Analysis Overview
SHA256
12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd
Threat Level: Likely malicious
The file 12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:44
Reported
2024-04-07 18:46
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\nhadrjb.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\nhadrjb.exe | C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\mrcfdgn.dll | C:\PROGRA~3\Mozilla\nhadrjb.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2664 wrote to memory of 2152 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\nhadrjb.exe |
| PID 2664 wrote to memory of 2152 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\nhadrjb.exe |
| PID 2664 wrote to memory of 2152 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\nhadrjb.exe |
| PID 2664 wrote to memory of 2152 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\nhadrjb.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe
"C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {F9CE67F5-E40C-42C0-947A-A6CF88491456} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\nhadrjb.exe
C:\PROGRA~3\Mozilla\nhadrjb.exe -giukxrm
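The behavioral1 signatures and process tree above describe three things an analyst would turn into host-side hunt logic: a change to the AppInit DLL registry entry, a PE dropped into C:\PROGRA~3\Mozilla (an 8.3 alias, on this image presumably for C:\ProgramData), and the dropped nhadrjb.exe being started by taskeng.exe, the Windows 7 Task Scheduler engine. The following added example is not part of the sandbox report and not the sample's code; it runs such checks over constructed Sysmon-style events that mirror this run. Two parts of it are assumptions: the report flags "Modifies AppInit DLL entries" but lists no indicator, so the registry event's AppInit_DLLs data value is assumed to point at the dropped DLL, and the mapping PROGRA~3 = ProgramData is the usual one on an English x64 install but is not guaranteed. Rule names, event field names and the benign events are the example's own.

```python
"""Host-side checks for the reported behaviours, run over constructed Sysmon-style events."""

# 8.3 short-name expansions. Assumption: on the sandbox volume PROGRA~3 is the
# alias for ProgramData (typical on an English x64 install, where PROGRA~1 and
# PROGRA~2 are the two Program Files directories). 8.3 aliases are per-volume,
# so confirm with `dir /x C:\` on the host you are examining.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

# Keys whose AppInit_DLLs value is loaded into every process that loads
# user32.dll (native 64-bit view and the WOW64 view).
APPINIT_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\windows",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows",
}

PROGRAM_DIRS = ("c:\\programdata\\", "c:\\program files\\", "c:\\program files (x86)\\")


def expand_short_path(path: str) -> str:
    """Replace known 8.3 components so short and long spellings compare equal."""
    return "\\".join(SHORT_NAMES.get(part.upper(), part) for part in path.split("\\"))


def norm(path: str) -> str:
    return expand_short_path(path).lower()


def evaluate(events):
    """Return (rule, indicator) pairs for events matching the reported behaviours."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "RegistryValueSet":
            key, value, data = ev["key"].lower(), ev["value"].lower(), ev["data"].strip()
            if key in APPINIT_KEYS and value == "appinit_dlls" and data:
                findings.append(("appinit_dll_set", norm(data)))
            elif key in APPINIT_KEYS and value == "loadappinit_dlls" and data == "1":
                findings.append(("appinit_loading_enabled", key))
        elif kind == "FileCreate":
            target, writer = norm(ev["path"]), norm(ev["image"])
            # A PE written into a program directory by something that itself runs
            # from ProgramData or a user Temp directory is not a normal installer.
            if (target.endswith((".exe", ".dll")) and target.startswith(PROGRAM_DIRS)
                    and (writer.startswith("c:\\programdata\\")
                         or "\\appdata\\local\\temp\\" in writer)):
                findings.append(("pe_dropped_in_program_dir", target))
        elif kind == "ProcessCreate":
            image, parent = norm(ev["image"]), norm(ev["parent"])
            parent_name = parent.rsplit("\\", 1)[-1]
            # taskeng.exe hosts scheduled tasks on Windows 7; on Windows 10 the
            # Schedule service runs inside svchost.exe instead.
            if parent_name in ("taskeng.exe", "svchost.exe") and image.startswith("c:\\programdata\\"):
                findings.append(("scheduled_task_launch_from_programdata", image))
    return findings


# Constructed events mirroring the behavioral1 run, plus one registry event that
# the "Modifies AppInit DLL entries" signature implies but the report does not
# list (its data value is assumed), and two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "path": r"C:\PROGRA~3\Mozilla\nhadrjb.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe"},
    {"type": "FileCreate", "path": r"C:\PROGRA~3\Mozilla\mrcfdgn.dll",
     "image": r"C:\PROGRA~3\Mozilla\nhadrjb.exe"},
    {"type": "ProcessCreate", "image": r"C:\PROGRA~3\Mozilla\nhadrjb.exe",
     "parent": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"C:\PROGRA~3\Mozilla\nhadrjb.exe -giukxrm"},
    {"type": "RegistryValueSet",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "AppInit_DLLs", "data": r"C:\PROGRA~3\Mozilla\mrcfdgn.dll"},  # assumed value
    {"type": "ProcessCreate", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "firefox.exe"},        # benign
    {"type": "FileCreate", "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Users\Admin\Downloads\Firefox Setup.exe"},                 # benign
]


def sample_findings():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, indicator in sample_findings():
        print(f"{rule:40} {indicator}")
```

Two caveats when applying this to a real host: on Windows 8 and later the AppInit_DLLs mechanism is disabled while Secure Boot is enabled, so a populated value is an attempt at persistence but not proof that the DLL is being loaded; and the svchost.exe parent match is only meaningful together with the ProgramData image path, since svchost.exe is the parent of a great many legitimate processes.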
Network
Files
memory/1644-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1644-1-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1644-2-0x0000000000320000-0x000000000037B000-memory.dmp
memory/1644-8-0x0000000000400000-0x0000000000426000-memory.dmp
C:\PROGRA~3\Mozilla\nhadrjb.exe
| MD5 | 987e71d74ceb3df9c021690a2d110c43 |
| SHA1 | fd498be4bba82b6b08c24a13358b0c4c9b7e101b |
| SHA256 | 2b19a98a0086c51c1dd3fd0dcf46eb0e0604efe016155e8315bf4f87ebb35604 |
| SHA512 | ba0db47cd5a042adbead66b844de43f112dbd2b1ec1ddc2a04ca902244b2399fb7ee0a48eb419cce7b3709631fa79ddbcd587d2c242944631e0089ff4dc0d137 |
memory/2152-12-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2152-13-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2152-14-0x0000000000430000-0x000000000048B000-memory.dmp
memory/2152-20-0x0000000000400000-0x0000000000426000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:44
Reported
2024-04-07 18:46
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\frviiqj.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\frviiqj.exe | C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\sjqrgse.dll | C:\PROGRA~3\Mozilla\frviiqj.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe
"C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe"
C:\PROGRA~3\Mozilla\frviiqj.exe
C:\PROGRA~3\Mozilla\frviiqj.exe -myayasb
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
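The ten in-addr.arpa rows are reverse (PTR) lookups sent to the 8.8.8.8 resolver, not connections to the hosts whose addresses they encode; the only row without a query name is a direct TCP connection to 138.91.171.81:80, and in the extracted page its protocol has slipped into the Domain column. Before copying any of these into a blocklist, decode the PTR names back to the addresses being asked about and compare them with a clean detonation on the same win10v2004 image, since a Windows 10 guest generates reverse lookups of its own. The example below is added here and is not part of the report; it parses a constructed copy of this table (keeping the shifted row so the parser has to cope with it), recovers the addresses and separates resolver, PTR targets, forward query names and direct connections. Function and field names are the example's own.

```python
import ipaddress

# Constructed copy of the behavioral2 network table as extracted, including the
# direct-connection row whose protocol sits in the Domain column.
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
"""


def ptr_to_ip(name):
    """Turn a PTR query name d.c.b.a.in-addr.arpa back into the IPv4 address a.b.c.d.

    Returns None for anything that is not a full four-octet reverse name
    (forward names, partial/classless reverse zones, malformed octets)."""
    n = name.strip().rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not n.endswith(suffix):
        return None
    octets = n[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def parse_rows(table_text):
    """Parse the four-column sandbox table, tolerating the shifted direct-connection row."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Country" or not cells[0].strip("-: "):
            continue  # header or separator line
        cells += [""] * (4 - len(cells))
        country, dest, domain, proto = cells[:4]
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain  # protocol extracted into the Domain column
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarise(rows):
    """Separate resolver traffic from connections and decode PTR names to addresses."""
    out = {"resolvers": set(), "ptr_targets": [], "queried_names": [], "connections": []}
    for r in rows:
        is_dns = r["port"] == 53 and r["proto"] == "udp"
        if is_dns:
            out["resolvers"].add(r["host"])
            ip = ptr_to_ip(r["domain"])
            if ip:
                out["ptr_targets"].append(ip)
            else:
                out["queried_names"].append(r["domain"])
        else:
            out["connections"].append((r["host"], r["port"], r["proto"], r["domain"]))
    return out


def sample_summary():
    return summarise(parse_rows(SAMPLE_TABLE))


if __name__ == "__main__":
    s = sample_summary()
    print("resolvers:   ", sorted(s["resolvers"]))
    print("PTR targets: ", s["ptr_targets"])
    print("connections: ", s["connections"])
```

The decoded PTR targets are the addresses the guest wanted names for; only the direct connection appears as an endpoint the sample actually talked to, and even that should be diffed against the baseline run before it is treated as command-and-control.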
Files
memory/2044-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2044-1-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2044-2-0x00000000025A0000-0x00000000025FB000-memory.dmp
memory/2044-10-0x0000000000400000-0x0000000000426000-memory.dmp
C:\PROGRA~3\Mozilla\frviiqj.exe
| MD5 | 38e1c48745ed4b0bd13fc22976e5d18f |
| SHA1 | 1fc8ca6447e4cd23203c3afb7d23f40bf53f5f91 |
| SHA256 | e766ae6356a1d86aad134a7e8efbbf6da3db628a34937ef1c6afc7d8b40749b1 |
| SHA512 | c40a6213dec8c11182efa1abea29da109b4b26a38aa6d749f4ffeb0efc10822fc503ddafe0e6f054a243c0cea73edf9b8d864793945bbf7dbc90571b8f3723c6 |
memory/2292-11-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2292-12-0x0000000001230000-0x000000000128B000-memory.dmp
memory/2292-18-0x0000000000400000-0x0000000000426000-memory.dmp