Malware Analysis Report

2025-03-14 23:42

Sample ID: 240407-xf12hsbd5t
Target: 1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5
SHA256: 1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5
Tags: persistence
Score: 8/10


Analysis Overview

Score: 8/10
SHA256: 1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5
Threat Level: Likely malicious

The file 1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5 was found to be: Likely malicious.

Malicious Activity Summary

Tag: persistence

Signatures:
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are rendered in this copy of the report. Of the signatures above, "Modifies AppInit DLL entries" corresponds to T1546.010 (Event Triggered Execution: AppInit DLLs), the only persistence-tagged behaviour in the run.

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:48

Signatures

Unsigned PE
The sample carries no Authenticode signature. This is a static property of the file, so the report attaches no indicator, process or target to it.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 18:48
Reported: 2024-04-07 18:51
Platform: win7-20240215-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe"

Signatures

Modifies AppInit DLL entries (persistence)
The report attaches no indicator row to this signature, so the value written is not visible here. The relevant values live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (and its Wow6432Node mirror on 64-bit systems): AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs. A DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll, which is how the dropped DLL below would gain execution on this platform.

Executes dropped EXE
Process: C:\PROGRA~3\Mozilla\racmzae.exe

Drops file in Program Files directory
File created: C:\PROGRA~3\Mozilla\racmzae.exe, by C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe
File created: C:\PROGRA~3\Mozilla\ttbtowf.dll, by C:\PROGRA~3\Mozilla\racmzae.exe
Note: C:\PROGRA~3 is an 8.3 short name. On a 64-bit system drive it normally resolves to C:\ProgramData (PROGRA~1 and PROGRA~2 being the two Program Files directories), so despite the signature's name the drop location is ProgramData\Mozilla. The "Mozilla" directory name is not evidence of any relation to Mozilla software; when hunting, compare normalized long paths, not the raw short-name string.

Suspicious use of WriteProcessMemory
PID 2680 (C:\Windows\system32\taskeng.exe) wrote to memory of PID 3056 (C:\PROGRA~3\Mozilla\racmzae.exe); the same event is reported four times.
Note: the writer is the Task Scheduler engine, not the sample, and the target is the dropped executable it launched. On Windows 7 the parent commonly writes the new process's parameters into the child during process creation, so this signature here is a side effect of racmzae.exe being started as a scheduled task rather than evidence of code injection by the sample.

Processes

PIDs below are inferred from the WriteProcessMemory rows and the memory dump names in the Files section.

C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe (PID 1756)
    "C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe"

C:\Windows\system32\taskeng.exe (PID 2680)
    taskeng.exe {1E8874E6-9B86-44C0-A6C7-08AEC106BC21} S-1-5-18:NT AUTHORITY\System:Service:
    Task Scheduler engine instance for the SYSTEM account (S-1-5-18). It is the process that wrote into racmzae.exe, which indicates the dropped executable was launched by a scheduled task running as SYSTEM rather than directly by the sample. No schtasks.exe process appears in the trace, so the task registration itself is not visible in this report.

C:\PROGRA~3\Mozilla\racmzae.exe (PID 3056)
    C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
    The single random-looking switch is the only argument. The executable name, the DLL name and the switch all differ in behavioral2 (ohfxkha.exe, hdgkqaj.dll, -jmpzska), so they are generated per execution and should not be used as static indicators.

Network

N/A: no network activity was recorded during the 121s network window on this platform.

Files

Memory dumps (PID-sequence-range):
memory/1756-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1756-1-0x0000000002020000-0x000000000207B000-memory.dmp
memory/1756-7-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3056-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3056-11-0x0000000000300000-0x000000000035B000-memory.dmp
memory/3056-17-0x0000000000400000-0x0000000000429000-memory.dmp

Dropped file: C:\PROGRA~3\Mozilla\racmzae.exe
MD5    acfbbc7e58fe031d2eebdd6ff3500632
SHA1   63903627373287f2ff8065d23d5c1e8a0cb10994
SHA256 826ecc90f3102e5fdbf920b06c8cf3d6548cd3e222d5fe65e09f7d3a2b9be6ec
SHA512 41050d48705891a414d9f3136f16d90046d6f1a921b8338497549b8621c972e23d10d1d731c1d2bb5f02a6d1f20f2943b52571a189f42626fb9799b91bd556fa

Note: the dropped executable's hashes differ from both the submitted sample and from the ohfxkha.exe dropped in behavioral2, so each execution writes a distinct binary. The identical image range 0x400000-0x429000 in the sample (PID 1756) and the dropped process (PID 3056) is consistent with the dropped file being a modified copy of the same image. Hash the dropped file in your own environment rather than relying on these values as indicators. No hash is given for ttbtowf.dll because the report did not capture that file.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 18:48
Reported: 2024-04-07 18:51
Platform: win10v2004-20240226-en
Max time kernel: 92s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe"

Signatures

Modifies AppInit DLL entries (persistence)
As in behavioral1, no indicator row is attached, so the value written is not shown. On Windows 8 and later the AppInit_DLLs mechanism is disabled when Secure Boot is enabled, so a registry write on the win10 image does not by itself prove the DLL would load; check LoadAppInit_DLLs and the host's Secure Boot state before treating the persistence as effective.

Executes dropped EXE
Process: C:\PROGRA~3\Mozilla\ohfxkha.exe

Drops file in Program Files directory
File created: C:\PROGRA~3\Mozilla\ohfxkha.exe, by C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe
File created: C:\PROGRA~3\Mozilla\hdgkqaj.dll, by C:\PROGRA~3\Mozilla\ohfxkha.exe
Note: C:\PROGRA~3 is the 8.3 short name that normally resolves to C:\ProgramData on a 64-bit system drive, not a Program Files directory. The executable name, DLL name and command-line switch all differ from the win7 run, so the names are generated per execution.

No WriteProcessMemory signature fired on this platform. That is consistent with Windows 10 launching scheduled tasks from the Schedule service inside svchost.exe rather than a taskeng.exe instance; the report does not show the parent of ohfxkha.exe.
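The signatures in behavioral1 and behavioral2 hinge on two things a naive path-string comparison misses: the AppInit_DLLs write and the drop of a PE into ProgramData through an 8.3 short name, plus the launch of the dropped executable by a scheduled-task host. The following is an added example, not part of the sandbox report or the sample, that runs that detection logic over constructed Sysmon-style events modelled on the paths in both runs. The registry value contents, the Sysmon field names and the 64-bit short-name mapping are assumptions, since the report does not show them.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events (ProcessCreate = 1, FileCreate = 11, RegistryEvent = 13).
Added example; the events below are modelled on the report, not taken from it."""
import re

# 8.3 short names as they resolve on a 64-bit system drive.
# ASSUMPTION: the sandbox images are 64-bit; on 32-bit Windows, PROGRA~2 is ProgramData.
SHORT_NAME_MAP = {
    r"c:\progra~1": r"c:\program files",
    r"c:\progra~2": r"c:\program files (x86)",
    r"c:\progra~3": r"c:\programdata",
}
APPINIT_KEYS = {
    r"hklm\software\microsoft\windows nt\currentversion\windows",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows",
}
# Scheduled-task hosts: taskeng.exe on Windows 7, the Schedule svchost on Windows 10.
TASK_HOSTS = {r"c:\windows\system32\taskeng.exe", r"c:\windows\system32\svchost.exe"}
PROGRAMDATA = "c:\\programdata\\"
WINDOWS_DIR = "c:\\windows\\"


def normalize_path(path):
    """Lower-case, strip quotes and expand known 8.3 prefixes so that
    C:\\PROGRA~3\\x and C:\\ProgramData\\x compare equal."""
    p = path.strip().strip('"').lower()
    for short, long_form in SHORT_NAME_MAP.items():
        if p.startswith(short):
            return long_form + p[len(short):]
    return p


def dword_value(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return int or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def detect(events):
    """Return a list of (rule, detail) findings over an event trace."""
    findings, drops, appinit_dlls = [], {}, []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            target = normalize_path(ev["TargetFilename"])
            if target.startswith(PROGRAMDATA) and target.endswith((".exe", ".dll")):
                drops[target] = normalize_path(ev["Image"])
                findings.append(("programdata_pe_drop", target))
        elif eid == 13:
            key, _, value = ev["TargetObject"].lower().rpartition("\\")
            if key not in APPINIT_KEYS:
                continue
            details = ev["Details"].strip()
            if value == "appinit_dlls" and details:
                # AppInit_DLLs is space- or comma-separated, hence 8.3 names in practice.
                for dll in re.split(r"[ ,;]+", details):
                    d = normalize_path(dll)
                    appinit_dlls.append(d)
                    if not d.startswith(WINDOWS_DIR):
                        findings.append(("appinit_dll_outside_windows", d))
            elif value == "loadappinit_dlls" and dword_value(details) not in (0, None):
                findings.append(("appinit_loading_enabled", normalize_path(ev["Image"])))
            elif value == "requiresignedappinit_dlls" and dword_value(details) == 0:
                findings.append(("appinit_signature_check_disabled", normalize_path(ev["Image"])))
        elif eid == 1:
            image = normalize_path(ev["Image"])
            if normalize_path(ev["ParentImage"]) in TASK_HOSTS and image.startswith(PROGRAMDATA):
                findings.append(("scheduled_task_runs_from_programdata", image))
    # Correlation: a DLL registered for AppInit that was also dropped in this trace.
    for d in appinit_dlls:
        if d in drops:
            findings.append(("appinit_dll_was_dropped", f"{d} by {drops[d]}"))
    return findings


SAMPLE_EVENTS = [  # constructed from the paths in behavioral1; the registry rows are assumed
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "TargetFilename": r"C:\PROGRA~3\Mozilla\racmzae.exe"},
    {"EventID": 11, "Image": r"C:\PROGRA~3\Mozilla\racmzae.exe",
     "TargetFilename": r"C:\PROGRA~3\Mozilla\ttbtowf.dll"},
    {"EventID": 1, "Image": r"C:\PROGRA~3\Mozilla\racmzae.exe",
     "ParentImage": r"C:\Windows\system32\taskeng.exe"},
    {"EventID": 13, "Image": r"C:\PROGRA~3\Mozilla\racmzae.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\PROGRA~3\Mozilla\ttbtowf.dll"},
    {"EventID": 13, "Image": r"C:\PROGRA~3\Mozilla\racmzae.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs",
     "Details": "DWORD (0x00000001)"},
    # Benign control: an installer registering a DLL under System32 is not flagged by the path rule.
    {"EventID": 13, "Image": r"C:\Windows\system32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\Windows\System32\vendor.dll"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

The path rule alone produces noise from legitimate installers that register DLLs under System32, which is why the benign control event is not flagged; the correlation rule (a DLL registered in AppInit_DLLs that the same trace saw being created under ProgramData) is the high-confidence signal for this sample's behaviour. On a 32-bit host, swap the short-name mapping before reusing the normalizer.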

Processes

PIDs below are inferred from the memory dump names in the Files section.

C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe (PID 4940)
    "C:\Users\Admin\AppData\Local\Temp\1392dbbbb8163d293dfa2ae3166ed5b8ba14befa04eb6a1fa996870e24d1b4f5.exe"

C:\PROGRA~3\Mozilla\ohfxkha.exe (PID 3604)
    C:\PROGRA~3\Mozilla\ohfxkha.exe -jmpzska
    Same pattern as racmzae.exe -cddhnyc in behavioral1: a freshly named copy in ProgramData\Mozilla started with a single random-looking switch. No parent process is shown for it in this run.

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           183.142.211.20.in-addr.arpa    udp
US       8.8.8.8:53           240.197.17.2.in-addr.arpa      udp
US       8.8.8.8:53           68.32.126.40.in-addr.arpa      udp
NL       52.142.223.178:80    (none)                         tcp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53           17.143.109.104.in-addr.arpa    udp
US       8.8.8.8:53           249.197.17.2.in-addr.arpa      udp

Note: every DNS entry is a reverse (PTR) lookup against 8.8.8.8, and the report does not attribute any connection to a process. The addresses being resolved (20.211.142.183, 2.17.197.240, 40.126.32.68, 20.106.86.13, 20.12.23.50, 52.165.164.15, 104.109.143.17, 2.17.197.249) and the single TCP destination 52.142.223.178 all fall in Microsoft and Akamai ranges that a Windows 10 image contacts on its own, and the win7 run produced no network activity at all. Treat this traffic as sandbox background rather than command-and-control unless a process-attributed capture shows otherwise.

Files

Memory dumps (PID-sequence-range):
memory/4940-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4940-1-0x0000000000A00000-0x0000000000A5B000-memory.dmp
memory/4940-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3604-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3604-11-0x00000000005B0000-0x000000000060B000-memory.dmp
memory/3604-17-0x0000000000400000-0x0000000000429000-memory.dmp

Dropped file: C:\PROGRA~3\Mozilla\ohfxkha.exe
MD5    4e440949042f772035643fe5a1a579b1
SHA1   8ca37f8720a8fdf288a0435e8250214c87591f95
SHA256 eede4509e92851a84d91509d74085027d3f9077b7650bed9ddb51e8287e0ee41
SHA512 53ef4a75e657ba422f569cb3eb72ecb12275b1a102d818c352dd222420d3e4efb60812ef88dc7c17a9e4984d14c69fe995eae74ccddb4514f55f2be0e289329e

Note: these hashes differ from the racmzae.exe dropped in behavioral1 and from the submitted sample, confirming that the dropped binary is unique per execution. The 0x400000-0x429000 image range recurs in both PIDs here as in the win7 run. No hash is given for hdgkqaj.dll because the report did not capture that file; for hunting, prefer the behavioural indicators (a PE written to ProgramData\Mozilla followed by an AppInit_DLLs change) over these file hashes.