Malware Analysis Report

2025-03-14 23:27

Sample ID: 240407-wzas1aag9z
Target: 07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a
SHA256: 07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a
Tags: persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a

Threat Level: Likely malicious

The file 07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a was found to be: Likely malicious.

Malicious Activity Summary

Modifies AppInit DLL entries (persistence)

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:21

Reported

2024-04-07 18:23

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe"

Signatures

Modifies AppInit DLL entries (persistence)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe | N/A
File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 1784 wrote to memory of 1664 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe

"C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3ED2D991-848E-479D-BF56-6FBCAEBA318E} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\tbckyxk.exe

C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye

Network

N/A

Files

memory/1300-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1300-1-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1300-2-0x0000000000260000-0x00000000002BB000-memory.dmp

memory/1300-8-0x0000000000400000-0x0000000000424000-memory.dmp

C:\PROGRA~3\Mozilla\tbckyxk.exe

MD5 f64ec9815798e19b7c8e711a748546d2
SHA1 4329e8199348ecdda6cb2ca92741dbace81133bd
SHA256 f9252381a0790320b61b2886d41323730d1247d8895d52d261e8933e3dc66739
SHA512 e0f2b5ca9614bc3c378cd9a75b5af36c5abafa9f289a20d7dfbbd4ba3d3e0adc5074aef004112209c2e9b2ec6ab159207552f269541bd4322efe71af2f286bd9

memory/1664-11-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1664-12-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1664-13-0x0000000000430000-0x000000000048B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:21

Reported

2024-04-07 18:23

Platform

win10v2004-20240319-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe"

Signatures

Modifies AppInit DLL entries (persistence)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\jhifwqk.exe | C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe | N/A
File created | C:\PROGRA~3\Mozilla\biclnte.dll | C:\PROGRA~3\Mozilla\jhifwqk.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe

"C:\Users\Admin\AppData\Local\Temp\07ba35f780682644df2db6af113404e5f42d57ffdac81a113d242a217603435a.exe"

C:\PROGRA~3\Mozilla\jhifwqk.exe

C:\PROGRA~3\Mozilla\jhifwqk.exe -zmqutfb

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
NL | 142.250.179.202:443 | - | tcp
IE | 94.245.104.56:443 | - | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
GB | 51.140.242.104:443 | - | tcp
GB | 51.140.244.186:443 | - | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

memory/4872-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4872-1-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4872-2-0x00000000020C0000-0x000000000211B000-memory.dmp

C:\ProgramData\Mozilla\jhifwqk.exe

MD5 dc778ac7687dc9b48a3f3c0324d4d2a8
SHA1 f8b03a354a6555fb9157d747aa382026662aba92
SHA256 231523b8141d4a72423a6b45a8e233e1a3c80802605a211de510a3c3cfac3398
SHA512 a82ac7ba7c2a439c88164b0e3582971c33be25545d2e8594248d5de0f511d838e3ba645dc8ea2e0332a4000f195ed6ebae9448018652ecaaebaded20e5894f67

memory/4872-10-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3832-11-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3832-12-0x0000000000C90000-0x0000000000CEB000-memory.dmp

memory/3832-18-0x0000000000400000-0x0000000000424000-memory.dmp