Analysis Overview
SHA256
5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c
Threat Level: Likely malicious
The file 5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c was found to be: Likely malicious.
Malicious Activity Summary
Modifies AppInit DLL entries
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:04
Reported
2024-06-03 22:06
Platform
win7-20240220-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\wrvdfyg.exe | C:\Users\Admin\AppData\Local\Temp\5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\klztrnd.dll | C:\PROGRA~3\Mozilla\wrvdfyg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1408 wrote to memory of 3064 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
| PID 1408 wrote to memory of 3064 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
| PID 1408 wrote to memory of 3064 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
| PID 1408 wrote to memory of 3064 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\wrvdfyg.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c.exe
"C:\Users\Admin\AppData\Local\Temp\5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {9508D4DC-2DFB-44CB-9053-6C191B1774BD} S-1-5-18:NT AUTHORITY\System:Service:
C:\PROGRA~3\Mozilla\wrvdfyg.exe
C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
Network
Files
memory/2360-0-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2360-1-0x00000000002E0000-0x000000000033B000-memory.dmp
memory/2360-8-0x0000000000400000-0x0000000000427000-memory.dmp
C:\PROGRA~3\Mozilla\wrvdfyg.exe
| MD5 | 28da87b320ba11290b805ceaef0f051f |
| SHA1 | 23fb8b60f4c098e2183a09ee39692a791d2e99c6 |
| SHA256 | 70514a0da2bddc7198a5d81e6a472b4e4a8f9147e932b1f90382e11e10f9cedb |
| SHA512 | 1fd1fd687523623c44dda702f075625a65d52d5f7e7ab0a4a70a5b3046362953973473487db5852951ebaa64ea89e6747e1e0c338e85efd743a7f51ee17698e1 |
memory/3064-11-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3064-12-0x0000000000430000-0x000000000048B000-memory.dmp
memory/3064-18-0x0000000000400000-0x0000000000427000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:04
Reported
2024-06-03 22:06
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
158s
Command Line
Signatures
Modifies AppInit DLL entries
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~3\Mozilla\crdkdxb.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Mozilla\crdkdxb.exe | C:\Users\Admin\AppData\Local\Temp\5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c.exe | N/A |
| File created | C:\PROGRA~3\Mozilla\xczzoaa.dll | C:\PROGRA~3\Mozilla\crdkdxb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c.exe
"C:\Users\Admin\AppData\Local\Temp\5ceed17b58d235ae00bca61a9ddd9ddc6e7248b1141e2848eff909ee2765b66c.exe"
C:\PROGRA~3\Mozilla\crdkdxb.exe
C:\PROGRA~3\Mozilla\crdkdxb.exe -ofessij
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
memory/3176-0-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3176-2-0x0000000002190000-0x00000000021EB000-memory.dmp
C:\ProgramData\Mozilla\crdkdxb.exe
| MD5 | f70c3c1c82e41deaea58035dd498d444 |
| SHA1 | 06c197c43df6130eb53ab1368e9f155440ec9739 |
| SHA256 | cf175e4d5024ba7640fc2591313104b7ad7037afa9a7fe52d3c318be71b7468c |
| SHA512 | 62e903e25970fa37edee9e4d32b3b8c65df870ecf52611fbf2fdf6990fbfd8de071d3d65b1c271fe95f73601da896be225f618a342af62a6f7d61a81358bfc87 |
memory/3432-9-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3176-10-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3432-11-0x0000000000C80000-0x0000000000CDB000-memory.dmp
memory/3432-17-0x0000000000400000-0x0000000000427000-memory.dmp