Malware Analysis Report

2025-01-22 12:25

Sample ID 240515-2xstpagg36
Target 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae
SHA256 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae
Tags
aspackv2 persistence
score
10/10

Analysis Overview

score
10/10

SHA256

67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae

Threat Level: Known bad

The file 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence

Detects executables packed with ASPack

Modifies AppInit DLL entries

ASPack v2.12-2.42

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 22:58

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 22:58

Reported

2024-05-15 23:00

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\dbilzqh.exe C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe N/A
File created C:\PROGRA~3\Mozilla\zxoabnc.dll C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe
PID 2756 wrote to memory of 2140 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe

"C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {964F5C60-9C9F-4CD4-9B5B-0337396C44B7} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

Network

N/A

Files

memory/1924-4-0x0000000000370000-0x00000000003CB000-memory.dmp

memory/1924-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1924-2-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1924-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1924-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1924-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 8346cff904bddb28c9c135287ea00fa6
SHA1 e480fce63d9ed52ec6105de6387333a07033224b
SHA256 3c4addbb4b022a444dd1256471f77c15090dd1d138a25147d66ee32b2e5fd69b
SHA512 b4d5cc3051bca0db26772cb30799d50b0ad0cde44ad0763089702aadb7154d94252347b28b05b1e746e32bddb4cb69e91fba9104bf740e71a34622e454c64252

memory/2140-11-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2140-12-0x0000000000460000-0x00000000004BB000-memory.dmp

memory/2140-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2140-15-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 22:58

Reported

2024-05-15 23:00

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

Modifies AppInit DLL entries

persistence

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\ywswmda.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\ywswmda.exe C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe N/A
File created C:\PROGRA~3\Mozilla\dzldqrl.dll C:\PROGRA~3\Mozilla\ywswmda.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe

"C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"

C:\PROGRA~3\Mozilla\ywswmda.exe

C:\PROGRA~3\Mozilla\ywswmda.exe -zhzkoil

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2752-0-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2752-1-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2752-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2752-3-0x00000000005C0000-0x000000000061B000-memory.dmp

memory/2752-2-0x0000000000400000-0x000000000045E000-memory.dmp

C:\ProgramData\Mozilla\ywswmda.exe

MD5 22bf184b346b0874c23d5130075185cd
SHA1 f3619428f261c0feb663e58a97a23bff143a2094
SHA256 7f46b5b673ca3f9cb7cff6714f04f5d15e48936daed965f09fdaf90b19010805
SHA512 da335846c0e2e9dba1bcc09dac144960c1a8d303906caf4ac7c28348287814e340fda83348d3f12540ebe841ec456876b49ced67e1b5d91d513a462a3aa06191

memory/752-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/752-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/752-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/752-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2752-13-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2752-14-0x00000000005C0000-0x000000000061B000-memory.dmp

memory/752-17-0x0000000000400000-0x000000000045B000-memory.dmp