61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d

Analysis

max time kernel
159s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 18:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bf893707505ba989b6616fbc05343760.exe
Size

66KB
MD5

bf893707505ba989b6616fbc05343760
SHA1

9a5c99654686170f5d2bd0a7ddc06219eaac44bd
SHA256

61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d
SHA512

e94bcabd9d6432be0c3de82053b9292f114500bd1d7c1a782ef1a7950af11d154e86224b96b7036330c05248a83ee3627d65b4cd030fd2febe10dc296ce9eadb
SSDEEP

1536:3UHYo5arwfSJpgGRhS/tveE2pPDRKonsMRa5/UE2UIdgJbm:3UHY7fgGKwDRKQ8aiJbm

Score

8^/10

discovery

Malware Config

Signatures

Contacts a large (548) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Deletes itself 1 IoCs

pid	Process
5100	urdvxc.exe

Executes dropped EXE 5 IoCs

pid	Process
4288	urdvxc.exe
1408	urdvxc.exe
4860	urdvxc.exe
5100	urdvxc.exe
3800	urdvxc.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	NEAS.bf893707505ba989b6616fbc05343760.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	NEAS.bf893707505ba989b6616fbc05343760.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\qrhljwvn.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\ExpandUse.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bklnbknw.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\njqrsbcq.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	urdvxc.exe
File opened for modification	C:\Program Files\ExpandUse.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\jtlnctqk.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\RELEASE-NOTES.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\tsbknceh.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\sekbhrbe.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\rvhrjtnt.exe	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	urdvxc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	urdvxc.exe

Modifies registry class 61 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "rtejelhxxeewekne"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\bklnbknw.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "shzsztwwenbhrlet"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\jre\\sekbhrbe.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\db\\qrhljwvn.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "thlsrkcncqjjsjbl"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\ = "bwqbkvkjllcklqws"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "selnwbkrlblesrkk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}\ = "bsnexktrswxrtbxb"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\\njqrsbcq.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\Office16\\PersonaSpy\\tsbknceh.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{242BB339-8764-BD7C-9CAF-453E345EC3D3}	NEAS.bf893707505ba989b6616fbc05343760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{242BB339-8764-BD7C-9CAF-453E345EC3D3}\ = "wnettjsvcerllrts"	NEAS.bf893707505ba989b6616fbc05343760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\ = "lzqntrcztrtztebn"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}\ = "kbvhslhrbeszbhcn"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7774BDCB-BC2A-526E-C798-34FA771E21D1}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "hwebhlxwenkkqtjb"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\ = "rxejjktjhhnetnnj"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9E5B2A0-6DA4-8211-3F09-7196AABBE564}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{242BB339-8764-BD7C-9CAF-453E345EC3D3}\LocalServer32	NEAS.bf893707505ba989b6616fbc05343760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "sjqbkkkcchwkvblk"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\\nsstljje.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{242BB339-8764-BD7C-9CAF-453E345EC3D3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.bf893707505ba989b6616fbc05343760.exe"	NEAS.bf893707505ba989b6616fbc05343760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\ = "ljsscbjxcntbkzrh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\LocalServer32\ = "C:\\Program Files\\Java\\jdk1.8.0_66\\lib\\missioncontrol\\features\\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\\nsstljje.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB4470BE-3A35-A218-C7F6-4398C8694892}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Smart Tag\\1033\\rvhrjtnt.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{17B30228-FEAE-52CE-E831-3379C40FDBE8}\ = "hcssslwkblvjsrxc"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C803653-A26A-88C7-574B-3B28BF06C94C}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "qvslcrhsnrxkkehk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E88A8DA-6487-F103-FFE5-C2B0648486DC}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CA91ECD-564C-3E29-5336-C066EB2FABF6}\LocalServer32\ = "C:\\Program Files\\Java\\jre1.8.0_66\\jtlnctqk.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58F22A6B-E9C1-CE13-9AB2-6E6A8B42D5FD}\ = "jbsqrxkslsthjxnt"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4288	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	82
PID 4788 wrote to memory of 4288	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	82
PID 4788 wrote to memory of 4288	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	82
PID 4788 wrote to memory of 1408	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	83
PID 4788 wrote to memory of 1408	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	83
PID 4788 wrote to memory of 1408	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	83
PID 4788 wrote to memory of 5100	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	86
PID 4788 wrote to memory of 5100	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	86
PID 4788 wrote to memory of 5100	4788	NEAS.bf893707505ba989b6616fbc05343760.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.bf893707505ba989b6616fbc05343760.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bf893707505ba989b6616fbc05343760.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1408
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\NEAS.bf893707505ba989b6616fbc05343760.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  PID:5100

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:4860

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html

Filesize
1012B

MD5
661986eb37cc9cfc2f17614e81d71a6d

SHA1
6f5a8828691bfabda2656ba5435c39db61933cba

SHA256
5edb9dd67373164b6d5297e4fad9846c712451a74f8a8a965c39c61c19646a03

SHA512
11da83092eebe57cc2493d37f480bf706880883a1c4c7af910fe1e2d1fa3c923b7f6cca99d8bfc61255879ef146af94b0925cc07ca53c431b4ef1f24d36e970e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html

