Analysis Overview
SHA256
9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71
Threat Level: Known bad
The file 9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71 was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with ASPack
Detects executables packed with ASPack
Modifies AppInit DLL entries
ASPack v2.12-2.42
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 00:55
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 00:55
Reported
2024-05-16 00:57
Platform
win7-20240220-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\wrvdfyg.exe | C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\klztrnd.dll | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
| PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
| PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
| PID 2172 wrote to memory of 3036 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
"C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {95425B78-01E2-46EA-B8C4-53B69FD23985} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\wrvdfyg.exe
C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
Network
Files
memory/1640-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1640-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1640-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1640-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1640-3-0x0000000000270000-0x00000000002CB000-memory.dmp
memory/1640-6-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1640-7-0x0000000000270000-0x00000000002CB000-memory.dmp
C:\PROGRA~3\Mozilla\wrvdfyg.exe
| MD5 | bf01c0405456924eee998af527198bd5 |
| SHA1 | 2fc3f90fdc139ca7fafbc42f09fd9686be545278 |
| SHA256 | 2e50d0ce7891ff26bc720133f573829946c97a6ac772f3015daa6b42a9f17b8e |
| SHA512 | d288730cf00c16aed104043adfc1785d114e491f9d2aadb7adb7f541dea2cd36c9362b835c55a342114638d47c8b4b93ffdff19f33d48f776c12561bb52d5204 |
memory/3036-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3036-13-0x00000000002A0000-0x00000000002FB000-memory.dmp
memory/3036-14-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3036-16-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 00:55
Reported
2024-05-16 00:57
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies AppInit DLL entries
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\iodncyc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\iodncyc.exe | C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\lrtatsc.dll | C:\PROGRA~3\Mozilla\iodncyc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe
"C:\Users\Admin\AppData\Local\Temp\9399024a407b940e462170e3610211919abb44f5b075f8db1ddba46a3e0eae71.exe"
C:\PROGRA~3\Mozilla\iodncyc.exe
C:\PROGRA~3\Mozilla\iodncyc.exe -szcyzql
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/2168-0-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2168-1-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2168-2-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2168-4-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2168-3-0x0000000001F60000-0x0000000001FBB000-memory.dmp
C:\ProgramData\Mozilla\iodncyc.exe
| MD5 | 66cae745ca1a9a48fae3b8c3de5e1c11 |
| SHA1 | 88c1ae678462f54fbc4c3068714e4e94b41c8d5f |
| SHA256 | af5cb06ef4d427a2a62b486c54c7a05fb5577fa21e0145640f4eccfd54850b9d |
| SHA512 | 8141e16b738d6c0974bb67a3085b4fdcb02bf013c79d0bf8d7d5f910392480516b4e6ac81cb4ee7933f6d9755285d03c2fa49094cc83f8ceff1617fc95a2f604 |
memory/2636-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2168-10-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2636-12-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2636-11-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2636-13-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2636-16-0x0000000000400000-0x000000000045B000-memory.dmp