Malware Analysis Report

2025-08-10 14:57

Sample ID 241112-pcwzdsselb
Target b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
SHA256 b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e
Tags discovery persistence privilege_escalation
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e

Threat Level: Likely malicious

The file b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence privilege_escalation

Event Triggered Execution: AppInit DLLs

Executes dropped EXE

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-12 12:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-12 12:11
Reported 2024-11-12 12:14
Platform win7-20240903-en
Max time kernel 122s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\cpfmqte.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\cpfmqte.exe C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe N/A
File created C:\PROGRA~3\Mozilla\zbgopeh.dll C:\PROGRA~3\Mozilla\cpfmqte.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~3\Mozilla\cpfmqte.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\cpfmqte.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2292 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\cpfmqte.exe
PID 1736 wrote to memory of 2292 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\cpfmqte.exe
PID 1736 wrote to memory of 2292 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\cpfmqte.exe
PID 1736 wrote to memory of 2292 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\cpfmqte.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe

"C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {32765D10-93FE-40B9-90FE-AF68A0055532} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\cpfmqte.exe

C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj

Network

N/A

Files

memory/2372-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2372-2-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2372-1-0x0000000000310000-0x000000000036C000-memory.dmp

memory/2372-4-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\cpfmqte.exe

MD5 ebabef3959c0b7659439ffb7c016c32f
SHA1 19ecb760e58c0fa2e8ab878cf08ae520d8d73dde
SHA256 b912a96355a3e86d30a5f242fba7f436f5c32675c26d63d44a236194ac23f549
SHA512 7ec32e6781161611bb34cc7fd5689142f1a58e0cbe52fae0ff217043296bb47c2a7984c8b3997d3720ef3bcf484c7fb80d144e16433aeb26a92985c9ce6b2b1e

memory/2292-7-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2292-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2292-10-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-12 12:11
Reported 2024-11-12 12:14
Platform win10v2004-20241007-en
Max time kernel 95s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\nzlncpi.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\nzlncpi.exe C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe N/A
File created C:\PROGRA~3\Mozilla\tozvehh.dll C:\PROGRA~3\Mozilla\nzlncpi.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\PROGRA~3\Mozilla\nzlncpi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe

"C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe"

C:\PROGRA~3\Mozilla\nzlncpi.exe

C:\PROGRA~3\Mozilla\nzlncpi.exe -juyvuof

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 101.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3004-0-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3004-1-0x00000000020E0000-0x000000000213C000-memory.dmp

memory/3004-2-0x0000000000400000-0x000000000045B000-memory.dmp

C:\ProgramData\Mozilla\nzlncpi.exe

MD5 8785f530a923ce395c1215395746a758
SHA1 dd7a3e77c1a5b66a1cfbcb87c5b6bbd2079c5ede
SHA256 658d8f443bd3ed56696b076dce5ce471dc54cc6031a395a44bc965e9293fb7a8
SHA512 efc2ec8e54a68855f22c32c028c5dc5dcedaca0d5e928054f66bba0943553684531a97fa3e081045b03cd562baab2e3a8469c2b4389d2e97e1f2b8c2d9f515d9

memory/3004-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3004-8-0x00000000020E0000-0x000000000213C000-memory.dmp

memory/5004-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/5004-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/5004-13-0x0000000000400000-0x000000000045B000-memory.dmp