e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e

General

Target

e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
Size

63KB
MD5

0c2824fe95a61e60da4746688b72c78a
SHA1

a68f8417c57cf9aba86e088b8c856edf88d27bdc
SHA256

e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e
SHA512

77a9e3ebd149317844c190d6b747708027aa5dcd6f46e4d6b7b2824fde5eb671582d57de981f4645d703a63da2bcc2fc02a4a38b2f2c413d6e2180f7cddde71d
SSDEEP

1536:mxjWEgAVEHUKjtJnW22PpNLNSbPQpZZXzyuVMz+iEJlfxHc2MwNa:mGAVEHUKpJn7wrLIbPyf7VMGJlfxHc28

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4940	urdvxc.exe
4844	urdvxc.exe
5096	urdvxc.exe
3464	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EEB94B1-76A7-9B4B-62AD-D754A75A607E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe"	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "ktvlrxhwvbllqbqs"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "kvhthstvecvkjrvw"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EEB94B1-76A7-9B4B-62AD-D754A75A607E}\ = "qlcrklebsbtezjxx"	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "trqtelslhebkbljb"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EEB94B1-76A7-9B4B-62AD-D754A75A607E}	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EEB94B1-76A7-9B4B-62AD-D754A75A607E}\LocalServer32	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "qjhsvxrvllhhsnex"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4940	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	38
PID 3952 wrote to memory of 4940	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	38
PID 3952 wrote to memory of 4940	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	38
PID 3952 wrote to memory of 4844	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	56
PID 3952 wrote to memory of 4844	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	56
PID 3952 wrote to memory of 4844	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	56
PID 3952 wrote to memory of 3464	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	75
PID 3952 wrote to memory of 3464	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	75
PID 3952 wrote to memory of 3464	3952	e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe	75

C:\Users\Admin\AppData\Local\Temp\e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
"C:\Users\Admin\AppData\Local\Temp\e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4844
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\e1dd79580c6fc141e0f8c6fdc6194ceb09e30cefeac88e89cdfc7362d698ef4e.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3464

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
38KB

MD5
d29587dd37764b78b76ef0af188b42ea

SHA1
9f2427eab28d6ff7cd423f98889e06a9d36c31b1

SHA256
d905d164e486d03d25cd66c7d3fde2e4b7929289307d906520a1b644cea7f9bb

SHA512
fe80f455d1a3569a4881ec0f29ced2c9f26394eaeeca1041c29cdea5d9b83503e0e766f649742a3ad2193ce5a5094b1182c150d4cef93f6dd755f5991d19a933

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
12KB

MD5
cc64106a025971fbeac3dd285fa8b758

SHA1
ef55bc6634f55da6b83d7804fa57075c5d682e1e

SHA256
e4d4944b743f77e3cb93752ec9459102a4bc0cd591e8536663bc4add731904b2

SHA512
1b83a4148edd5c95a0c43167c4c0c88899d13db0b4b515ab5c2765d7c787f7719f80f27577096729d2519be496fdb6373b2d6039a37676d517cb1a1a912910f8

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
38KB

MD5
23b7058b23b70609d460c9d7155537e6

SHA1
f14b5232420ed45ed3c81e22b4b96586d94328cc

SHA256
1e70e8cd9337c4279a208ca75a9e32399f4ba09099a6ceb53130f5cd0fd1fc58

SHA512
735e6e1a683c54b6d99681304f8c929a3ef4f9e9fd23166b82cf0944b583b763ad15c43533378ea54f6dbae7a77a426f1dfe44751368621524ba11d7f190d145

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
45KB

MD5
c7e495f3b4af7faacea8913182a911b1

SHA1
0647d2e81647e3f4006d853e5cf205acd5345624

SHA256
06a1357f9c7fe06699aacdc8f86c6ff97524203548d87e6131807215c68ab382

SHA512
c383301ce48ecbef9071f4f36a8c6fd57fff30b2f0d8192e65aa2cc1de0f009ba0ca46464f1573a3a241031703d82dea22ec40291de806c71d876414cd807621

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
55KB

MD5
9653ec2b365aa480867e9f7db8e93068

SHA1
0267f849142d9d9ae6a1346d6b03a2873f01b951

SHA256
92ba02b479d3c12d882ac0b30218b8d74efaff31be5dcb3fe394117f7e85fbfa

SHA512
f64a64da8e3f23b158811ae741cf60c5093fe7832a0238a49ad79c884cbb668120861ca9fd8eed380239bf9fa2376c7e4ca103d351ca2228a2064ae3c20f7c91

Download Submit
memory/3464-145-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3952-132-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3952-133-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4844-141-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/4940-137-0x0000000000610000-0x000000000062F000-memory.dmp

Filesize
124KB

Download
memory/5096-142-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/5096-146-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing