Analysis Overview
SHA256
67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae
Threat Level: Known bad
The file 67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with ASPack
Modifies AppInit DLL entries
ASPack v2.12-2.42
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 22:58
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
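The static signatures above rest on two file-level properties that can be checked without running the sample: ASPack 2.x leaves its unpacking stub in sections it appends to the image (named ".aspack" and ".adata"), and "Unsigned PE" means the optional header's certificate-table data directory (index 4) is empty. The following parser is an added example, not code from the sandbox or from the report; it reads those fields straight from the PE headers and exercises them on a constructed header built by build_pe, since the sample itself is not reproduced here.

```python
import struct

# Section names ASPack 2.x appends to a packed image. This is a heuristic: a
# repacker can rename sections, and the report's "v2.12-2.42" range comes from a
# byte-pattern rule that this example does not reproduce.
ASPACK_SECTIONS = {".aspack", ".adata"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data):
    """Return (section_names, has_certificate_table) for a PE file held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories follow the standard + Windows-specific fields:
    # 96 bytes into a PE32 optional header, 112 into PE32+.
    dd_base = {0x10B: 96, 0x20B: 112}[magic]
    sec_dir = dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    has_cert = False
    if opt_size >= sec_dir + 8:
        cert_off, cert_size = struct.unpack_from("<II", data, opt + sec_dir)
        has_cert = cert_off != 0 and cert_size != 0
    sect = opt + opt_size                                       # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        raw = data[sect + 40 * i:sect + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names, has_cert


def classify(data):
    """Reproduce the two static verdicts: ASPack section names present, no certificate table."""
    names, has_cert = parse_pe(data)
    lowered = {n.lower() for n in names}
    return {"sections": names, "aspack": bool(lowered & ASPACK_SECTIONS), "unsigned": not has_cert}


def build_pe(section_names, cert_size=0):
    """Constructed minimal PE32 header (no code) so the parser can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))               # e_lfanew -> right after the DOS header
    opt_size = 224                                             # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if cert_size:                                              # fake certificate table entry
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 0x4000, cert_size)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(classify(build_pe([".text", ".data", ".aspack", ".adata"])))
    print(classify(build_pe([".text", ".rdata", ".data"], cert_size=0x1800)))
```

A non-empty certificate table only shows that a signature blob is attached; whether that Authenticode signature is valid and chains to a trusted root still has to be verified (for example with Get-AuthenticodeSignature or signtool). Conversely, "unsigned" plus packer sections is exactly the combination that makes a sample worth detonating.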
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 22:58
Reported
2024-05-15 23:00
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\dbilzqh.exe | C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\zxoabnc.dll | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\dbilzqh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
| PID 2756 wrote to memory of 2140 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\dbilzqh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
"C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {964F5C60-9C9F-4CD4-9B5B-0337396C44B7} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\dbilzqh.exe
C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
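Two details of the chain above matter for detection. First, C:\PROGRA~3 is the 8.3 alias that the Files section resolves to C:\ProgramData, so the "Program Files" signature actually fired on a drop under C:\ProgramData\Mozilla; a hunt that only watches Program Files misses it. Second, the WriteProcessMemory rows from PID 2756 are taskeng.exe, the Windows 7 Task Scheduler engine, starting dbilzqh.exe -kwinamg, which is the normal memory write a parent makes into a child it creates; the dropped EXE therefore runs from a scheduled task on Windows 7, while on Windows 10 (behavioral2) the sample starts ywswmda.exe directly. The rules below are an added example, not the sandbox's signatures: they replay the behavioral1 chain over constructed Sysmon-style events (the AppInit_DLLs value written is an assumption; the report only says the entries were modified) and fire on the pattern shared by both detonations: a seven-letter EXE in ProgramData\Mozilla, a seven-letter switch, a seven-letter DLL dropped beside it, and a write to AppInit_DLLs.

```python
import re

# 8.3 aliases for the top-level directories. Short names are assigned per machine in
# creation order, so this table is an assumption that happens to match the report,
# where C:\PROGRA~3\Mozilla\ywswmda.exe is listed under Files as C:\ProgramData\Mozilla\ywswmda.exe.
SHORT_NAMES = {"PROGRA~1": "Program Files", "PROGRA~2": "Program Files (x86)", "PROGRA~3": "ProgramData"}
DROP_DIR = "c:\\programdata\\mozilla\\"
RANDOM_NAME = re.compile(r"^[a-z]{7}\.(exe|dll)$")       # dbilzqh.exe, zxoabnc.dll, ywswmda.exe, dzldqrl.dll
RANDOM_SWITCH = re.compile(r"\s-[a-z]{7}\s*$")           # -kwinamg, -zhzkoil
APPINIT_KEY = re.compile(r"\\currentversion\\windows\\appinit_dlls$")   # also matches the Wow6432Node key
TASK_HOSTS = {"c:\\windows\\system32\\taskeng.exe"}      # Task Scheduler engine seen as parent in behavioral1


def norm(path):
    """Lower-case a Windows path and expand the 8.3 aliases in SHORT_NAMES."""
    parts = [SHORT_NAMES.get(p.upper(), p) for p in path.strip('"').split("\\")]
    return "\\".join(parts).lower()


def analyze(events):
    """Run the rules over Sysmon-style events; return (rule, pid, detail) findings."""
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        image = norm(ev.get("Image", ""))
        if eid == 11:                                    # FileCreate
            target = norm(ev["TargetFilename"])
            name = target.rsplit("\\", 1)[-1]
            if target.startswith(DROP_DIR) and RANDOM_NAME.match(name):
                rule = "dll_dropped_beside_exe" if name.endswith(".dll") else "exe_dropped_in_programdata"
                findings.append((rule, pid, target))
        elif eid == 1:                                   # ProcessCreate
            name = image.rsplit("\\", 1)[-1]
            cmd = norm(ev.get("CommandLine", ""))
            if image.startswith(DROP_DIR) and RANDOM_NAME.match(name) and RANDOM_SWITCH.search(cmd):
                findings.append(("executes_dropped_exe", pid, cmd))
                parent = norm(ev.get("ParentImage", ""))
                if parent in TASK_HOSTS:
                    findings.append(("launched_by_task_scheduler", pid, parent))
        elif eid == 13 and APPINIT_KEY.search(norm(ev["TargetObject"])):   # RegistryValueSet
            findings.append(("appinit_dlls_modified", pid, ev.get("Details", "")))
    return findings


def fired_rules(events):
    """Distinct rule names that fired, sorted for stable comparison."""
    return sorted({rule for rule, _, _ in analyze(events)})


# Constructed events replaying behavioral1 (PIDs and paths taken from the report,
# the AppInit_DLLs value and the benign Firefox start are assumptions).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"
DROPPED = r"C:\PROGRA~3\Mozilla\dbilzqh.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1924, "Image": SAMPLE, "CommandLine": '"' + SAMPLE + '"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 1924, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 2140, "Image": DROPPED, "CommandLine": DROPPED + " -kwinamg",
     "ParentImage": r"C:\Windows\system32\taskeng.exe"},
    {"EventID": 11, "ProcessId": 2140, "Image": DROPPED, "TargetFilename": r"C:\PROGRA~3\Mozilla\zxoabnc.dll"},
    {"EventID": 13, "ProcessId": 2140, "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ProgramData\Mozilla\zxoabnc.dll"},
    {"EventID": 1, "ProcessId": 3000, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -profile default',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The AppInit_DLLs rule is the one worth keeping even without the rest: any write to that value is rare on a managed host, and a DLL loaded through it ends up in every process that loads user32.dll. The name and switch patterns are tuned to these two detonations and will need loosening if the generator changes length, which is why the rules are combined rather than alerted on individually.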
Network
Files
memory/1924-4-0x0000000000370000-0x00000000003CB000-memory.dmp
memory/1924-3-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1924-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1924-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1924-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1924-6-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\dbilzqh.exe
| MD5 | 8346cff904bddb28c9c135287ea00fa6 |
| SHA1 | e480fce63d9ed52ec6105de6387333a07033224b |
| SHA256 | 3c4addbb4b022a444dd1256471f77c15090dd1d138a25147d66ee32b2e5fd69b |
| SHA512 | b4d5cc3051bca0db26772cb30799d50b0ad0cde44ad0763089702aadb7154d94252347b28b05b1e746e32bddb4cb69e91fba9104bf740e71a34622e454c64252 |
memory/2140-11-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2140-12-0x0000000000460000-0x00000000004BB000-memory.dmp
memory/2140-13-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2140-15-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 22:58
Reported
2024-05-15 23:00
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
103s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\ywswmda.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\ywswmda.exe | C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\dzldqrl.dll | C:\PROGRA~3\Mozilla\ywswmda.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe
"C:\Users\Admin\AppData\Local\Temp\67029a3e4710b8ef5633a14c3e4692257898367cfa41c7a831769ed4d7efcfae.exe"
C:\PROGRA~3\Mozilla\ywswmda.exe
C:\PROGRA~3\Mozilla\ywswmda.exe -zhzkoil
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2752-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2752-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2752-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2752-3-0x00000000005C0000-0x000000000061B000-memory.dmp
memory/2752-2-0x0000000000400000-0x000000000045E000-memory.dmp
C:\ProgramData\Mozilla\ywswmda.exe
| MD5 | 22bf184b346b0874c23d5130075185cd |
| SHA1 | f3619428f261c0feb663e58a97a23bff143a2094 |
| SHA256 | 7f46b5b673ca3f9cb7cff6714f04f5d15e48936daed965f09fdaf90b19010805 |
| SHA512 | da335846c0e2e9dba1bcc09dac144960c1a8d303906caf4ac7c28348287814e340fda83348d3f12540ebe841ec456876b49ced67e1b5d91d513a462a3aa06191 |
memory/752-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/752-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/752-12-0x0000000000400000-0x000000000045E000-memory.dmp
memory/752-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2752-13-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2752-14-0x00000000005C0000-0x000000000061B000-memory.dmp
memory/752-17-0x0000000000400000-0x000000000045B000-memory.dmp