Analysis Overview
SHA256
1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5
Threat Level: Likely malicious
The file 1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5 was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:48
Reported
2024-04-07 18:51
Platform
win7-20240215-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\racmzae.exe | C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\ttbtowf.dll | C:\PROGRA~3\Mozilla\racmzae.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2680 wrote to memory of 3056 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
| PID 2680 wrote to memory of 3056 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
| PID 2680 wrote to memory of 3056 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
| PID 2680 wrote to memory of 3056 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe
"C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {1E8874E6-9B86-44C0-A6C7-08AEC106BC21} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\racmzae.exe
C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
Network
Files
memory/1756-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1756-1-0x0000000002020000-0x000000000207B000-memory.dmp
memory/1756-7-0x0000000000400000-0x0000000000429000-memory.dmp
C:\PROGRA~3\Mozilla\racmzae.exe
| Hash | Value |
| --- | --- |
| MD5 | acfbbc7e58fe031d2eebdd6ff3500632 |
| SHA1 | 63903627373287f2ff8065d23d5c1e8a0cb10994 |
| SHA256 | 826ecc90f3102e5fdbf920b06c8cf3d6548cd3e222d5fe65e09f7d3a2b9be6ec |
| SHA512 | 41050d48705891a414d9f3136f16d90046d6f1a921b8338497549b8621c972e23d10d1d731c1d2bb5f02a6d1f20f2943b52571a189f42626fb9799b91bd556fa |
memory/3056-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3056-11-0x0000000000300000-0x000000000035B000-memory.dmp
memory/3056-17-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:48
Reported
2024-04-07 18:51
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\ohfxkha.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\ohfxkha.exe | C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\hdgkqaj.dll | C:\PROGRA~3\Mozilla\ohfxkha.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe
"C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe"
C:\PROGRA~3\Mozilla\ohfxkha.exe
C:\PROGRA~3\Mozilla\ohfxkha.exe -jmpzska
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
memory/4940-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4940-1-0x0000000000A00000-0x0000000000A5B000-memory.dmp
C:\PROGRA~3\Mozilla\ohfxkha.exe
| Hash | Value |
| --- | --- |
| MD5 | 4e440949042f772035643fe5a1a579b1 |
| SHA1 | 8ca37f8720a8fdf288a0435e8250214c87591f95 |
| SHA256 | eede4509e92851a84d91509d74085027d3f9077b7650bed9ddb51e8287e0ee41 |
| SHA512 | 53ef4a75e657ba422f569cb3eb72ecb12275b1a102d818c352dd222420d3e4efb60812ef88dc7c17a9e4984d14c69fe995eae74ccddb4514f55f2be0e289329e |
memory/4940-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3604-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3604-11-0x00000000005B0000-0x000000000060B000-memory.dmp
memory/3604-17-0x0000000000400000-0x0000000000429000-memory.dmp