c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db

General

Target

c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
Size

58KB
MD5

a89fcdcd4476a5ae324656780f3ffa04
SHA1

ddf66abb413827b88cc4adaee6d417aef78a8b9a
SHA256

c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db
SHA512

26fdccd6da6bb7b63a4eee23929e712fc580a426bd04fc921059e60994d240710a71fe1e878c9f6d41651d9a24916af3dc26fe420f6d938eeb498ca93dd754d9
SSDEEP

1536:P0zw4Qr37v8MGo8vLkCE/JUq3mDP3Sxua2EdhRCp+0/C2LZZGZ8E:8JMG/vLkBV3mr3SxusCda2LON

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

urdvxc.exeurdvxc.exeurdvxc.exeurdvxc.exe

pid process

432 urdvxc.exe
3028 urdvxc.exe
4564 urdvxc.exe
3248 urdvxc.exe

pid	process
432	urdvxc.exe
3028	urdvxc.exe
4564	urdvxc.exe
3248	urdvxc.exe

Drops file in System32 directory 3 IoCs

Processes:

c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exeurdvxc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\urdvxc.exe	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Modifies registry class 20 IoCs

Processes:

urdvxc.exeurdvxc.exeurdvxc.exeurdvxc.exec431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "cttrzvnxbllwxsqc"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "tkjbnnttqksvhxnx"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "ezbttzbbntvtjrxk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F5F4724-EC2B-EB1E-0152-CB0D02FFEF9D}	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F5F4724-EC2B-EB1E-0152-CB0D02FFEF9D}\ = "qchhebbskhlbblne"	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F5F4724-EC2B-EB1E-0152-CB0D02FFEF9D}\LocalServer32	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "nrthbktlwtsehvvv"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F5F4724-EC2B-EB1E-0152-CB0D02FFEF9D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe"	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

urdvxc.exe

description pid process

Token: SeDebugPrivilege 432 urdvxc.exe

description	pid	process
Token: SeDebugPrivilege	432	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe

description	pid	process	target process
PID 2724 wrote to memory of 432	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 432	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 432	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 3028	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 3028	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 3028	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 3248	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 3248	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe
PID 2724 wrote to memory of 3248	2724	c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe	urdvxc.exe

C:\Users\Admin\AppData\Local\Temp\c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
"C:\Users\Admin\AppData\Local\Temp\c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3028
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3248

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
58KB

MD5
a89fcdcd4476a5ae324656780f3ffa04

SHA1
ddf66abb413827b88cc4adaee6d417aef78a8b9a

SHA256
c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db

SHA512
26fdccd6da6bb7b63a4eee23929e712fc580a426bd04fc921059e60994d240710a71fe1e878c9f6d41651d9a24916af3dc26fe420f6d938eeb498ca93dd754d9

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
58KB

MD5
a89fcdcd4476a5ae324656780f3ffa04

SHA1
ddf66abb413827b88cc4adaee6d417aef78a8b9a

SHA256
c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db

SHA512
26fdccd6da6bb7b63a4eee23929e712fc580a426bd04fc921059e60994d240710a71fe1e878c9f6d41651d9a24916af3dc26fe420f6d938eeb498ca93dd754d9

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
58KB

MD5
a89fcdcd4476a5ae324656780f3ffa04

SHA1
ddf66abb413827b88cc4adaee6d417aef78a8b9a

SHA256
c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db

SHA512
26fdccd6da6bb7b63a4eee23929e712fc580a426bd04fc921059e60994d240710a71fe1e878c9f6d41651d9a24916af3dc26fe420f6d938eeb498ca93dd754d9

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
58KB

MD5
a89fcdcd4476a5ae324656780f3ffa04

SHA1
ddf66abb413827b88cc4adaee6d417aef78a8b9a

SHA256
c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db

SHA512
26fdccd6da6bb7b63a4eee23929e712fc580a426bd04fc921059e60994d240710a71fe1e878c9f6d41651d9a24916af3dc26fe420f6d938eeb498ca93dd754d9

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
58KB

MD5
a89fcdcd4476a5ae324656780f3ffa04

SHA1
ddf66abb413827b88cc4adaee6d417aef78a8b9a

SHA256
c431926603f4a2dbba0341ccd114da8c46bc94b10f0a2a38e26a50fd4db192db

SHA512
26fdccd6da6bb7b63a4eee23929e712fc580a426bd04fc921059e60994d240710a71fe1e878c9f6d41651d9a24916af3dc26fe420f6d938eeb498ca93dd754d9

Download Submit
memory/432-138-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/432-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/432-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/432-135-0x0000000000000000-mapping.dmp

Download
memory/2724-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2724-134-0x0000000000620000-0x000000000063F000-memory.dmp

Filesize
124KB

Download
memory/2724-133-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3028-144-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3028-140-0x0000000000000000-mapping.dmp

Download
memory/3248-143-0x0000000000000000-mapping.dmp

Download
memory/3248-146-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4564-147-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4564-149-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads