Malware Analysis Report

2025-08-10 14:58

Sample ID 241112-patq9asdrf
Target ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
SHA256 ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22
Tags discovery persistence privilege_escalation
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10

SHA256

ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22

Threat Level: Likely malicious

The file ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation

Event Triggered Execution: AppInit DLLs

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 12:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 12:07

Reported

2024-11-12 12:10

Platform

win7-20241023-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\grzejjh.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\grzejjh.exe C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe N/A
File created C:\PROGRA~3\Mozilla\clclgsb.dll C:\PROGRA~3\Mozilla\grzejjh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~3\Mozilla\grzejjh.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\grzejjh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\grzejjh.exe
PID 2084 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\grzejjh.exe
PID 2084 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\grzejjh.exe
PID 2084 wrote to memory of 1712 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\grzejjh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe

"C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5A5015BD-78BC-4DD8-8B85-9CFB0C5B2C81} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\grzejjh.exe

C:\PROGRA~3\Mozilla\grzejjh.exe -kaflank

Network

N/A

Files

memory/2604-2-0x00000000002E0000-0x000000000033C000-memory.dmp

memory/2604-1-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2604-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2604-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\grzejjh.exe

MD5 4f1aa7b4ffba0ecd24ae0a9beb099b09
SHA1 4bf164f844716963c1ed43ddf6998c692b813d13
SHA256 6639d36141d41fc306fe9af096b5395d086df976c2ee0a66fdd6e65c0fd97693
SHA512 5b8236b7ad8d382385c328a29dcad6ebabeeb352bc82ed7d0f002373bc56f9b7a8cf7c792ae46a7fc2734b4950361a0414a9a607b25440024580bfbc68ef2af8

memory/1712-7-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1712-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1712-8-0x0000000000460000-0x00000000004BC000-memory.dmp

memory/1712-11-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 12:07

Reported

2024-11-12 12:10

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\hqortka.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\hqortka.exe C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe N/A
File created C:\PROGRA~3\Mozilla\osxrmrb.dll C:\PROGRA~3\Mozilla\hqortka.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~3\Mozilla\hqortka.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe

"C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe"

C:\PROGRA~3\Mozilla\hqortka.exe

C:\PROGRA~3\Mozilla\hqortka.exe -tayspuk

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/4804-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4804-1-0x00000000021F0000-0x000000000224C000-memory.dmp

memory/4804-2-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\hqortka.exe

MD5 ec239d7050e5774d5dc35bfcdb97e09b
SHA1 e55bb0437a7149e1444995c3e1e1f51705c16a34
SHA256 8874b464e3a1088ff011801a567f9bc6154fdb2b5431c123964e2ebc3332fab6
SHA512 e295738a18abfcda4f42a056c3f9bdf7a8a3111dd3a9b0dc64ab6d63519e3013e104358f04f989a69c9b19ba80c9c518c73e1e795a5b966d4ffdfc6dbd8142c6

memory/4804-9-0x00000000021F0000-0x000000000224C000-memory.dmp

memory/4804-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1272-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1272-11-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1272-13-0x0000000000400000-0x000000000045B000-memory.dmp