e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
Size

104KB
MD5

a50f03c8b86c7eb2aadb0a4d6e4bc614
SHA1

71158ea58e9d79665a2d66d935797dab39810d40
SHA256

e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae
SHA512

bb9087f53e3de729b01e2dc17faf5fe3798bac75682a21b06c38f583224fa4f9a9c8cef319dca77883def855b299f39bbdc6152f8c25897f36a9e5127ed9f39d
SSDEEP

1536:QpLRvx+u+s+HBchhQKNIqpOcQv0sTEFSocloXjLl03F:M5+eiKNZJQv0sTNo3m3F

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	duiedi.exe

Executes dropped EXE 1 IoCs

pid	Process
932	duiedi.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /g"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /h"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /z"	duiedi.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /b"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /i"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /k"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /v"	duiedi.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /j"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /r"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /d"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /q"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /p"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /y"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /c"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /n"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /u"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /m"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /l"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /a"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /a"	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /x"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /w"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /t"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /f"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /s"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /o"	duiedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\duiedi = "C:\\Users\\Admin\\duiedi.exe /e"	duiedi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe
932	duiedi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
932	duiedi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 932	1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe	28
PID 1980 wrote to memory of 932	1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe	28
PID 1980 wrote to memory of 932	1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe	28
PID 1980 wrote to memory of 932	1980	e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe	28

C:\Users\Admin\AppData\Local\Temp\e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe
"C:\Users\Admin\AppData\Local\Temp\e3dc7facef810c9b10dc20b81e8c96a008d13d11a38dafbca1b00d4137fe72ae.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\duiedi.exe
  "C:\Users\Admin\duiedi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\duiedi.exe

Filesize
104KB

MD5
ecdc9fce0764248898983b22a169ec45

SHA1
e5b86273e07dbd0dca694bbdb0d78661b9d63611

SHA256
a46dedcef8ef08b13ee620862661b764b3b57cdbffe1d479461b3b49b827772a

SHA512
9700e3410c27fb0a9d8630a58758134ba100836dc81e08cbf32c959f2b0725905db212655f32d7ba69020a53404a3f09ce37930a5c94d93136a361275fe826d5

Download Submit
C:\Users\Admin\duiedi.exe

Filesize
104KB

MD5
ecdc9fce0764248898983b22a169ec45

SHA1
e5b86273e07dbd0dca694bbdb0d78661b9d63611

SHA256
a46dedcef8ef08b13ee620862661b764b3b57cdbffe1d479461b3b49b827772a

SHA512
9700e3410c27fb0a9d8630a58758134ba100836dc81e08cbf32c959f2b0725905db212655f32d7ba69020a53404a3f09ce37930a5c94d93136a361275fe826d5

Download Submit
\Users\Admin\duiedi.exe

Filesize
104KB

MD5
ecdc9fce0764248898983b22a169ec45

SHA1
e5b86273e07dbd0dca694bbdb0d78661b9d63611

SHA256
a46dedcef8ef08b13ee620862661b764b3b57cdbffe1d479461b3b49b827772a

SHA512
9700e3410c27fb0a9d8630a58758134ba100836dc81e08cbf32c959f2b0725905db212655f32d7ba69020a53404a3f09ce37930a5c94d93136a361275fe826d5

Download Submit
\Users\Admin\duiedi.exe

Filesize
104KB

MD5
ecdc9fce0764248898983b22a169ec45

SHA1
e5b86273e07dbd0dca694bbdb0d78661b9d63611

SHA256
a46dedcef8ef08b13ee620862661b764b3b57cdbffe1d479461b3b49b827772a

SHA512
9700e3410c27fb0a9d8630a58758134ba100836dc81e08cbf32c959f2b0725905db212655f32d7ba69020a53404a3f09ce37930a5c94d93136a361275fe826d5

Download Submit
memory/1980-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download