x00000000003A0000-0x00000000003FB000-memory.dmp
memory/3000-9-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3000-11-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 00:02
Reported
2024-04-07 00:05
Platform
win10v2004-20231215-en
Max time kernel
87s
Max time network
153s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\frviiqj.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\frviiqj.exe | C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\sjqrgse.dll | C:\PROGRA~3\Mozilla\frviiqj.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe
"C:\Users\Admin\AppData\Local\Temp\a58fd625bf63b8a73ef378fe80f7570a26926089df7196dc4254011aaf3b4ed5.exe"
C:\PROGRA~3\Mozilla\frviiqj.exe
C:\PROGRA~3\Mozilla\frviiqj.exe -myayasb
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2428-0-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2428-2-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2428-1-0x0000000002200000-0x000000000225B000-memory.dmp
memory/2428-5-0x0000000000400000-0x000000000045B000-memory.dmp
C:\ProgramData\Mozilla\frviiqj.exe
| MD5 | c9634b9e4dac3039731c06cf47449034 |
| SHA1 | 4db197c901064b885714091b3195050059059ab7 |
| SHA256 | 536d929d73cd8e4bbef9f046c0abd2e4c4dd09039053b6d5b9f54f54c0978b61 |
| SHA512 | 55e5f1c2496a2784bf752fff783b02a895d547d4bab070d5afbc7bbb191a8bb85b1d03397a273c88c599fa9ade6d99639b95f88f8cae8faa78796d2c3cb305a7 |
memory/2644-8-0x0000000000400000-0x000000000045F000-memory.dmp
memory/2644-9-0x0000000000C50000-0x0000000000CAB000-memory.dmp
memory/2644-10-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2644-13-0x0000000000400000-0x000000000045B000-memory.dmp