d01221ef55749724b3d03b312d71866f1cb4bd2911bc1d40df7e2c8feffa661f

Analysis

max time kernel
183s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.774248e12ac42aa9dd12e974931148e0.exe
Size

119KB
MD5

774248e12ac42aa9dd12e974931148e0
SHA1

cf8c9a430e19292195ff5562649d3e50f3903a10
SHA256

d01221ef55749724b3d03b312d71866f1cb4bd2911bc1d40df7e2c8feffa661f
SHA512

c2f5b2c90085a53dfd75f85674a1963fd740cc2f3bbffc350e9d7d1b190339adde8d899f026e6f012996a57920094865de416ac2e9c94ad977f35b21c663f3b8
SSDEEP

3072:kJeazdGy8oU/64cug1oOnaeEoKTSpaiqdaLtANC3gz:ktQUU/6/jx1paosCQz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1952	urdvxc.exe
4400	urdvxc.exe
3060	urdvxc.exe
2676	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	NEAS.774248e12ac42aa9dd12e974931148e0.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	NEAS.774248e12ac42aa9dd12e974931148e0.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "lhsqjthcrrzjbthz"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "hqwvskbnwtjrzrxk"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3333B95E-C7BD-673E-819B-E6E027F101FC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.774248e12ac42aa9dd12e974931148e0.exe"	NEAS.774248e12ac42aa9dd12e974931148e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3333B95E-C7BD-673E-819B-E6E027F101FC}\LocalServer32	NEAS.774248e12ac42aa9dd12e974931148e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "rjnnreetlrtqench"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3333B95E-C7BD-673E-819B-E6E027F101FC}	NEAS.774248e12ac42aa9dd12e974931148e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3333B95E-C7BD-673E-819B-E6E027F101FC}\ = "jnbjebeswwtzbxkr"	NEAS.774248e12ac42aa9dd12e974931148e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "whtsqzxjetetjttn"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1952	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	92
PID 1004 wrote to memory of 1952	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	92
PID 1004 wrote to memory of 1952	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	92
PID 1004 wrote to memory of 4400	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	93
PID 1004 wrote to memory of 4400	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	93
PID 1004 wrote to memory of 4400	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	93
PID 1004 wrote to memory of 2676	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	95
PID 1004 wrote to memory of 2676	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	95
PID 1004 wrote to memory of 2676	1004	NEAS.774248e12ac42aa9dd12e974931148e0.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.774248e12ac42aa9dd12e974931148e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.774248e12ac42aa9dd12e974931148e0.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:4400
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\NEAS.774248e12ac42aa9dd12e974931148e0.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2676

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
774248e12ac42aa9dd12e974931148e0

SHA1
cf8c9a430e19292195ff5562649d3e50f3903a10

SHA256
d01221ef55749724b3d03b312d71866f1cb4bd2911bc1d40df7e2c8feffa661f

SHA512
c2f5b2c90085a53dfd75f85674a1963fd740cc2f3bbffc350e9d7d1b190339adde8d899f026e6f012996a57920094865de416ac2e9c94ad977f35b21c663f3b8

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
774248e12ac42aa9dd12e974931148e0

SHA1
cf8c9a430e19292195ff5562649d3e50f3903a10

SHA256
d01221ef55749724b3d03b312d71866f1cb4bd2911bc1d40df7e2c8feffa661f

SHA512
c2f5b2c90085a53dfd75f85674a1963fd740cc2f3bbffc350e9d7d1b190339adde8d899f026e6f012996a57920094865de416ac2e9c94ad977f35b21c663f3b8

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
774248e12ac42aa9dd12e974931148e0

SHA1
cf8c9a430e19292195ff5562649d3e50f3903a10

SHA256
d01221ef55749724b3d03b312d71866f1cb4bd2911bc1d40df7e2c8feffa661f

SHA512
c2f5b2c90085a53dfd75f85674a1963fd740cc2f3bbffc350e9d7d1b190339adde8d899f026e6f012996a57920094865de416ac2e9c94ad977f35b21c663f3b8

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
774248e12ac42aa9dd12e974931148e0

SHA1
cf8c9a430e19292195ff5562649d3e50f3903a10

SHA256
d01221ef55749724b3d03b312d71866f1cb4bd2911bc1d40df7e2c8feffa661f

SHA512
c2f5b2c90085a53dfd75f85674a1963fd740cc2f3bbffc350e9d7d1b190339adde8d899f026e6f012996a57920094865de416ac2e9c94ad977f35b21c663f3b8

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
119KB

MD5
774248e12ac42aa9dd12e974931148e0

SHA1
cf8c9a430e19292195ff5562649d3e50f3903a10

SHA256
d01221ef55749724b3d03b312d71866f1cb4bd2911bc1d40df7e2c8feffa661f

SHA512
c2f5b2c90085a53dfd75f85674a1963fd740cc2f3bbffc350e9d7d1b190339adde8d899f026e6f012996a57920094865de416ac2e9c94ad977f35b21c663f3b8

Download Submit
memory/1004-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1004-2-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1004-13-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1004-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1952-7-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1952-8-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2676-16-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/2676-14-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/3060-44-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-50-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-18-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-22-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-23-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-24-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-25-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-26-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-27-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-28-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-29-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-30-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-31-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-32-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-33-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-34-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-35-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-36-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-37-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-38-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-39-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-40-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-41-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-42-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-43-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-15-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-45-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-46-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-47-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-48-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-49-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-17-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-51-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-52-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-53-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-54-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-55-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-56-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-57-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-58-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-59-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-60-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-61-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-62-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-63-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-64-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-65-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-66-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-67-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-68-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-69-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-70-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-71-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-72-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-73-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-74-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-75-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-76-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-77-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-78-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-79-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3060-80-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4400-10-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download