Analysis Overview
SHA256
ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22
Threat Level: Likely malicious
The file ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe was found to be: Likely malicious.
Malicious Activity Summary
Event Triggered Execution: AppInit DLLs
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 12:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 12:07
Reported
2024-11-12 12:10
Platform
win7-20241023-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Event Triggered Execution: AppInit DLLs
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\grzejjh.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\grzejjh.exe | C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\clclgsb.dll | C:\PROGRA~3\Mozilla\grzejjh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~3\Mozilla\grzejjh.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\grzejjh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2084 wrote to memory of 1712 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\grzejjh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
"C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {5A5015BD-78BC-4DD8-8B85-9CFB0C5B2C81} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\grzejjh.exe
C:\PROGRA~3\Mozilla\grzejjh.exe -kaflank
Network
Files
memory/2604-2-0x00000000002E0000-0x000000000033C000-memory.dmp
memory/2604-1-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2604-0-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2604-4-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\grzejjh.exe
| MD5 | 4f1aa7b4ffba0ecd24ae0a9beb099b09 |
| SHA1 | 4bf164f844716963c1ed43ddf6998c692b813d13 |
| SHA256 | 6639d36141d41fc306fe9af096b5395d086df976c2ee0a66fdd6e65c0fd97693 |
| SHA512 | 5b8236b7ad8d382385c328a29dcad6ebabeeb352bc82ed7d0f002373bc56f9b7a8cf7c792ae46a7fc2734b4950361a0414a9a607b25440024580bfbc68ef2af8 |
memory/1712-7-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1712-9-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1712-8-0x0000000000460000-0x00000000004BC000-memory.dmp
memory/1712-11-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 12:07
Reported
2024-11-12 12:10
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
151s
Command Line
Signatures
Event Triggered Execution: AppInit DLLs
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\PROGRA~3\Mozilla\hqortka.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\PROGRA~3\Mozilla\hqortka.exe | C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\osxrmrb.dll | C:\PROGRA~3\Mozilla\hqortka.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~3\Mozilla\hqortka.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
"C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe"
C:\PROGRA~3\Mozilla\hqortka.exe
C:\PROGRA~3\Mozilla\hqortka.exe -tayspuk
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
memory/4804-0-0x0000000000400000-0x000000000045B000-memory.dmp
memory/4804-1-0x00000000021F0000-0x000000000224C000-memory.dmp
memory/4804-2-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\hqortka.exe
| MD5 | ec239d7050e5774d5dc35bfcdb97e09b |
| SHA1 | e55bb0437a7149e1444995c3e1e1f51705c16a34 |
| SHA256 | 8874b464e3a1088ff011801a567f9bc6154fdb2b5431c123964e2ebc3332fab6 |
| SHA512 | e295738a18abfcda4f42a056c3f9bdf7a8a3111dd3a9b0dc64ab6d63519e3013e104358f04f989a69c9b19ba80c9c518c73e1e795a5b966d4ffdfc6dbd8142c6 |
memory/4804-9-0x00000000021F0000-0x000000000224C000-memory.dmp
memory/4804-8-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1272-10-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1272-11-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1272-13-0x0000000000400000-0x000000000045B000-memory.dmp