592f7701d364ca150b3d0c0f06f4a941192f55cedd8b78742402ab59de74657c

Analysis

max time kernel
222s
max time network
242s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 13:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.04464bef3746a42aeeb9780332e9e100.exe
Size

119KB
MD5

04464bef3746a42aeeb9780332e9e100
SHA1

3d78e3332c3a3c98c082be1df3be5e06559bf942
SHA256

592f7701d364ca150b3d0c0f06f4a941192f55cedd8b78742402ab59de74657c
SHA512

a92010d44476d2aa45500b102581dcc0c6473860c39c96997312411db5967569fee975046c72a3baee717551248abb39d0b9c911e3bb92acc7aaf2494a27dbe3
SSDEEP

1536:tgBwGMYt44Ot6nXVNd/ky2qlmGaRA0o+61hm7sz2tB8VvUKL76JfKRR/kSbUySca:tg3MY64OwXVoI71+ywa2IJxGCRRkyJg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	urdvxc.exe

Executes dropped EXE 4 IoCs

pid	Process
4460	urdvxc.exe
924	urdvxc.exe
2840	urdvxc.exe
2660	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	NEAS.04464bef3746a42aeeb9780332e9e100.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	NEAS.04464bef3746a42aeeb9780332e9e100.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ComparePop.html	urdvxc.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{292FEFAB-7006-774C-C689-917EBFC9C573}\ = "vvqljjtblzxhextc"	NEAS.04464bef3746a42aeeb9780332e9e100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "twsbwltsznlbrteq"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{292FEFAB-7006-774C-C689-917EBFC9C573}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.04464bef3746a42aeeb9780332e9e100.exe"	NEAS.04464bef3746a42aeeb9780332e9e100.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "cxbkbrcrbqzhxrnh"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{292FEFAB-7006-774C-C689-917EBFC9C573}	NEAS.04464bef3746a42aeeb9780332e9e100.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "zzrtejhnkhkhrkrb"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{292FEFAB-7006-774C-C689-917EBFC9C573}\LocalServer32	NEAS.04464bef3746a42aeeb9780332e9e100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "sqhnjtlxlvqrnjrv"	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4460	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	88
PID 2128 wrote to memory of 4460	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	88
PID 2128 wrote to memory of 4460	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	88
PID 2128 wrote to memory of 924	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	89
PID 2128 wrote to memory of 924	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	89
PID 2128 wrote to memory of 924	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	89
PID 2128 wrote to memory of 2660	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	94
PID 2128 wrote to memory of 2660	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	94
PID 2128 wrote to memory of 2660	2128	NEAS.04464bef3746a42aeeb9780332e9e100.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.04464bef3746a42aeeb9780332e9e100.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.04464bef3746a42aeeb9780332e9e100.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4460
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:924
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\NEAS.04464bef3746a42aeeb9780332e9e100.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  PID:2660

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
04464bef3746a42aeeb9780332e9e100

SHA1
3d78e3332c3a3c98c082be1df3be5e06559bf942

SHA256
592f7701d364ca150b3d0c0f06f4a941192f55cedd8b78742402ab59de74657c

SHA512
a92010d44476d2aa45500b102581dcc0c6473860c39c96997312411db5967569fee975046c72a3baee717551248abb39d0b9c911e3bb92acc7aaf2494a27dbe3

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
04464bef3746a42aeeb9780332e9e100

SHA1
3d78e3332c3a3c98c082be1df3be5e06559bf942

SHA256
592f7701d364ca150b3d0c0f06f4a941192f55cedd8b78742402ab59de74657c

SHA512
a92010d44476d2aa45500b102581dcc0c6473860c39c96997312411db5967569fee975046c72a3baee717551248abb39d0b9c911e3bb92acc7aaf2494a27dbe3

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
04464bef3746a42aeeb9780332e9e100

SHA1
3d78e3332c3a3c98c082be1df3be5e06559bf942

SHA256
592f7701d364ca150b3d0c0f06f4a941192f55cedd8b78742402ab59de74657c

SHA512
a92010d44476d2aa45500b102581dcc0c6473860c39c96997312411db5967569fee975046c72a3baee717551248abb39d0b9c911e3bb92acc7aaf2494a27dbe3

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
04464bef3746a42aeeb9780332e9e100

SHA1
3d78e3332c3a3c98c082be1df3be5e06559bf942

SHA256
592f7701d364ca150b3d0c0f06f4a941192f55cedd8b78742402ab59de74657c

SHA512
a92010d44476d2aa45500b102581dcc0c6473860c39c96997312411db5967569fee975046c72a3baee717551248abb39d0b9c911e3bb92acc7aaf2494a27dbe3

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
04464bef3746a42aeeb9780332e9e100

SHA1
3d78e3332c3a3c98c082be1df3be5e06559bf942

SHA256
592f7701d364ca150b3d0c0f06f4a941192f55cedd8b78742402ab59de74657c

SHA512
a92010d44476d2aa45500b102581dcc0c6473860c39c96997312411db5967569fee975046c72a3baee717551248abb39d0b9c911e3bb92acc7aaf2494a27dbe3

Download Submit
memory/924-10-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/924-13-0x00000000001D0000-0x00000000001EF000-memory.dmp

Filesize
124KB

Download
memory/2128-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-1-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2128-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-37-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2660-38-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/2840-46-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-51-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-21-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-22-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-23-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-24-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-25-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-26-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-28-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-29-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-30-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-31-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-32-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-33-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-34-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-35-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-18-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-15-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-14-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-39-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-40-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-41-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-42-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-43-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-44-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-45-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-12-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-47-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-48-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-49-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-50-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-20-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-52-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-53-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-54-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-55-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-56-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-57-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-58-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-59-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-60-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-61-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-62-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-63-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-64-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-65-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-66-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-67-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-68-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-69-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-70-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-71-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-72-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-73-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-74-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-75-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-76-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-77-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-78-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-79-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-80-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2840-280-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4460-7-0x0000000000510000-0x000000000052F000-memory.dmp

Filesize
124KB

Download
memory/4460-8-0x0000000000510000-0x000000000052F000-memory.dmp

Filesize
124KB

Download