76586617f0f0492574ede863dd8b661f0da7ae3342e5d61f6d68dd6d7a37342f

Analysis

max time kernel
140s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uedit32.exe
Size

9.9MB
MD5

fa359bdcc9d06c3efaf3fc2143641a67
SHA1

bee9a5f1ba8292d26e0f7f7a00530f859c928da5
SHA256

75f6958db91edc7745235374848c91ec4f7fbc6d0c9cffb2c3ae223da4e18fc7
SHA512

214b5379865013dc3c7891630a51b6074cd4fb9e66abdd7b5bf0e7c0e668ea1fdadb87a32dafc4a6109a8621c9386fe99a2f1f4bf329bfec709a9e10c9b10ff6
SSDEEP

98304:oEmzkOY7yIBl5Ktq8weyJPNgmR+Q/+icSFu1nH9/WL1YbP0Hk+CGRzOsCND9g4mj:Q4x7975dNgO//A9/WL2KCedj

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uedit32.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Uedit32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.uenc\Content Type = "text/plain"	Uedit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.uenc\OpenWithProgids\UltraEdit.uenc	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc	Uedit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\ = "UltraEdit Encryption File"	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.uenc	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.uenc\OpenWithProgids	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\shell\Open\Command	Uedit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Uedit32.exe\" \"%1\""	Uedit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.uenc\ = "UltraEdit.uenc"	Uedit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.uenc\PerceivedType = "text"	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\shell	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\shell\Print\Command	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\shell\Print	Uedit32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\shell\Open	Uedit32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\UltraEdit.uenc\shell\Print\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Uedit32.exe\" /p \"%1\""	Uedit32.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe
2936	Uedit32.exe

C:\Users\Admin\AppData\Local\Temp\Uedit32.exe
"C:\Users\Admin\AppData\Local\Temp\Uedit32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\IDMComp\UltraEdit\Power User.tb1

Filesize
1KB

MD5
1dc827e82585fc80e5aa7ca52169b56b

SHA1
b046d5890c4f26991f4f69619992aca1b552f3da

SHA256
a750bef57d691b911c285ed1ee14457cb0fc0ff9b1f943740636577df8778f1d

SHA512
cdebdce0458431946dfe251157ea51dda038f8b6d03c133d3b841caa6e720f8d5569214baa3c14089e84ce224d3f676b7663bae45e12ad6452b6a906d86d9991

Download Submit
C:\Users\Admin\AppData\Roaming\IDMComp\UltraEdit\Programmer.pb1

Filesize
7KB

MD5
02fcc3d3721bcae650c336544d8063d6

SHA1
9ba8367197f911c2a072c52abd51720c3f3bcd2e

SHA256
783c62838e59482490f24e7dd4c33d5999ce9298f0ab0d4c4178a0c0476d182d

SHA512
31f7441a054b1a1514d2452f6df17a279cfa0a2543cf1bfb0730c08fd08be1b07aaac74f01a089d8aa2e5f7a45e78f4040f2e0312c0d0f155d5477b5d3c0daca

Download Submit
C:\Users\Admin\AppData\Roaming\IDMComp\UltraEdit\TAGLIST.UET

Filesize
48KB

MD5
217107398a96067d4175682052fd353e

SHA1
7a39c88fff3c7b736cfd663f4e4bfd63b072b143

SHA256
5a4fd55068da3c4e8931128f4d5b34be594fde4f2004c227abd619f92fd32a4f

SHA512
b714a42b2c0b6a31f1e33bd7f9c7b3ea8509a1571fa25708163ffc18cbf60d6a40b8e7e71c838854bee65c54e4a57454f28e8c442d5dad444c657a5829860d7a

Download Submit
C:\Users\Admin\AppData\Roaming\IDMComp\UltraEdit\Uedit32.in0

Filesize
69B

MD5
b21754eea00796171df9069cbe4bfff5

SHA1
25b9150462f5e9ac70323737f5c6bc26ec4f6415

SHA256
16fff4f651843e174e73d3cea4cbee4fdbce7cdfa272496da0d09cb1b202f8a1

SHA512
444300f9da69cad4ee43d0ba647dd9d060fbcd9c832e451fb89d65f53a3a10a8525a52cda425dbef95a1734bd2e494f5eab07bc8fa7c2f26721e3bb85d089820

Download Submit
C:\Users\Admin\AppData\Roaming\IDMComp\UltraEdit\Uedit32.mb0

Filesize
23KB

MD5
d78ced07da18c9cd5b53b70e1a1d0ed5

SHA1
5e1a1651330d1945bc7917e152af8c482830b96a

SHA256
198ae610aa39d1414fb9999bb69d011859b33ae14019cae039428ea0f67987e2

SHA512
bef7253c655822898a291feafff5db1bee37a506c11759ef39d709392e76baf6d0a986bb342f2b5ed502784d1f0b51ae959eca1d47bd5ca7258c4faecccf907d

Download Submit
memory/2936-0-0x0000000000400000-0x0000000000E3E000-memory.dmp

Filesize
10.2MB

Download
memory/2936-1-0x0000000002F10000-0x00000000031C7000-memory.dmp

Filesize
2.7MB

Download
memory/2936-338-0x0000000004F70000-0x0000000004F83000-memory.dmp

Filesize
76KB

Download
memory/2936-365-0x0000000068080000-0x0000000068174000-memory.dmp

Filesize
976KB

Download
memory/2936-397-0x0000000000400000-0x0000000000E3E000-memory.dmp

Filesize
10.2MB

Download