Analysis Overview
SHA256
b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e
Threat Level: Likely malicious
The file b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe was found to be: Likely malicious.
Malicious Activity Summary
Event Triggered Execution: AppInit DLLs
Executes dropped EXE
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 12:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 12:11
Reported
2024-11-12 12:14
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Signatures
Event Triggered Execution: AppInit DLLs
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\cpfmqte.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\cpfmqte.exe | C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\zbgopeh.dll | C:\PROGRA~3\Mozilla\cpfmqte.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~3\Mozilla\cpfmqte.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe | N/A |
| N/A | N/A | C:\PROGRA~3\Mozilla\cpfmqte.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 2292 (reported 4 times) | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\cpfmqte.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
"C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {32765D10-93FE-40B9-90FE-AF68A0055532} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\cpfmqte.exe
C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj
Network
(no network activity recorded in this run)
Files
memory/2372-0-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2372-2-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2372-1-0x0000000000310000-0x000000000036C000-memory.dmp
memory/2372-4-0x0000000000400000-0x000000000045B000-memory.dmp
C:\PROGRA~3\Mozilla\cpfmqte.exe
| MD5 | ebabef3959c0b7659439ffb7c016c32f |
| SHA1 | 19ecb760e58c0fa2e8ab878cf08ae520d8d73dde |
| SHA256 | b912a96355a3e86d30a5f242fba7f436f5c32675c26d63d44a236194ac23f549 |
| SHA512 | 7ec32e6781161611bb34cc7fd5689142f1a58e0cbe52fae0ff217043296bb47c2a7984c8b3997d3720ef3bcf484c7fb80d144e16433aeb26a92985c9ce6b2b1e |
memory/2292-7-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2292-8-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2292-10-0x0000000000400000-0x000000000045B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 12:11
Reported
2024-11-12 12:14
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
135s
Signatures
Event Triggered Execution: AppInit DLLs
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\nzlncpi.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\nzlncpi.exe | C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\tozvehh.dll | C:\PROGRA~3\Mozilla\nzlncpi.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\PROGRA~3\Mozilla\nzlncpi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
"C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe"
C:\PROGRA~3\Mozilla\nzlncpi.exe
C:\PROGRA~3\Mozilla\nzlncpi.exe -juyvuof
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/3004-0-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3004-1-0x00000000020E0000-0x000000000213C000-memory.dmp
memory/3004-2-0x0000000000400000-0x000000000045B000-memory.dmp
C:\ProgramData\Mozilla\nzlncpi.exe
| MD5 | 8785f530a923ce395c1215395746a758 |
| SHA1 | dd7a3e77c1a5b66a1cfbcb87c5b6bbd2079c5ede |
| SHA256 | 658d8f443bd3ed56696b076dce5ce471dc54cc6031a395a44bc965e9293fb7a8 |
| SHA512 | efc2ec8e54a68855f22c32c028c5dc5dcedaca0d5e928054f66bba0943553684531a97fa3e081045b03cd562baab2e3a8469c2b4389d2e97e1f2b8c2d9f515d9 |
memory/3004-6-0x0000000000400000-0x000000000045B000-memory.dmp
memory/3004-8-0x00000000020E0000-0x000000000213C000-memory.dmp
memory/5004-9-0x0000000000400000-0x000000000045B000-memory.dmp
memory/5004-10-0x0000000000400000-0x000000000045B000-memory.dmp
memory/5004-13-0x0000000000400000-0x000000000045B000-memory.dmp
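Triage helpers for the two runs above, as an added example that is not part of the sandbox report. It encodes what the report actually supports: PROGRA~3 is the 8.3 short name for C:\ProgramData on a default install (the Files section spells the drop out as C:\ProgramData\Mozilla\nzlncpi.exe), so despite the signature name nothing was written to Program Files; the dropped EXE and DLL carry random seven-letter names and are started with a random single-dash switch, once via a scheduled task under SYSTEM (the taskeng.exe line in the behavioral1 process tree); the only network activity is PTR (reverse DNS) queries to 8.8.8.8, so the addresses recovered from them are what the guest looked up, not confirmed connections; and the three SHA256 values on the page (original plus two drops) differ although each maps to the same 0x400000-0x45B000 image, so hunt on path shape and behaviour rather than hash. The AppInit DLLs signature fired without a registry indicator on the page, so on a live host read HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (and the Wow6432Node copy) and LoadAppInit_DLLs yourself. The 8.3 mapping, the loosened name length and the Sysmon-style SAMPLE_EVENTS are assumptions constructed here, not sandbox output.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators copied from the report; everything below them is added here.
DROPPED_SHA256 = {
    "cpfmqte.exe": "b912a96355a3e86d30a5f242fba7f436f5c32675c26d63d44a236194ac23f549",
    "nzlncpi.exe": "658d8f443bd3ed56696b076dce5ce471dc54cc6031a395a44bc965e9293fb7a8",
}
REPORT_PTR_QUERIES = [
    "58.55.71.13.in-addr.arpa", "101.210.23.2.in-addr.arpa",
    "71.159.190.20.in-addr.arpa", "95.221.229.192.in-addr.arpa",
    "56.163.245.4.in-addr.arpa", "101.208.201.84.in-addr.arpa",
    "15.164.165.52.in-addr.arpa", "172.210.232.199.in-addr.arpa",
    "29.243.111.52.in-addr.arpa",
]

# Assumption: 8.3 names as created on a default 64-bit install. Creation order
# can differ, so confirm on the host with `dir /x C:\` before relying on it.
SHORT_NAMES = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

# Four seven-letter lowercase names were observed (cpfmqte, zbgopeh, nzlncpi,
# tozvehh); the length range is loosened slightly so the rule survives drift.
_RANDOM_NAME = re.compile(r"^C:\\ProgramData\\Mozilla\\[a-z]{5,9}\.(exe|dll)$", re.I)
# Launch switches seen: -lecvesj and -juyvuof (dash plus random letters).
_RANDOM_SWITCH = re.compile(r"\s-[a-z]{5,9}\s*$")


def expand_short_path(path: str) -> str:
    """Replace known 8.3 components so short and long paths compare equal."""
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in path.split("\\"))


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-DNS query name back into the IPv4 address that was looked up."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_dropped_payload_path(path: str) -> bool:
    """True for a random-named EXE/DLL directly under C:\\ProgramData\\Mozilla."""
    return bool(_RANDOM_NAME.match(expand_short_path(path)))


def triage_events(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Apply the two report-derived rules to Sysmon-style dicts; return the hits."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            image = ev["Image"]
            if is_dropped_payload_path(image) and _RANDOM_SWITCH.search(ev["CommandLine"]):
                parent = expand_short_path(ev.get("ParentImage", "")).lower()
                how = "scheduled task" if parent.endswith("\\taskeng.exe") else "unknown parent"
                hits.append(("dropped_exe_launch", image, how))
        elif ev["EventID"] == 11:  # file creation
            if is_dropped_payload_path(ev["TargetFilename"]):
                hits.append(("dropped_payload_written", ev["TargetFilename"], ev["Image"]))
    return hits


# Constructed sample events mirroring the behavioral1 process tree, plus two
# benign look-alikes (a real Firefox binary, and a file Firefox itself keeps
# under ProgramData\Mozilla) that the rules must not flag.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\PROGRA~3\Mozilla\cpfmqte.exe",
     "CommandLine": r"C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj",
     "ParentImage": r"C:\Windows\system32\taskeng.exe"},
    {"EventID": 11, "Image": r"C:\PROGRA~3\Mozilla\cpfmqte.exe",
     "TargetFilename": r"C:\PROGRA~3\Mozilla\zbgopeh.dll"},
    {"EventID": 1, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r"C:\Program Files\Mozilla Firefox\firefox.exe -profile x",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\updater.exe",
     "TargetFilename": r"C:\ProgramData\Mozilla\updates\active-update.xml"},
]


def main() -> None:
    print("addresses the guest reverse-resolved:", [ptr_to_ip(q) for q in REPORT_PTR_QUERIES])
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)


if __name__ == "__main__":
    main()
```

The path rule deliberately keys on the random file name directly under ProgramData\Mozilla rather than on the directory alone, because a Firefox install also creates that directory; the two benign sample events show the distinction.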