Analysis
max time kernel: 0s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:37
Static task: static1
Behavioral task: behavioral1
  Sample: a748a2c1309b46e221d69642e5ae7e31.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a748a2c1309b46e221d69642e5ae7e31.exe
  Resource: win10v2004-20231215-en
General
Target: a748a2c1309b46e221d69642e5ae7e31.exe
Size: 1.4MB
MD5: a748a2c1309b46e221d69642e5ae7e31
SHA1: 7acd6747949e9609cefc0c44d9130137415e25f4
SHA256: 685879a8ac253907b3eefd0f5b92d3380fb2fa3a6c4d1cc02d42d6591cc10165
SHA512: 80ef2c42cfafaa4aef3713a97bfdf5efc65421169a89dec161cccebf8c0de5ac6b4b7f163c3d57120d6c73795f75642f69f2574948af32f4172af94456aeedf6
SSDEEP: 24576:pW9rFD2q/bOG53IjgOBasSdJgOKd2zRl+CE+CWMMdPWiowTVT1u:8rp1P3s/gJgOKdyR7E+prMs
Malware Config
Signatures
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  15    whatismyip.com
  25    ip-address.domaintools.com
  38    ip-address.domaintools.com
  42    ip-address.domaintools.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTPs, 2 IoCs)
  pid   Process
  1208  reg.exe
  3632  reg.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe"
  PID: 1196
  C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe
    cmdline: "C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe"
    PID: 2364
    C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 2352
      C:\Windows\SysWOW64\reg.exe
        cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        signatures: Modifies registry key
        PID: 3632

C:\Windows\SysWOW64\reg.exe
  cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  signatures: Modifies registry key
  PID: 1208

C:\Windows\SysWOW64\cmd.exe
  cmdline: C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  PID: 2064

C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe
  cmdline: "C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe"
  PID: 1332