ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e

General

Target

ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
Size

224KB
MD5

7a4532067ecc554f4a8fb9d5d3690e58
SHA1

63aece0e58f9c0623e538c93ce9ed746014e9c20
SHA256

ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e
SHA512

748c128de47c17d2df3c037a85b09c78997e7163d318641f21efb951911a37a45db417d4e0933c63c802007573019e95f3bf657f452f877c694371c94f889215
SSDEEP

3072:OvRpGambf7/dnRyLFA0VPZGgIRF6dMnpKCnMo2RsJbJGd9QggbFtJX:OEcPZGbz6dKBLQjd93gvF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fuedit.exe

Executes dropped EXE 1 IoCs

pid	Process
1848	fuedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuedit = "C:\\Users\\Admin\\fuedit.exe /a"	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fuedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuedit = "C:\\Users\\Admin\\fuedit.exe /t"	fuedit.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	fuedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fuedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3068	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
3068	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
1848	fuedit.exe
1848	fuedit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3068	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
1848	fuedit.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1848	3068	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe	84
PID 3068 wrote to memory of 1848	3068	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe	84
PID 3068 wrote to memory of 1848	3068	ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe	84

C:\Users\Admin\AppData\Local\Temp\ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe
"C:\Users\Admin\AppData\Local\Temp\ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\fuedit.exe
  "C:\Users\Admin\fuedit.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fuedit.exe

Filesize
224KB

MD5
7a4532067ecc554f4a8fb9d5d3690e58

SHA1
63aece0e58f9c0623e538c93ce9ed746014e9c20

SHA256
ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e

SHA512
748c128de47c17d2df3c037a85b09c78997e7163d318641f21efb951911a37a45db417d4e0933c63c802007573019e95f3bf657f452f877c694371c94f889215

Download Submit
C:\Users\Admin\fuedit.exe

Filesize
224KB

MD5
7a4532067ecc554f4a8fb9d5d3690e58

SHA1
63aece0e58f9c0623e538c93ce9ed746014e9c20

SHA256
ebc552eaaf6f6624f093191ab86ce3f4d17d5516bc7efc8c4d2e1409ed6f572e

SHA512
748c128de47c17d2df3c037a85b09c78997e7163d318641f21efb951911a37a45db417d4e0933c63c802007573019e95f3bf657f452f877c694371c94f889215

Download Submit
memory/1848-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads