Malware Analysis Report

2025-03-14 23:42

Sample ID: 240407-xdjdpabf68
Target: 12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd
SHA256: 12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd
Tags: persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: 12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd
Threat level: Likely malicious

Malicious Activity Summary

Tag: persistence

Modifies AppInit DLL entries
    Registry-based persistence. A DLL listed in the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (and under the Wow6432Node twin on 64-bit hosts) is loaded into every process that loads user32.dll, as long as LoadAppInit_DLLs is 1; on Windows 8 and later the mechanism is disabled altogether when Secure Boot is on. The report raises this signature in both runs but shows no indicator rows for it, so the exact value written is not recorded here. The DLL the sample drops next to its copy (mrcfdgn.dll on Windows 7, sjqrgse.dll on Windows 10) is the obvious candidate.

Executes dropped EXE
    The sample writes a second executable into C:\PROGRA~3\Mozilla\ (nhadrjb.exe on Windows 7, frviiqj.exe on Windows 10) and that copy runs with a short random-looking switch. File name, switch and hash all differ between the two runs and from the original sample, so hunt on the path pattern and the .exe/.dll pair, not on the dropped file's hash.

Drops file in Program Files directory
    Caveat on the signature name: C:\PROGRA~3 is an 8.3 short name, and on 64-bit Windows it normally expands to C:\ProgramData (PROGRA~1 and PROGRA~2 being the two Program Files directories). Check C:\ProgramData\Mozilla\ first, and confirm the mapping on the affected host with dir /x C:\ rather than assuming Program Files. Firefox itself keeps data under a C:\ProgramData\Mozilla directory on many installs, so the directory alone is not an indicator; the randomly named .exe and .dll inside it are.

Unsigned PE
    The sample carries no Authenticode signature (static finding).

Suspicious use of WriteProcessMemory
    Windows 7 run only: taskeng.exe (PID 2664) wrote into nhadrjb.exe (PID 2152) four times. taskeng.exe is the Windows 7 Task Scheduler engine, and its command line shows it running a task as S-1-5-18 (SYSTEM), so these writes are consistent with the dropped EXE being started as a scheduled task (a parent writing into a freshly created child) rather than with injection by the sample itself. The report does not show the task being registered, and the Windows 10 run has neither taskeng.exe nor a WriteProcessMemory hit.
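A check for the AppInit_DLLs mechanism behind the "Modifies AppInit DLL entries" signature, as an added example (not part of the sandbox report and not the sample's code). It evaluates a saved `reg query` export of the two AppInit keys the way Windows does: DLLs are only injected when LoadAppInit_DLLs is 1, and on Windows 8 and later not at all when Secure Boot is on. The report shows no registry indicator rows, so the export embedded here is constructed; it assumes the dropped DLL path the report does list, C:\PROGRA~3\Mozilla\mrcfdgn.dll, was written into AppInit_DLLs. The key and value names are the real Windows ones; the values are the assumption.

```python
"""Evaluate AppInit_DLLs persistence from a saved `reg query` export.

Added example, not part of the sandbox report. The report flags "Modifies
AppInit DLL entries" but shows no registry indicator rows, so SAMPLE_EXPORT is
CONSTRUCTED: it assumes the dropped DLL path the report lists
(C:\\PROGRA~3\\Mozilla\\mrcfdgn.dll) was written into AppInit_DLLs with
LoadAppInit_DLLs set to 1.
"""
import re
from dataclasses import dataclass

APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed output in the shape of `reg query "<key>"` for both keys (64-bit host).
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\PROGRA~3\Mozilla\mrcfdgn.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""

# A vendor's AppInit DLL does not normally live in a user- or service-writable tree.
# PROGRA~3 is listed because the report uses the 8.3 short name, which usually
# expands to C:\ProgramData on 64-bit Windows.
SUSPICIOUS_DIR = re.compile(
    r"(?i)^[a-z]:\\(progra~3|programdata|users\\[^\\]+\\appdata|windows\\temp)\\"
)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


@dataclass
class AppInitFinding:
    key: str
    dlls: list
    load_enabled: bool
    require_signed: bool
    active: bool        # would Windows actually inject these DLLs?
    suspicious: list    # entries sitting in a suspicious directory


def parse_reg_export(text):
    """Turn `reg query` text into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key paths start at column 0
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, typ, data = m.groups()
            keys[current][name] = (typ, data.strip())
    return keys


def _dword(values, name, default=0):
    _typ, data = values.get(name, ("REG_DWORD", str(default)))
    return int(data, 16) if data.lower().startswith("0x") else int(data or default)


def evaluate_appinit(export_text, secure_boot=False):
    """One finding per AppInit key. secure_boot=True models Windows 8+ with
    Secure Boot on, where AppInit_DLLs is disabled regardless of the values."""
    keys = parse_reg_export(export_text)
    findings = []
    for key in APPINIT_KEYS:
        values = keys.get(key, {})
        raw = values.get("AppInit_DLLs", ("REG_SZ", ""))[1]
        dlls = [d for d in re.split(r"[ ,;]+", raw) if d]   # space/comma separated list
        load = _dword(values, "LoadAppInit_DLLs") == 1
        signed = _dword(values, "RequireSignedAppInit_DLLs") == 1
        active = bool(dlls) and load and not secure_boot
        suspicious = [d for d in dlls if SUSPICIOUS_DIR.match(d)]
        findings.append(AppInitFinding(key, dlls, load, signed, active, suspicious))
    return findings


if __name__ == "__main__":
    for f in evaluate_appinit(SAMPLE_EXPORT):
        state = "ACTIVE" if f.active else "inactive"
        print(f"{state:8} {f.key}")
        print(f"         dlls={f.dlls} suspicious={f.suspicious} "
              f"require_signed={f.require_signed}")
```

Feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"` and of the Wow6432Node twin captured from the affected host. An active finding with a DLL under ProgramData, AppData or Windows\Temp is the thing to remove; an inactive one (LoadAppInit_DLLs 0, or Secure Boot) still leaves the DLL on disk and the value in place, so clear both.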

MITRE ATT&CK

Analysis: static1

Detonation Overview
Reported: 2024-04-07 18:44

Signatures
Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview
Submitted: 2024-04-07 18:44
Reported: 2024-04-07 18:46
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe"

Signatures

Modifies AppInit DLL entries (persistence; no indicator rows recorded)

Executes dropped EXE
    Process: C:\PROGRA~3\Mozilla\nhadrjb.exe

Drops file in Program Files directory
    File created: C:\PROGRA~3\Mozilla\nhadrjb.exe    by C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe
    File created: C:\PROGRA~3\Mozilla\mrcfdgn.dll    by C:\PROGRA~3\Mozilla\nhadrjb.exe

Suspicious use of WriteProcessMemory
    PID 2664 wrote to memory of 2152 (4 events)    Process: C:\Windows\system32\taskeng.exe    Target: C:\PROGRA~3\Mozilla\nhadrjb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe"
    PID 1644 (inferred from the memory dump names below)

C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {F9CE67F5-E40C-42C0-947A-A6CF88491456} S-1-5-18:NT AUTHORITY\System:Service:
    PID 2664 (from the WriteProcessMemory rows); Task Scheduler engine running a task as SYSTEM

C:\PROGRA~3\Mozilla\nhadrjb.exe
    Command line: C:\PROGRA~3\Mozilla\nhadrjb.exe -giukxrm
    PID 2152; its memory was written by taskeng.exe, consistent with being launched by that task. The switch differs in the Windows 10 run (-myayasb), so it is per-infection rather than a fixed option.

Network

None recorded in the Windows 7 run.

Files

Memory dumps, PID 1644 (sample):
memory/1644-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1644-1-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1644-2-0x0000000000320000-0x000000000037B000-memory.dmp
memory/1644-8-0x0000000000400000-0x0000000000426000-memory.dmp

C:\PROGRA~3\Mozilla\nhadrjb.exe
MD5: 987e71d74ceb3df9c021690a2d110c43
SHA1: fd498be4bba82b6b08c24a13358b0c4c9b7e101b
SHA256: 2b19a98a0086c51c1dd3fd0dcf46eb0e0604efe016155e8315bf4f87ebb35604
SHA512: ba0db47cd5a042adbead66b844de43f112dbd2b1ec1ddc2a04ca902244b2399fb7ee0a48eb419cce7b3709631fa79ddbcd587d2c242944631e0089ff4dc0d137

Memory dumps, PID 2152 (nhadrjb.exe):
memory/2152-12-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2152-13-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2152-14-0x0000000000430000-0x000000000048B000-memory.dmp
memory/2152-20-0x0000000000400000-0x0000000000426000-memory.dmp

Both processes map a 0x26000-byte (155,648-byte) image at 0x400000 and one further 0x5B000-byte (372,736-byte) region, at 0x320000 in the sample and at 0x430000 in the dropped copy. A region of identical size reappearing in the dropped copy is what you would expect if both stages unpack the same payload into heap memory; that region, not the on-disk PE, is the one to carve for strings and configuration.

Analysis: behavioral2

Detonation Overview
Submitted: 2024-04-07 18:44
Reported: 2024-04-07 18:46
Platform: win10v2004-20231215-en
Max time kernel: 145s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe"

Signatures

Modifies AppInit DLL entries (persistence; no indicator rows recorded)

Executes dropped EXE
    Process: C:\PROGRA~3\Mozilla\frviiqj.exe

Drops file in Program Files directory
    File created: C:\PROGRA~3\Mozilla\frviiqj.exe    by C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe
    File created: C:\PROGRA~3\Mozilla\sjqrgse.dll    by C:\PROGRA~3\Mozilla\frviiqj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12276eefd206665f0c43b73282bb25576aff4e665b84e0851282726c42de0fdd.exe"
    PID 2044 (inferred from the memory dump names below)

C:\PROGRA~3\Mozilla\frviiqj.exe
    Command line: C:\PROGRA~3\Mozilla\frviiqj.exe -myayasb
    PID 2292; no taskeng.exe appears on Windows 10, and the report does not show which process started it.

Network

Country  Destination        Domain                          Proto
US       8.8.8.8:53         104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53         240.197.17.2.in-addr.arpa       udp
US       8.8.8.8:53         0.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53         28.118.140.52.in-addr.arpa      udp
US       8.8.8.8:53         157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53         198.187.3.20.in-addr.arpa       udp
US       8.8.8.8:53         172.210.232.199.in-addr.arpa    udp
US       138.91.171.81:80   (none)                          tcp
US       8.8.8.8:53         43.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53         199.111.78.13.in-addr.arpa      udp

Every 8.8.8.8:53 row is a reverse (PTR) lookup: an in-addr.arpa name carries the address being resolved with its octets reversed, so 104.219.191.52.in-addr.arpa is a lookup of 52.191.219.104. The table has no process column, so none of this traffic is attributed to the sample or to frviiqj.exe, and the Windows 7 run recorded no network activity at all. The ten reverse-resolved addresses and the single TCP peer 138.91.171.81:80 appear to fall in ranges used by Microsoft and CDN providers, which is what Windows 10 background activity looks like in a sandbox; treat 138.91.171.81 as unconfirmed rather than as a C2 indicator until the connection is tied to the sample's process.
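How to read the Network rows above, as an added example that is not part of the report. It parses the table as printed, decodes each in-addr.arpa name back to the address being reverse-resolved, and separates resolver traffic from direct peers, reporting which peers were contacted without a preceding lookup. The rows are copied from the table; the classification rules are the example's own.

```python
"""Split a sandbox Network table into reverse-DNS lookups and direct connections.

Added example, not part of the report. NETWORK_ROWS is copied from the
Windows 10 run's Network table; the triage rules below are this example's own.
"""
import ipaddress
import re
from collections import Counter

# Rows as printed in the report: country, destination, [domain], proto.
NETWORK_ROWS = """
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp
"""

PTR_NAME = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE
)


def parse_rows(text):
    """Parse the whitespace-separated rows; the domain column may be absent."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        events.append({"country": country, "dest_ip": ipaddress.ip_address(host),
                       "dest_port": int(port), "domain": domain, "proto": proto})
    return events


def ptr_target(name):
    """'104.219.191.52.in-addr.arpa' -> IPv4Address('52.191.219.104'); None otherwise."""
    m = PTR_NAME.match(name or "")
    if not m:
        return None
    return ipaddress.IPv4Address(".".join(reversed(m.groups())))


def triage(text):
    events = parse_rows(text)
    reverse_lookups, direct = set(), set()
    for e in events:
        target = ptr_target(e["domain"])
        if e["dest_port"] == 53 and target is not None:
            reverse_lookups.add(target)   # resolver traffic; the interesting address is the one being resolved
        elif e["dest_port"] != 53:
            direct.add(e["dest_ip"])      # an actual peer the host talked to
    per_dest = Counter(f'{e["dest_ip"]}:{e["dest_port"]}/{e["proto"]}' for e in events)
    return {
        "reverse_lookups": sorted(reverse_lookups),
        "direct": sorted(direct),
        # Peers contacted without the host first reverse-resolving them: the rows
        # to check against threat intel and process attribution before calling them IOCs.
        "direct_without_lookup": sorted(direct - reverse_lookups),
        "per_destination": per_dest,
    }


def round_trips(ip):
    """Sanity check of ptr_target against the stdlib's own PTR name construction."""
    addr = ipaddress.ip_address(ip)
    return ptr_target(addr.reverse_pointer) == addr


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(key, [str(v) for v in value] if isinstance(value, list) else value)
```

The only peer that was contacted directly, 138.91.171.81, is also the only address that was never reverse-resolved, which is the row to attribute to a process before it goes on a blocklist.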

Files

Memory dumps, PID 2044 (sample):
memory/2044-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2044-1-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2044-2-0x00000000025A0000-0x00000000025FB000-memory.dmp
memory/2044-10-0x0000000000400000-0x0000000000426000-memory.dmp

C:\PROGRA~3\Mozilla\frviiqj.exe
MD5: 38e1c48745ed4b0bd13fc22976e5d18f
SHA1: 1fc8ca6447e4cd23203c3afb7d23f40bf53f5f91
SHA256: e766ae6356a1d86aad134a7e8efbbf6da3db628a34937ef1c6afc7d8b40749b1
SHA512: c40a6213dec8c11182efa1abea29da109b4b26a38aa6d749f4ffeb0efc10822fc503ddafe0e6f054a243c0cea73edf9b8d864793945bbf7dbc90571b8f3723c6

Memory dumps, PID 2292 (frviiqj.exe):
memory/2292-11-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2292-12-0x0000000001230000-0x000000000128B000-memory.dmp
memory/2292-18-0x0000000000400000-0x0000000000426000-memory.dmp

As on Windows 7, both processes map a 0x26000-byte image at 0x400000 plus one 0x5B000-byte region (0x25A0000 in the sample, 0x1230000 in the dropped copy), the same sizes as in the first run. The dropped frviiqj.exe hashes differ from nhadrjb.exe in the Windows 7 run and from the sample itself: each infection produces a distinct file, so hash-based blocking of the dropped copy will not generalize.
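A worked reading of the memory-dump names in both runs' Files sections, as an added example that is not from the report or the sandbox. It parses the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` pattern, computes each region's size, and reports the non-image region size that shows up in both the sample and its dropped copy. Assumptions not stated by the report: 0x400000 is the image base (it is the only region present in every process), and the identical-size rule is this example's own heuristic.

```python
"""Derive mapped-region sizes and cross-process matches from sandbox memory-dump names.

Added example, not part of the report. DUMPS is copied from the Files sections
of both runs; IMAGE_BASE and the "same size in parent and dropped copy" rule
are this example's assumptions.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names from the report. Win7 run: PID 1644 sample, 2152 nhadrjb.exe.
# Win10 run: PID 2044 sample, 2292 frviiqj.exe.
DUMPS = {
    "win7": [
        "memory/1644-0-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/1644-1-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/1644-2-0x0000000000320000-0x000000000037B000-memory.dmp",
        "memory/1644-8-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/2152-12-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/2152-13-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/2152-14-0x0000000000430000-0x000000000048B000-memory.dmp",
        "memory/2152-20-0x0000000000400000-0x0000000000426000-memory.dmp",
    ],
    "win10": [
        "memory/2044-0-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/2044-1-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/2044-2-0x00000000025A0000-0x00000000025FB000-memory.dmp",
        "memory/2044-10-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/2292-11-0x0000000000400000-0x0000000000426000-memory.dmp",
        "memory/2292-12-0x0000000001230000-0x000000000128B000-memory.dmp",
        "memory/2292-18-0x0000000000400000-0x0000000000426000-memory.dmp",
    ],
}

IMAGE_BASE = 0x400000   # assumed: the classic non-relocated base of a 32-bit PE


def parse_dump(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> dict with integer fields."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size": end - start}


def regions_by_pid(names):
    """{pid: {(start, size), ...}}; repeated dumps of the same range collapse to one."""
    regions = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        regions[d["pid"]].add((d["start"], d["size"]))
    return dict(regions)


def image_sizes(names):
    """Sizes of the region at IMAGE_BASE, per PID. Equal sizes across the sample and
    the dropped copy mean the copy maps a PE of the same size as the sample, even
    though the report shows its hash differs."""
    return {pid: {size for start, size in regs if start == IMAGE_BASE}
            for pid, regs in regions_by_pid(names).items()}


def shared_region_sizes(names):
    """Non-image region sizes dumped from more than one PID in the same run.
    A region of identical size in the original and in the dropped copy is the
    usual sign of the same unpacked stage being produced in both processes;
    that region, not the on-disk PE, is the one to carve for strings."""
    by_size = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for start, size in regs:
            if start != IMAGE_BASE:
                by_size[size].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for run, names in DUMPS.items():
        print(run, "image sizes:",
              {p: [hex(s) for s in v] for p, v in image_sizes(names).items()})
        print(run, "shared non-image sizes:",
              {hex(s): p for s, p in shared_region_sizes(names).items()})
```

The same 0x5B000-byte region turns up in all four processes, so when pulling dumps from the sandbox, the `-2-`/`-14-` (Windows 7) and `-2-`/`-12-` (Windows 10) files are the ones to run strings and a PE carver over first.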