8df14fd2417c7e5b764f3adb4ff29b64bd3161fbdbc914232da4dfab8f08247f

Analysis

max time kernel
20s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fda39f3dfc7b5b40b03376dc1f46105.exe
Size

62KB
MD5

1fda39f3dfc7b5b40b03376dc1f46105
SHA1

abeb3f841e1868daa1ad372e7bd9f57055cf8be1
SHA256

8df14fd2417c7e5b764f3adb4ff29b64bd3161fbdbc914232da4dfab8f08247f
SHA512

0925ae4443e4838a8bbe39996f1db6abe821c0ea001f10930b771acb426a0a8e18f4ce6231fbdfa29cfe9676a85355b217e3328c7034677a1cabc944b7ecf4a1
SSDEEP

768:4NAj+BynOHlkcjhCxHNp6GEF1pfnb3VqFt4L8UgiAuUZbnqjuIYjs9rb1qGTue+L:4No4juK/EmL8R3Z2juIOs9PCmjbVY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4848	urdvxc.exe

Executes dropped EXE 4 IoCs

pid	Process
4880	urdvxc.exe
1908	urdvxc.exe
2876	urdvxc.exe
4848	urdvxc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urdvxc.exe	urdvxc.exe
File created	C:\Windows\SysWOW64\urdvxc.exe	1fda39f3dfc7b5b40b03376dc1f46105.exe
File opened for modification	C:\Windows\SysWOW64\urdvxc.exe	1fda39f3dfc7b5b40b03376dc1f46105.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "nqkrntlwlkxjlshs"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "tzlttrhzvtbrhqsr"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "tjnwehhtqlljcqet"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB9597A4-CC3F-9377-6978-622C0B970B6F}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1fda39f3dfc7b5b40b03376dc1f46105.exe"	1fda39f3dfc7b5b40b03376dc1f46105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB9597A4-CC3F-9377-6978-622C0B970B6F}\LocalServer32	1fda39f3dfc7b5b40b03376dc1f46105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB9597A4-CC3F-9377-6978-622C0B970B6F}	1fda39f3dfc7b5b40b03376dc1f46105.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\LocalServer32\ = "C:\\Windows\\SysWOW64\\urdvxc.exe"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66E9A00C-64D1-4956-05AE-619DF5D22A84}\ = "setscktsltqeehsh"	urdvxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB9597A4-CC3F-9377-6978-622C0B970B6F}\ = "rsjjkxjjlbbecstw"	1fda39f3dfc7b5b40b03376dc1f46105.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	urdvxc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4880	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	92
PID 3796 wrote to memory of 4880	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	92
PID 3796 wrote to memory of 4880	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	92
PID 3796 wrote to memory of 1908	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	94
PID 3796 wrote to memory of 1908	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	94
PID 3796 wrote to memory of 1908	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	94
PID 3796 wrote to memory of 4848	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	95
PID 3796 wrote to memory of 4848	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	95
PID 3796 wrote to memory of 4848	3796	1fda39f3dfc7b5b40b03376dc1f46105.exe	95

C:\Users\Admin\AppData\Local\Temp\1fda39f3dfc7b5b40b03376dc1f46105.exe
"C:\Users\Admin\AppData\Local\Temp\1fda39f3dfc7b5b40b03376dc1f46105.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /installservice
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /start
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1908
- C:\Windows\SysWOW64\urdvxc.exe
  C:\Windows\system32\urdvxc.exe /uninstallservice patch:C:\Users\Admin\AppData\Local\Temp\1fda39f3dfc7b5b40b03376dc1f46105.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  PID:4848

C:\Windows\SysWOW64\urdvxc.exe
"C:\Windows\SysWOW64\urdvxc.exe" /service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urdvxc.exe

Filesize
13KB

MD5
5f3eea239aae479901f354258af251c4

SHA1
06523633808241a34817105b5af54ab46373c62c

SHA256
9940ceccf4eee8ea74faa34e2a7e52653413820dff1f8879e19bf6ea70bcac86

SHA512
97e379ec6c6ac991631e2bfeed76ea630b82200ae940bea053ef55134c543fbfb6ffab6d8aacd36bfec27efa5f6919cb8b8efc7fce982812b0f8649f4cac3b51

Download Submit
C:\Windows\SysWOW64\urdvxc.exe

Filesize
62KB

MD5
1fda39f3dfc7b5b40b03376dc1f46105

SHA1
abeb3f841e1868daa1ad372e7bd9f57055cf8be1

SHA256
8df14fd2417c7e5b764f3adb4ff29b64bd3161fbdbc914232da4dfab8f08247f

SHA512
0925ae4443e4838a8bbe39996f1db6abe821c0ea001f10930b771acb426a0a8e18f4ce6231fbdfa29cfe9676a85355b217e3328c7034677a1cabc944b7ecf4a1

Download Submit
memory/1908-13-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/1908-10-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/2876-61-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-24-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-19-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-21-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-22-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-66-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-23-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-26-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-27-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-29-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-67-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-32-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-33-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-1154-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-14-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-17-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-40-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-41-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-42-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-44-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-45-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-46-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-48-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-49-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-50-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-51-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-52-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-54-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-55-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-64-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-58-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-60-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-12-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-63-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-57-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-15-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-30-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-69-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-70-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-71-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-73-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-74-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-76-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-77-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-75-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-79-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-80-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-78-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-72-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-68-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-65-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-62-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-59-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-56-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-53-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-47-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-43-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-38-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-25-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-35-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-34-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-31-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2876-28-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/3796-37-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3796-1-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/3796-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4848-39-0x00000000001C0000-0x00000000001DF000-memory.dmp

Filesize
124KB

Download
memory/4880-7-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4880-8-0x00000000001E0000-0x00000000001FF000-memory.dmp

Filesize
124KB

Download
memory/4880-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download