Malware Analysis Report

2025-03-15 05:42

Sample ID: 240510-bf868sda64
Target: a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3
SHA256: a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3
Tags: aspackv2, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3

Threat Level: Known bad

The file a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence

Detects executables packed with ASPack

Modifies AppInit DLL entries

Executes dropped EXE

ASPack v2.12-2.42

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-10 01:06

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ASPack v2.12-2.42 (tag: aspackv2)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 01:06
Reported: 2024-05-10 01:08
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries (tag: persistence)

ASPack v2.12-2.42 (tag: aspackv2)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\gjsfhjk.exe | C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe | N/A
File created | C:\PROGRA~3\Mozilla\eurgebe.dll | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe

"C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5A427E5C-F009-4146-9259-2346746A8C52} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\gjsfhjk.exe

C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl

Network

N/A

Files

Memory dumps:
memory/112-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/112-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/112-2-0x00000000002F0000-0x000000000034B000-memory.dmp
memory/112-3-0x0000000000400000-0x000000000045B000-memory.dmp
memory/112-5-0x0000000000400000-0x000000000045B000-memory.dmp
memory/112-6-0x00000000002F0000-0x000000000034B000-memory.dmp

Dropped file: C:\PROGRA~3\Mozilla\gjsfhjk.exe
MD5: 5059ba1ba808ecd5cc117978a3ff1e6c
SHA1: fbb107354c9b9ad5a5aa0f5970afa46eede44302
SHA256: ccc9bd54e05a8ccbfaaab31c031aef25528db215da636ec506cf94af2ae8cdf7
SHA512: 143bc11da52884b7ae68f761ba37d4e1e42abd0c8a3ffc4e4cd8d7223a4c0f995170c04e84dadc9b2f5a5cf79da3bfa0cacfd739adb3d0a81d427a879fe79d63

Memory dumps:
memory/2492-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2492-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2492-11-0x0000000000590000-0x00000000005EB000-memory.dmp
memory/2492-12-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2492-14-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-10 01:06
Reported: 2024-05-10 01:09
Platform: win10v2004-20240508-en
Max time kernel: 125s
Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies AppInit DLL entries (tag: persistence)

ASPack v2.12-2.42 (tag: aspackv2)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\teoghah.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\nvzdrxb.dll | C:\PROGRA~3\Mozilla\teoghah.exe | N/A
File created | C:\PROGRA~3\Mozilla\teoghah.exe | C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe

"C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4220,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8

C:\PROGRA~3\Mozilla\teoghah.exe

C:\PROGRA~3\Mozilla\teoghah.exe -cjiekkn

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
BE | 88.221.83.187:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

Memory dumps:
memory/3984-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3984-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3984-2-0x0000000001FB0000-0x000000000200B000-memory.dmp
memory/3984-3-0x0000000000400000-0x000000000045B000-memory.dmp

Dropped file: C:\ProgramData\Mozilla\teoghah.exe
MD5: 697421a934c78b96a8d43da5a8141379
SHA1: 2116daa637bb7c64e2f40187067d9bf295a68da3
SHA256: b0f1a5f1322d61a02d6251a2a515901555279c13d90f2e6c0fa0a550c7de0eff
SHA512: 3ea30f65c4efc440c2ad3e5232105f488531d656c460403c0b8ac77f978a5f953e0dbe134eda35f339f23c5bd670a7bd9b8cefc758d0b59ea9de0758bf7718d9

Memory dumps:
memory/4428-7-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4428-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4428-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3984-12-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4428-15-0x0000000000400000-0x000000000045B000-memory.dmp