Analysis
max time kernel
0s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted
07/01/2024, 19:37
Static task
static1
Behavioral task
behavioral1
Sample
a748a2c1309b46e221d69642e5ae7e31.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a748a2c1309b46e221d69642e5ae7e31.exe
Resource
win10v2004-20231215-en
General
Target
a748a2c1309b46e221d69642e5ae7e31.exe
Size
1.4MB
MD5
a748a2c1309b46e221d69642e5ae7e31
SHA1
7acd6747949e9609cefc0c44d9130137415e25f4
SHA256
685879a8ac253907b3eefd0f5b92d3380fb2fa3a6c4d1cc02d42d6591cc10165
SHA512
80ef2c42cfafaa4aef3713a97bfdf5efc65421169a89dec161cccebf8c0de5ac6b4b7f163c3d57120d6c73795f75642f69f2574948af32f4172af94456aeedf6
SSDEEP
24576:pW9rFD2q/bOG53IjgOBasSdJgOKd2zRl+CE+CWMMdPWiowTVT1u:8rp1P3s/gJgOKdyR7E+prMs
Malware Config
Signatures
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
13 ip-address.domaintools.com
14 ip-address.domaintools.com
18 ip-address.domaintools.com
19 ip-address.domaintools.com
5 whatismyip.com
11 ip-address.domaintools.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTPs, 2 IoCs)
pid Process
2452 reg.exe
876 reg.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe
"C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe"
PID:1044
  C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe
  "C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe"
  PID:1712
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modifies registry key
PID:2452
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
PID:2820
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Modifies registry key
PID:876
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
PID:600
C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe
"C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe"
PID:2676