1872055dae40f24c9028016b6eeb52237b16e476195c080fbe2d0b1b88baddfa

General

Target

42b807e15ca29f24bd45af1ef429de60_exe32.exe
Size

66KB
MD5

42b807e15ca29f24bd45af1ef429de60
SHA1

3ea5430f64e3d56a78edbc3b807c8cb91c533918
SHA256

1872055dae40f24c9028016b6eeb52237b16e476195c080fbe2d0b1b88baddfa
SHA512

67b213352013be70a3c64eb05bbe8e35d2ede65c75b0e191eec236ade02d386a872378fdc5a675300878580167067b3995f447d885f2dcba428d42cc1bf90428
SSDEEP

1536:f9L9l0VK6lohDfcurb7b9HcDEF2J6WBxlvDBmfohXmI3pv/QKEyvG:f9LrM2Dk8HcBJ5BxFBY02u9rG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4668	urdvxc.exe
4364	urdvxc.exe
2244	urdvxc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	42b807e15ca29f24bd45af1ef429de60_exe32.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	42b807e15ca29f24bd45af1ef429de60_exe32.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "vehnnlsskjrlkbxw"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{917DA702-9F28-3D05-F6FC-769499E2B641}\ = "nhjbstlsjxkjvkws"	42b807e15ca29f24bd45af1ef429de60_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{917DA702-9F28-3D05-F6FC-769499E2B641}\LocalServer32	42b807e15ca29f24bd45af1ef429de60_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{917DA702-9F28-3D05-F6FC-769499E2B641}	42b807e15ca29f24bd45af1ef429de60_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{917DA702-9F28-3D05-F6FC-769499E2B641}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\42b807e15ca29f24bd45af1ef429de60_exe32.exe"	42b807e15ca29f24bd45af1ef429de60_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "jjkjesjlshtrlqnj"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "skwvkknslesktetq"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4668	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	85
PID 1692 wrote to memory of 4668	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	85
PID 1692 wrote to memory of 4668	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	85
PID 1692 wrote to memory of 4364	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	86
PID 1692 wrote to memory of 4364	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	86
PID 1692 wrote to memory of 4364	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	86
PID 1692 wrote to memory of 2244	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	87
PID 1692 wrote to memory of 2244	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	87
PID 1692 wrote to memory of 2244	1692	42b807e15ca29f24bd45af1ef429de60_exe32.exe	87

C:\Users\Admin\AppData\Local\Temp\42b807e15ca29f24bd45af1ef429de60_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\42b807e15ca29f24bd45af1ef429de60_exe32.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4364
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\42b807e15ca29f24bd45af1ef429de60_exe32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
42b807e15ca29f24bd45af1ef429de60

SHA1
3ea5430f64e3d56a78edbc3b807c8cb91c533918

SHA256
1872055dae40f24c9028016b6eeb52237b16e476195c080fbe2d0b1b88baddfa

SHA512
67b213352013be70a3c64eb05bbe8e35d2ede65c75b0e191eec236ade02d386a872378fdc5a675300878580167067b3995f447d885f2dcba428d42cc1bf90428

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
42b807e15ca29f24bd45af1ef429de60

SHA1
3ea5430f64e3d56a78edbc3b807c8cb91c533918

SHA256
1872055dae40f24c9028016b6eeb52237b16e476195c080fbe2d0b1b88baddfa

SHA512
67b213352013be70a3c64eb05bbe8e35d2ede65c75b0e191eec236ade02d386a872378fdc5a675300878580167067b3995f447d885f2dcba428d42cc1bf90428

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
42b807e15ca29f24bd45af1ef429de60

SHA1
3ea5430f64e3d56a78edbc3b807c8cb91c533918

SHA256
1872055dae40f24c9028016b6eeb52237b16e476195c080fbe2d0b1b88baddfa

SHA512
67b213352013be70a3c64eb05bbe8e35d2ede65c75b0e191eec236ade02d386a872378fdc5a675300878580167067b3995f447d885f2dcba428d42cc1bf90428

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
42b807e15ca29f24bd45af1ef429de60

SHA1
3ea5430f64e3d56a78edbc3b807c8cb91c533918

SHA256
1872055dae40f24c9028016b6eeb52237b16e476195c080fbe2d0b1b88baddfa

SHA512
67b213352013be70a3c64eb05bbe8e35d2ede65c75b0e191eec236ade02d386a872378fdc5a675300878580167067b3995f447d885f2dcba428d42cc1bf90428

Download Submit
memory/1692-1-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1692-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1692-3-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1692-14-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1692-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2244-12-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4364-11-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4364-15-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4668-13-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4668-8-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing