Malware Analysis Report

2025-03-14 23:12

Sample ID 240407-abr7gseg9v
Target a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b
SHA256 a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b
Tags
persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b

Threat Level: Likely malicious

The file a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Reading of the summary (editor's interpretation of the behavioural sections below, not additional sandbox output):

Both detonations show the same chain. The submitted EXE writes a second, randomly named EXE under C:\PROGRA~3\Mozilla\; that EXE runs once with a single random-looking switch (-tgbfvga on win10, -kwinamg on win7) and writes a randomly named DLL beside itself. "Modifies AppInit DLL entries" means a write to AppInit_DLLs (and possibly LoadAppInit_DLLs) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows or its Wow6432Node twin. The report does not record the value written, but the DLL dropped next to the EXE is the obvious candidate: a DLL registered there is mapped into every process that loads user32.dll.

"Drops file in Program Files directory" is a misnomer here. C:\PROGRA~3 is the 8.3 short name that a default install assigns to C:\ProgramData (PROGRA~1 and PROGRA~2 are the two Program Files directories), creating a folder there needs no elevation, and the "Mozilla" name is camouflage rather than a Firefox artefact. When hunting, expand the short name before comparing paths, or the ProgramData write will be missed.

Caveat on impact: on Windows 8 and later the loader ignores AppInit_DLLs when Secure Boot is enabled, so on such hosts the registry change is a persistence attempt that never loads the DLL; the Windows 7 run has no such protection. The dropped file names, switches and hashes differ between the two runs (all three EXE hashes differ, while the dumps of all four processes, PIDs 5084, 2732, 1296 and 2620, span the same 0x400000-0x463000 image range), so they are per-infection values. The directory, the AppInit_DLLs write and the "random.exe -randomswitch" execution pattern are the indicators worth keeping.
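As an added illustration (editor's example, not sandbox output and not code from the sample), the script below replays the chain behind the signatures listed above against Sysmon-style events and flags each behaviour: a PE dropped under ProgramData (after expanding the 8.3 name), execution of that dropped file, a launch from a Task Scheduler host with a single random switch, and a write to AppInit_DLLs that points at a dropped DLL. The events are constructed to mirror the behavioral1 (win7) run; the registry values are assumed, since the report does not record what was written, and the 8.3 mapping assumes a default install.

```python
import re

# Sysmon event IDs used below: 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet.
APPINIT_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
}
# Default-install 8.3 names for the three C:\PROGRA~n directories. This is an
# assumption about the image; confirm with `dir /x C:\` on the host under review.
SHORT_NAMES = {"PROGRA~1": "Program Files", "PROGRA~2": "Program Files (x86)",
               "PROGRA~3": "ProgramData"}
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}   # Task Scheduler hosts on Win7 / Win8+
# "<path>.exe -xxxxxxx": one short lowercase switch, as seen in both detonations.
SINGLE_SWITCH = re.compile(r'^"?(?P<exe>[^"]+\.exe)"?\s+-(?P<sw>[a-z]{5,10})$', re.I)


def expand(path):
    """Expand the known 8.3 directory names so paths compare consistently."""
    for short, long in SHORT_NAMES.items():
        path = re.sub(re.escape(short), long, path, flags=re.I)
    return path


def analyse(events):
    """Return (rule, detail) findings for the AppInit persistence chain."""
    findings, dropped, appinit = [], set(), []
    for ev in events:
        if ev["id"] == 11:                                   # FileCreate
            target = expand(ev["target"])
            if target.lower().endswith((".exe", ".dll")) and "\\programdata\\" in target.lower():
                dropped.add(target.lower())
                findings.append(("drop_in_programdata", target))
        elif ev["id"] == 1:                                  # ProcessCreate
            image = expand(ev["image"])
            if image.lower() in dropped:
                findings.append(("executes_dropped_exe", image))
                if ev["parent"].rsplit("\\", 1)[-1].lower() in TASK_HOSTS:
                    findings.append(("launched_by_task_scheduler", ev["parent"]))
                m = SINGLE_SWITCH.match(ev["cmdline"])
                if m:
                    findings.append(("single_random_switch", "-" + m.group("sw")))
        elif ev["id"] == 13:                                 # RegistryValueSet
            key, _, name = ev["key"].rpartition("\\")
            if key not in APPINIT_KEYS:
                continue
            if name == "AppInit_DLLs" and ev["value"]:
                appinit.append(expand(ev["value"]))
                findings.append(("appinit_dlls_set", ev["value"]))
            elif name == "LoadAppInit_DLLs" and ev["value"] == 1:
                findings.append(("appinit_loading_enabled", key))
            elif name == "RequireSignedAppInit_DLLs" and ev["value"] == 0:
                findings.append(("appinit_signing_disabled", key))
    # Correlate: the DLL registered for AppInit loading is one we saw being dropped.
    for dll in appinit:
        if dll.lower() in dropped:
            findings.append(("appinit_dll_is_dropped_file", dll))
    return findings


# Constructed sample events mirroring the behavioral1 run. The two registry
# events are assumed; the report only says AppInit entries were modified.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe"
SAMPLE_EVENTS = [
    {"id": 11, "image": DROPPER, "target": r"C:\PROGRA~3\Mozilla\dbilzqh.exe"},
    {"id": 1, "image": r"C:\PROGRA~3\Mozilla\dbilzqh.exe",
     "cmdline": r"C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg",
     "parent": r"C:\Windows\system32\taskeng.exe"},
    {"id": 11, "image": r"C:\PROGRA~3\Mozilla\dbilzqh.exe",
     "target": r"C:\PROGRA~3\Mozilla\zxoabnc.dll"},
    {"id": 13, "image": r"C:\PROGRA~3\Mozilla\dbilzqh.exe",                  # assumed
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "value": r"C:\PROGRA~3\Mozilla\zxoabnc.dll"},
    {"id": 13, "image": r"C:\PROGRA~3\Mozilla\dbilzqh.exe",                  # assumed
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
     "value": 1},
    # Benign control: an installer writing under Program Files is not flagged.
    {"id": 11, "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\PROGRA~1\Vendor\app.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The same three values (AppInit_DLLs, LoadAppInit_DLLs, RequireSignedAppInit_DLLs) under both the native key and Wow6432Node are what to read on a live host; a non-empty AppInit_DLLs pointing outside System32, or any entry under ProgramData, is worth pulling the DLL for.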

MITRE ATT&CK

Enterprise Matrix V15

The matrix body is not reproduced in this export. The behaviour that drives the verdict is the AppInit_DLLs change, which ATT&CK classifies as Event Triggered Execution: AppInit DLLs (T1546.010) under Persistence and Privilege Escalation.

Analysis: static1

Detonation Overview

Reported

2024-04-07 00:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 00:02

Reported

2024-04-07 00:05

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\qhdqeom.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\qhdqeom.exe C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe N/A
File created C:\PROGRA~3\Mozilla\ijdurdi.dll C:\PROGRA~3\Mozilla\qhdqeom.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe

"C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe"

C:\PROGRA~3\Mozilla\qhdqeom.exe

C:\PROGRA~3\Mozilla\qhdqeom.exe -tgbfvga

The parent of qhdqeom.exe is not shown in this run's listing (on Windows 10 scheduled tasks are hosted by svchost.exe rather than taskeng.exe), so whether it was started directly by the dropper or, as in the Windows 7 run below, by the Task Scheduler cannot be determined from this report.

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

All ten entries are PTR (reverse-DNS) queries sent to Google's resolver; an in-addr.arpa name lists the address octets in reverse, so 209.205.72.20.in-addr.arpa asks who owns 20.72.205.209. The addresses appear to be in ranges used by Microsoft services and CDNs, which a stock Windows 10 image looks up on its own, and no connection initiated by the sample or by qhdqeom.exe is recorded in either run. This report therefore yields no network indicator; treat the list as likely sandbox background noise rather than C2.

Files

memory/5084-0-0x0000000000400000-0x0000000000463000-memory.dmp

memory/5084-1-0x0000000000400000-0x0000000000463000-memory.dmp

memory/5084-2-0x00000000004F0000-0x00000000004F2000-memory.dmp

memory/5084-3-0x0000000000400000-0x0000000000463000-memory.dmp

memory/5084-9-0x0000000000400000-0x0000000000463000-memory.dmp

C:\PROGRA~3\Mozilla\qhdqeom.exe

MD5 64fa377fb3e18cb5d8c17085b20a4f23
SHA1 5da1a85ec686576babada76ed0f9d341aaaafd29
SHA256 650bc67ff05eacc5f5752d8d87f7392a9b338804ccb05d095e3e95d72a9255fc
SHA512 6e8b0235d883358eb1b8ee6cf89d8e6154c15b6036d87037359ef9444276d2492faa262a5a37985b5ef3267f639098da84762e3526f409fd7271f071bf82a39f

memory/2732-10-0x0000000000400000-0x0000000000463000-memory.dmp

memory/2732-11-0x0000000000400000-0x0000000000463000-memory.dmp

memory/2732-12-0x0000000000400000-0x0000000000463000-memory.dmp

memory/2732-16-0x0000000000400000-0x0000000000463000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 00:02

Reported

2024-04-07 00:05

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\dbilzqh.exe C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe N/A
File created C:\PROGRA~3\Mozilla\zxoabnc.dll C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2204 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2204 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2204 wrote to memory of 2620 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe

PID 2204 is taskeng.exe and PID 2620 is the dbilzqh.exe it launched (see the memory dumps under Files), so these are a parent's writes into its own child around process creation. That happens for any parent and is not by itself evidence of code injection; the notable fact is which parent it was, covered under Processes.

Processes

C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe

"C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {446108CA-636F-40BF-AE8A-97768ADA40B4} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

taskeng.exe is the Windows 7 Task Scheduler engine, and its command line shows it hosting tasks for S-1-5-18 (NT AUTHORITY\SYSTEM). The dropped EXE was therefore started by a scheduled task running as SYSTEM rather than directly by the dropper, which is a second persistence and elevation path even though the report lists no task-creation signature. The task was most likely registered by the dropper; its name and trigger are not recorded here.

Network

N/A (no network activity was recorded in the Windows 7 run)

Files

memory/1296-0-0x0000000000400000-0x0000000000463000-memory.dmp

memory/1296-1-0x0000000000400000-0x0000000000463000-memory.dmp

memory/1296-2-0x0000000000400000-0x0000000000463000-memory.dmp

memory/1296-4-0x0000000000240000-0x0000000000242000-memory.dmp

memory/1296-7-0x0000000000400000-0x0000000000463000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 3fa9433b2c1335ef0ed5cf4ee5f9fdab
SHA1 cd2a7070fea6b62b1f73d6ec83583d30f6422f07
SHA256 d96f663bbf104d673961c4c7862fdaa2fa10311735a2b6159cdd680a384bfcf9
SHA512 652afef22abe00782c29144795a7853867312711ebde094d683b5f10991a42b37b7fcc2be7595191b42a462a09741f69a15e0b826e26ab530a064c5a53503be7

memory/2620-10-0x0000000000400000-0x0000000000463000-memory.dmp

memory/2620-11-0x0000000000400000-0x0000000000463000-memory.dmp

memory/2620-16-0x0000000000400000-0x0000000000463000-memory.dmp