Malware Analysis Report

2025-04-03 13:11

Sample ID: 241109-11dcqswmcm
Target: 4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18
SHA256: 4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18
Tags: discovery persistence privilege_escalation
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18

Threat Level: Likely malicious

The file 4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation

Event Triggered Execution: AppInit DLLs

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-11-09 22:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 22:06
Reported: 2024-11-09 22:09
Platform: win7-20240903-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\vuhvodg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\vuhvodg.exe | C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe | N/A
File created | C:\PROGRA~3\Mozilla\zcwirze.dll | C:\PROGRA~3\Mozilla\vuhvodg.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~3\Mozilla\vuhvodg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\vuhvodg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 1908 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\vuhvodg.exe
PID 2040 wrote to memory of 1908 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\vuhvodg.exe
PID 2040 wrote to memory of 1908 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\vuhvodg.exe
PID 2040 wrote to memory of 1908 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\vuhvodg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe

"C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6598E0A7-15C8-4C2B-9C91-978C5F927925} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\vuhvodg.exe

C:\PROGRA~3\Mozilla\vuhvodg.exe -nwlnhvb

Network

N/A

Files

memory/1924-2-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1924-1-0x00000000004D0000-0x000000000052B000-memory.dmp

memory/1924-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1924-4-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1924-5-0x00000000004D0000-0x000000000052B000-memory.dmp

C:\PROGRA~3\Mozilla\vuhvodg.exe

MD5 12e2879b0cd955477cca7ab03bd56bb6
SHA1 013675dcba2614b622860a7a8fffc4bfce163425
SHA256 953173810ce10fb03aed3abd6e4bfda872cd42dca0639b54a9af8aa633b814bf
SHA512 ce11e94d5e31b6c666d59daebed1a338944b6fd3204dc96b7b152de235fa88b391676a5a50e035737bb7a35df3ec5b80f911c699505e7f427b40c42d4dd725ad

memory/1908-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1908-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1908-11-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 22:06
Reported: 2024-11-09 22:09
Platform: win10v2004-20241007-en
Max time kernel: 92s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\kifkuel.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\kifkuel.exe | C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe | N/A
File created | C:\PROGRA~3\Mozilla\vrazdod.dll | C:\PROGRA~3\Mozilla\kifkuel.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~3\Mozilla\kifkuel.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe

"C:\Users\Admin\AppData\Local\Temp\4dbe2ea6934752b7bb9ab02740f5984c0d38db944c56631d27b69eeac56fdc18.exe"

C:\PROGRA~3\Mozilla\kifkuel.exe

C:\PROGRA~3\Mozilla\kifkuel.exe -dljjxbn

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp

Files

memory/4112-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4112-1-0x0000000000630000-0x000000000068B000-memory.dmp

memory/4112-2-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4112-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\kifkuel.exe

MD5 70ce56de7ba8f7cbbbe1717f4997ea57
SHA1 ca9aea708b91b6ca097ea6f596d572ab5991ca78
SHA256 86d58056f73fa230ba90a6cfb5a4e0c81d7fda1d0932c94fb3674d519e8a303d
SHA512 843e7941d7028db4aa801d1cfc723417755ae7c3815148fb8e5466f3e2ce7166de02c5be36a9c19944245c7831eb0f28f1100eb54750187f7cb9075a5796c5b6

memory/1164-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1164-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4112-9-0x0000000000630000-0x000000000068B000-memory.dmp

memory/1164-13-0x0000000000400000-0x000000000045B000-memory.dmp