Analysis Overview
SHA256
07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a
Threat Level: Likely malicious
The file 07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:21
Reported
2024-04-07 18:23
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
| PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe
"C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3ED2D991-848E-479D-BF56-6FBCAEBA318E} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\tbckyxk.exe
C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
Network
Files
memory/1300-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1300-1-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1300-2-0x0000000000260000-0x00000000002BB000-memory.dmp
memory/1300-8-0x0000000000400000-0x0000000000424000-memory.dmp
C:\PROGRA~3\Mozilla\tbckyxk.exe
| MD5 | f64ec9815798e19b7c8e711a748546d2 |
| SHA1 | 4329e8199348ecdda6cb2ca92741dbace81133bd |
| SHA256 | f9252381a0790320b61b2886d41323730d1247d8895d52d261e8933e3dc66739 |
| SHA512 | e0f2b5ca9614bc3c378cd9a75b5af36c5abafa9f289a20d7dfbbd4ba3d3e0adc5074aef004112209c2e9b2ec6ab159207552f269541bd4322efe71af2f286bd9 |
memory/1664-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1664-12-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1664-13-0x0000000000430000-0x000000000048B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:21
Reported
2024-04-07 18:23
Platform
win10v2004-20240319-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\jhifwqk.exe | C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\biclnte.dll | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe
"C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe"
C:\PROGRA~3\Mozilla\jhifwqk.exe
C:\PROGRA~3\Mozilla\jhifwqk.exe -zmqutfb
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 142.250.179.202:443 | tcp | |
| IE | 94.245.104.56:443 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| GB | 51.140.242.104:443 | tcp | |
| GB | 51.140.244.186:443 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/4872-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4872-1-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4872-2-0x00000000020C0000-0x000000000211B000-memory.dmp
C:\ProgramData\Mozilla\jhifwqk.exe
| MD5 | dc778ac7687dc9b48a3f3c0324d4d2a8 |
| SHA1 | f8b03a354a6555fb9157d747aa382026662aba92 |
| SHA256 | 231523b8141d4a72423a6b45a8e233e1a3c80802605a211de510a3c3cfac3398 |
| SHA512 | a82ac7ba7c2a439c88164b0e3582971c33be25545d2e8594248d5de0f511d838e3ba645dc8ea2e0332a4000f195ed6ebae9448018652ecaaebaded20e5894f67 |
memory/4872-10-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3832-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3832-12-0x0000000000C90000-0x0000000000CEB000-memory.dmp
memory/3832-18-0x0000000000400000-0x0000000000424000-memory.dmp