756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309

General

Target

756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
Size

66KB
MD5

09e094c42a038eec129dbfc6676a9700
SHA1

d2a170330298b1a1a3b2e409bcb3d456487d6692
SHA256

756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309
SHA512

d5c9f8369fd926ed8ff4ced59d94ab74bdae906785ecec98501ecebc962bb4d426acb3ccf678cafefb22d9a2e5e670df8d9000bb127df50b5bbcf5a3509bdb07
SSDEEP

1536:LClsM3gYGgG8rDMeVeb5h3dyl0jh6y+5hiF2:LOsM3gY1Nihg0b+5hI2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4428	urdvxc.exe
4400	urdvxc.exe
1592	urdvxc.exe
3572	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\sekbhrbe.exe	urdvxc.exe
File opened for modification	C:\Program Files\ClearSet.mhtml	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\qrhljwvn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	urdvxc.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "xtzlsweljsrxnsrb"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\db\\qrhljwvn.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "qcrtwlnbntlclwch"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\ = "lnqkjwnjresksscc"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "xrtsesjntqtnwsek"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\ = "njvchzkzlkslwwql"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\sekbhrbe.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29CBFA7A-A515-D19D-5F99-6E62910D27E9}\LocalServer32	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29CBFA7A-A515-D19D-5F99-6E62910D27E9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe"	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29CBFA7A-A515-D19D-5F99-6E62910D27E9}\ = "esjssnensrkhqnrj"	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29CBFA7A-A515-D19D-5F99-6E62910D27E9}	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "hbtksbhtesqzwlnz"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 4428	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	82
PID 3624 wrote to memory of 4428	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	82
PID 3624 wrote to memory of 4428	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	82
PID 3624 wrote to memory of 4400	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	83
PID 3624 wrote to memory of 4400	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	83
PID 3624 wrote to memory of 4400	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	83
PID 3624 wrote to memory of 3572	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	85
PID 3624 wrote to memory of 3572	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	85
PID 3624 wrote to memory of 3572	3624	756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe	85

C:\Users\Admin\AppData\Local\Temp\756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
"C:\Users\Admin\AppData\Local\Temp\756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4400
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3572

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
09e094c42a038eec129dbfc6676a9700

SHA1
d2a170330298b1a1a3b2e409bcb3d456487d6692

SHA256
756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309

SHA512
d5c9f8369fd926ed8ff4ced59d94ab74bdae906785ecec98501ecebc962bb4d426acb3ccf678cafefb22d9a2e5e670df8d9000bb127df50b5bbcf5a3509bdb07

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
09e094c42a038eec129dbfc6676a9700

SHA1
d2a170330298b1a1a3b2e409bcb3d456487d6692

SHA256
756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309

SHA512
d5c9f8369fd926ed8ff4ced59d94ab74bdae906785ecec98501ecebc962bb4d426acb3ccf678cafefb22d9a2e5e670df8d9000bb127df50b5bbcf5a3509bdb07

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
09e094c42a038eec129dbfc6676a9700

SHA1
d2a170330298b1a1a3b2e409bcb3d456487d6692

SHA256
756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309

SHA512
d5c9f8369fd926ed8ff4ced59d94ab74bdae906785ecec98501ecebc962bb4d426acb3ccf678cafefb22d9a2e5e670df8d9000bb127df50b5bbcf5a3509bdb07

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
09e094c42a038eec129dbfc6676a9700

SHA1
d2a170330298b1a1a3b2e409bcb3d456487d6692

SHA256
756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309

SHA512
d5c9f8369fd926ed8ff4ced59d94ab74bdae906785ecec98501ecebc962bb4d426acb3ccf678cafefb22d9a2e5e670df8d9000bb127df50b5bbcf5a3509bdb07

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
09e094c42a038eec129dbfc6676a9700

SHA1
d2a170330298b1a1a3b2e409bcb3d456487d6692

SHA256
756410912ae27fa2cb3f93b26fdf34908e38a07fe47098e997bbb3b089af6309

SHA512
d5c9f8369fd926ed8ff4ced59d94ab74bdae906785ecec98501ecebc962bb4d426acb3ccf678cafefb22d9a2e5e670df8d9000bb127df50b5bbcf5a3509bdb07

Download Submit
memory/1592-146-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1592-147-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3572-145-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/3624-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3624-133-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4400-142-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4428-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4428-138-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing