Malware Analysis Report

2025-03-14 23:12

Sample ID 240407-acnwfsff48
Target a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc
SHA256 a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc

Threat Level: Likely malicious

The file a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 00:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 00:04

Reported

2024-04-07 00:06

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe | N/A
File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3032 wrote to memory of 2508 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 3032 wrote to memory of 2508 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 3032 wrote to memory of 2508 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 3032 wrote to memory of 2508 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe

"C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5A5B34DD-27FA-4447-B287-7EBA640C83D9} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

Network

N/A

Files

memory/1740-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1740-2-0x0000000000250000-0x00000000002AB000-memory.dmp

memory/1740-1-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1740-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 0936f6a6e29c04c7b04992f710489c52
SHA1 d037928930275ab3280eaec739d790b54f5c8c05
SHA256 fa02ca6db00c07400929f7ca37bf2d57c65d05b777e1cd86e8b10585465542ad
SHA512 2b3d63251e8ace444481403af20aad88df14aaa81cb782f3c2c2f2c42c026e697f9111066cd8ca71d8d68f47dd6fd710e70b2d2bdb7c003b239a142436e8a5c1

memory/2508-7-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2508-8-0x0000000000310000-0x000000000036B000-memory.dmp

memory/2508-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2508-11-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 00:04

Reported

2024-04-07 00:06

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\ktyqhhb.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\ixnvdrc.dll | C:\PROGRA~3\Mozilla\ktyqhhb.exe | N/A
File created | C:\PROGRA~3\Mozilla\ktyqhhb.exe | C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe

"C:\Users\Admin\AppData\Local\Temp\a69981a878709618f303c86cbd049a173cea8270aeac6fbffee91e7e80dd6afc.exe"

C:\PROGRA~3\Mozilla\ktyqhhb.exe

C:\PROGRA~3\Mozilla\ktyqhhb.exe -arwhcpc

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp

Files

memory/5116-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/5116-1-0x0000000002090000-0x00000000020EB000-memory.dmp

memory/5116-2-0x0000000000400000-0x000000000045B000-memory.dmp

C:\ProgramData\Mozilla\ktyqhhb.exe

MD5 79270eddd673b4bc3c54d5ed6f8eac9d
SHA1 48724738bb182ddc8776c9ed13aefe3dc2fec8a1
SHA256 8847b9dd3fc0f998ced95c9fc4d7228cd4e6c742b96e0a9f5b6b77a4ae428f09
SHA512 7739799c832a0465b7fd718b5cc8f85a32a56dae7d086e4f252d4d702532b92a8647b1a5b08020a810e986335babbb4097846151a9798c939084d5de6a46bc49

memory/5116-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/5116-8-0x0000000002090000-0x00000000020EB000-memory.dmp

memory/1372-9-0x0000000000CA0000-0x0000000000CFB000-memory.dmp

memory/1372-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1372-12-0x0000000000400000-0x000000000045B000-memory.dmp