Analysis Overview
SHA256
a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3
Threat Level: Known bad
The file a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3 was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with ASPack
Modifies AppInit DLL entries
Executes dropped EXE
ASPack v2.12-2.42
Drops file in Program Files directory
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 01:06
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 01:06
Reported
2024-05-10 01:08
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\gjsfhjk.exe | C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\eurgebe.dll | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe |
| PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe |
| PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe |
| PID 1248 wrote to memory of 2492 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe
"C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {5A427E5C-F009-4146-9259-2346746A8C52} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\gjsfhjk.exe
C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl
Network
Files
memory/112-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/112-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/112-2-0x00000000002F0000-0x000000000034B000-memory.dmp
memory/112-3-0x0000000000400000-0x000000000045B000-memory.dmp
memory/112-5-0x0000000000400000-0x000000000045B000-memory.dmp
memory/112-6-0x00000000002F0000-0x000000000034B000-memory.dmp
C:\PROGRA~3\Mozilla\gjsfhjk.exe
| Hash | Value |
| --- | --- |
| MD5 | 5059ba1ba808ecd5cc117978a3ff1e6c |
| SHA1 | fbb107354c9b9ad5a5aa0f5970afa46eede44302 |
| SHA256 | ccc9bd54e05a8ccbfaaab31c031aef25528db215da636ec506cf94af2ae8cdf7 |
| SHA512 | 143bc11da52884b7ae68f761ba37d4e1e42abd0c8a3ffc4e4cd8d7223a4c0f995170c04e84dadc9b2f5a5cf79da3bfa0cacfd739adb3d0a81d427a879fe79d63 |
memory/2492-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2492-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2492-11-0x0000000000590000-0x00000000005EB000-memory.dmp
memory/2492-12-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2492-14-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 01:06
Reported
2024-05-10 01:09
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
131s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\teoghah.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\nvzdrxb.dll | C:\PROGRA~3\Mozilla\teoghah.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\teoghah.exe | C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe
"C:\Users\Admin\AppData\Local\Temp\a3d6f4702aafcf599b22575bef00bc4085969ba61cd906407f8a3961c84ff5f3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4220,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
C:\PROGRA~3\Mozilla\teoghah.exe
C:\PROGRA~3\Mozilla\teoghah.exe -cjiekkn
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3984-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3984-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3984-2-0x0000000001FB0000-0x000000000200B000-memory.dmp
memory/3984-3-0x0000000000400000-0x000000000045B000-memory.dmp
C:\ProgramData\Mozilla\teoghah.exe
| Hash | Value |
| --- | --- |
| MD5 | 697421a934c78b96a8d43da5a8141379 |
| SHA1 | 2116daa637bb7c64e2f40187067d9bf295a68da3 |
| SHA256 | b0f1a5f1322d61a02d6251a2a515901555279c13d90f2e6c0fa0a550c7de0eff |
| SHA512 | 3ea30f65c4efc440c2ad3e5232105f488531d656c460403c0b8ac77f978a5f953e0dbe134eda35f339f23c5bd670a7bd9b8cefc758d0b59ea9de0758bf7718d9 |
memory/4428-7-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4428-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4428-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3984-12-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4428-15-0x0000000000400000-0x000000000045B000-memory.dmp