Filesize
1KB

MD5
d5c02e93c84d349ba40f77c49514f857

SHA1
0d6a0efe894a2e39e0b8acc3bf48ce64c5e62d8c

SHA256
ff650f7ca6350aef7e6ce9e89499155471d8a663ebb96ad3382241c609b7a1b8

SHA512
67dcff25a19748b4874f095262adca9273809c345671431ed064098ec8130a5910dc6dc54ee2d5969560796ac3a0ff4e27b6de0b6880dca276f708ab7d082edb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html

Filesize
1KB

MD5
7915168e1915f03c8db93427bb9362af

SHA1
9cca121c448a9a38f815653014da4bd9f323596c

SHA256
b9b7298e796bee7942b808d120c1da2f40508b719d0f57c792f6898963036ae7

SHA512
fbae43dc5b5c1ececfcde9a92abe7caf8848b8a3d2d3a2663490bec65afbfcd0ecd2e6059e34fdc3af07c206deb45c9b3e4b85776e87ff7e19d96ee756fe843a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\nsstljje.exe

Filesize
66KB

MD5
e82b341074871c6e9ff0a246ec9b50ab

SHA1
42d193581a683f810cb906df57b14b29955b474c

SHA256
c915356250b7ae4b7677d31b5fca63ea2e4f8543cd361252e77c23fc9600a5fb

SHA512
fd4d7cfd8da5d7965166de869b72669c8013136996535d5a129ca5cb521b3158c704120fe5bb829a82cdd783b203b3bc9784a322a69b17d698a572c19bfe170a

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
bf893707505ba989b6616fbc05343760

SHA1
9a5c99654686170f5d2bd0a7ddc06219eaac44bd

SHA256
61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d

SHA512
e94bcabd9d6432be0c3de82053b9292f114500bd1d7c1a782ef1a7950af11d154e86224b96b7036330c05248a83ee3627d65b4cd030fd2febe10dc296ce9eadb

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
bf893707505ba989b6616fbc05343760

SHA1
9a5c99654686170f5d2bd0a7ddc06219eaac44bd

SHA256
61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d

SHA512
e94bcabd9d6432be0c3de82053b9292f114500bd1d7c1a782ef1a7950af11d154e86224b96b7036330c05248a83ee3627d65b4cd030fd2febe10dc296ce9eadb

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
bf893707505ba989b6616fbc05343760

SHA1
9a5c99654686170f5d2bd0a7ddc06219eaac44bd

SHA256
61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d

SHA512
e94bcabd9d6432be0c3de82053b9292f114500bd1d7c1a782ef1a7950af11d154e86224b96b7036330c05248a83ee3627d65b4cd030fd2febe10dc296ce9eadb

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
bf893707505ba989b6616fbc05343760

SHA1
9a5c99654686170f5d2bd0a7ddc06219eaac44bd

SHA256
61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d

SHA512
e94bcabd9d6432be0c3de82053b9292f114500bd1d7c1a782ef1a7950af11d154e86224b96b7036330c05248a83ee3627d65b4cd030fd2febe10dc296ce9eadb

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
bf893707505ba989b6616fbc05343760

SHA1
9a5c99654686170f5d2bd0a7ddc06219eaac44bd

SHA256
61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d

SHA512
e94bcabd9d6432be0c3de82053b9292f114500bd1d7c1a782ef1a7950af11d154e86224b96b7036330c05248a83ee3627d65b4cd030fd2febe10dc296ce9eadb

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
66KB

MD5
bf893707505ba989b6616fbc05343760

SHA1
9a5c99654686170f5d2bd0a7ddc06219eaac44bd

SHA256
61b44f60b62fd8ef1ab86bf7be9c1ecdcf5230b41e2f5f6b419ab1317ab8642d

SHA512
e94bcabd9d6432be0c3de82053b9292f114500bd1d7c1a782ef1a7950af11d154e86224b96b7036330c05248a83ee3627d65b4cd030fd2febe10dc296ce9eadb

Download Submit
memory/1408-10-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3800-1999-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3800-1824-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4288-8-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4288-7-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4288-6-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4788-1-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4788-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4788-32-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-47-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-57-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-26-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-27-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-28-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-29-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-30-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-24-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-34-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-12-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-23-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-35-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-36-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-37-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-38-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-39-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-40-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-41-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-42-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-43-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-44-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-45-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-46-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-22-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-48-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-49-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-14-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-51-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-52-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-53-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-54-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-55-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-56-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-25-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-58-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-59-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-60-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-61-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-62-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-63-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-64-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-65-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-66-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-67-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-68-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-69-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-70-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-71-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-72-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-73-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-74-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-75-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-76-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-77-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-78-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-79-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-80-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-358-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-1822-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-21-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-20-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-18-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-17-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4860-13-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/5100-50-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/5100-33-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download