Analysis Overview
SHA256
a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b
Threat Level: Likely malicious
The file a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 00:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 00:02
Reported
2024-04-07 00:05
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
110s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\qhdqeom.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\qhdqeom.exe | C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\ijdurdi.dll | C:\PROGRA~3\Mozilla\qhdqeom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe
"C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe"
C:\PROGRA~3\Mozilla\qhdqeom.exe
C:\PROGRA~3\Mozilla\qhdqeom.exe -tgbfvga
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/5084-0-0x0000000000400000-0x0000000000463000-memory.dmp
memory/5084-1-0x0000000000400000-0x0000000000463000-memory.dmp
memory/5084-2-0x00000000004F0000-0x00000000004F2000-memory.dmp
memory/5084-3-0x0000000000400000-0x0000000000463000-memory.dmp
memory/5084-9-0x0000000000400000-0x0000000000463000-memory.dmp
C:\PROGRA~3\Mozilla\qhdqeom.exe
| MD5 | 64fa377fb3e18cb5d8c17085b20a4f23 |
| SHA1 | 5da1a85ec686576babada76ed0f9d341aaaafd29 |
| SHA256 | 650bc67ff05eacc5f5752d8d87f7392a9b338804ccb05d095e3e95d72a9255fc |
| SHA512 | 6e8b0235d883358eb1b8ee6cf89d8e6154c15b6036d87037359ef9444276d2492faa262a5a37985b5ef3267f639098da84762e3526f409fd7271f071bf82a39f |
memory/2732-10-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2732-11-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2732-12-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2732-16-0x0000000000400000-0x0000000000463000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 00:02
Reported
2024-04-07 00:05
Platform
win7-20240221-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2204 wrote to memory of 2620 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2204 wrote to memory of 2620 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2204 wrote to memory of 2620 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2204 wrote to memory of 2620 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe
"C:\Users\Admin\AppData\Local\Temp\a5cb0ce193b7041a4c0b899dd0642c6a4816c85bdc28c29d31ae3abc6c50d78b.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {446108CA-636F-40BF-AE8A-97768ADA40B4} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\dbilzqh.exe
C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
Network
Files
memory/1296-0-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1296-1-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1296-2-0x0000000000400000-0x0000000000463000-memory.dmp
memory/1296-4-0x0000000000240000-0x0000000000242000-memory.dmp
memory/1296-7-0x0000000000400000-0x0000000000463000-memory.dmp
C:\PROGRA~3\Mozilla\dbilzqh.exe
| MD5 | 3fa9433b2c1335ef0ed5cf4ee5f9fdab |
| SHA1 | cd2a7070fea6b62b1f73d6ec83583d30f6422f07 |
| SHA256 | d96f663bbf104d673961c4c7862fdaa2fa10311735a2b6159cdd680a384bfcf9 |
| SHA512 | 652afef22abe00782c29144795a7853867312711ebde094d683b5f10991a42b37b7fcc2be7595191b42a462a09741f69a15e0b826e26ab530a064c5a53503be7 |
memory/2620-10-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2620-11-0x0000000000400000-0x0000000000463000-memory.dmp
memory/2620-16-0x0000000000400000-0x0000000000463000-memory.dmp