Malware Analysis Report

2025-08-05 17:03

Sample ID 240107-yb2ypadfb4
Target a748a2c1309b46e221d69642e5ae7e31.exe
SHA256 685879a8ac253907b3eefd0f5b92d3380fb2fa3a6c4d1cc02d42d6591cc10165
Tags
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

685879a8ac253907b3eefd0f5b92d3380fb2fa3a6c4d1cc02d42d6591cc10165

Threat Level: Shows suspicious behavior

The file a748a2c1309b46e221d69642e5ae7e31.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary


Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:37

Reported

2024-01-07 19:40

Platform

win7-20231129-en

Max time kernel

0s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-address.domaintools.com N/A N/A
N/A ip-address.domaintools.com N/A N/A
N/A ip-address.domaintools.com N/A N/A
N/A ip-address.domaintools.com N/A N/A
N/A whatismyip.com N/A N/A
N/A ip-address.domaintools.com N/A N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe

"C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe

"C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe"

C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe

"C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyip.com udp
US 172.67.189.152:80 whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.67.189.152:443 www.whatismyip.com tcp
US 172.67.189.152:80 www.whatismyip.com tcp
US 172.67.189.152:443 www.whatismyip.com tcp
US 8.8.8.8:53 ip-address.domaintools.com udp
US 199.30.228.13:80 ip-address.domaintools.com tcp
US 199.30.228.13:443 ip-address.domaintools.com tcp
US 199.30.228.13:443 ip-address.domaintools.com tcp
US 172.67.189.152:443 www.whatismyip.com tcp
US 172.67.189.152:443 www.whatismyip.com tcp
US 199.30.228.13:80 ip-address.domaintools.com tcp
US 199.30.228.13:443 ip-address.domaintools.com tcp
US 199.30.228.13:443 ip-address.domaintools.com tcp

Files

memory/1044-0-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1044-1-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1044-2-0x0000000000340000-0x0000000000380000-memory.dmp

memory/1044-14-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1712-25-0x0000000000A30000-0x0000000000A70000-memory.dmp

memory/2676-40-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/2676-41-0x0000000000080000-0x00000000000C0000-memory.dmp

memory/2676-50-0x0000000000080000-0x00000000000C0000-memory.dmp

memory/1712-53-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-60-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-83-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-103-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-109-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-107-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-105-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-101-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-99-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-97-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-95-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-93-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-91-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-89-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-87-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-85-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-81-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-79-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-76-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-74-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-72-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-70-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-68-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-66-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-64-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-62-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-58-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-56-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/2676-54-0x0000000000080000-0x00000000000C0000-memory.dmp

memory/1712-51-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-812-0x0000000000A30000-0x0000000000A70000-memory.dmp

memory/1712-813-0x0000000000A30000-0x0000000000A70000-memory.dmp

memory/1712-48-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-46-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-44-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/2676-43-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1712-42-0x00000000050C0000-0x0000000005144000-memory.dmp

memory/1712-27-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1712-24-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1712-816-0x0000000000A30000-0x0000000000A70000-memory.dmp

memory/1712-817-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1712-815-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/2676-819-0x0000000000080000-0x00000000000C0000-memory.dmp

memory/2676-820-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/2676-818-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/2676-821-0x0000000000080000-0x00000000000C0000-memory.dmp

memory/2676-822-0x0000000000080000-0x00000000000C0000-memory.dmp

memory/1712-823-0x0000000000A30000-0x0000000000A70000-memory.dmp

memory/1712-824-0x0000000000A30000-0x0000000000A70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:37

Reported

2024-01-07 19:40

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe"

Signatures

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.com N/A N/A
N/A ip-address.domaintools.com N/A N/A
N/A ip-address.domaintools.com N/A N/A
N/A ip-address.domaintools.com N/A N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe

"C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe

"C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe"

C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe

"C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.com udp
US 104.21.89.158:80 whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.89.21.104.in-addr.arpa udp
US 104.21.89.158:443 www.whatismyip.com tcp
US 8.8.8.8:53 ip-address.domaintools.com udp
US 199.30.228.13:80 ip-address.domaintools.com tcp
US 104.21.89.158:80 www.whatismyip.com tcp
US 104.21.89.158:443 www.whatismyip.com tcp
US 199.30.228.13:80 ip-address.domaintools.com tcp
US 199.30.228.13:443 ip-address.domaintools.com tcp
US 8.8.8.8:53 13.228.30.199.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 199.30.228.13:443 ip-address.domaintools.com tcp
GB 87.248.205.0:80 N/A tcp
GB 96.17.179.63:80 N/A tcp

Files

memory/1196-1-0x0000000001A40000-0x0000000001A50000-memory.dmp

memory/1196-2-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/1196-0-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/2364-18-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/2364-30-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/1332-50-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/1332-51-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/2364-55-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-57-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-59-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-61-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-65-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-75-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-79-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-83-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-86-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-93-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-97-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-102-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/1332-108-0x0000000001300000-0x0000000001310000-memory.dmp

memory/2364-109-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-117-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-119-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-115-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-113-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-111-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-106-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-104-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-99-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-95-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-91-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-89-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/1332-87-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1332-85-0x0000000001300000-0x0000000001310000-memory.dmp

memory/2364-81-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-77-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-73-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-71-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-69-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-67-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-63-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-53-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-52-0x0000000006360000-0x00000000063E4000-memory.dmp

memory/2364-29-0x0000000000D10000-0x0000000000D20000-memory.dmp

memory/1196-17-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/2364-822-0x0000000000D10000-0x0000000000D20000-memory.dmp

memory/2364-823-0x0000000000D10000-0x0000000000D20000-memory.dmp

memory/2364-826-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/2364-827-0x0000000000D10000-0x0000000000D20000-memory.dmp

memory/2364-828-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/1332-829-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/1332-830-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1332-831-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/1332-833-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1332-832-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1332-834-0x0000000001300000-0x0000000001310000-memory.dmp

memory/2364-835-0x0000000000D10000-0x0000000000D20000-memory.dmp

memory/2364-836-0x0000000000D10000-0x0000000000D20000-memory.dmp

memory/2364-837-0x0000000000D10000-0x0000000000D20000-memory.dmp