Analysis Overview
SHA256
685879a8ac253907b3eefd0f5b92d3380fb2fa3a6c4d1cc02d42d6591cc10165
Threat Level: Shows suspicious behavior
The file a748a2c1309b46e221d69642e5ae7e31.exe was found to show suspicious behavior.
Malicious Activity Summary
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-07 19:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-07 19:37
Reported: 2024-01-07 19:40
Platform: win7-20231129-en
Max time kernel: 0s
Max time network: 142s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-address.domaintools.com | N/A | N/A |
| N/A | ip-address.domaintools.com | N/A | N/A |
| N/A | ip-address.domaintools.com | N/A | N/A |
| N/A | ip-address.domaintools.com | N/A | N/A |
| N/A | whatismyip.com | N/A | N/A |
| N/A | ip-address.domaintools.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe | "C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe" |
| C:\Windows\SysWOW64\reg.exe | C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\Windows\SysWOW64\reg.exe | C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe | "C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe" |
| C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe | "C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.com | udp |
| US | 172.67.189.152:80 | whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 172.67.189.152:443 | www.whatismyip.com | tcp |
| US | 172.67.189.152:80 | www.whatismyip.com | tcp |
| US | 172.67.189.152:443 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | ip-address.domaintools.com | udp |
| US | 199.30.228.13:80 | ip-address.domaintools.com | tcp |
| US | 199.30.228.13:443 | ip-address.domaintools.com | tcp |
| US | 199.30.228.13:443 | ip-address.domaintools.com | tcp |
| US | 172.67.189.152:443 | www.whatismyip.com | tcp |
| US | 172.67.189.152:443 | www.whatismyip.com | tcp |
| US | 199.30.228.13:80 | ip-address.domaintools.com | tcp |
| US | 199.30.228.13:443 | ip-address.domaintools.com | tcp |
| US | 199.30.228.13:443 | ip-address.domaintools.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-07 19:37
Reported: 2024-01-07 19:40
Platform: win10v2004-20231215-en
Max time kernel: 0s
Max time network: 149s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.com | N/A | N/A |
| N/A | ip-address.domaintools.com | N/A | N/A |
| N/A | ip-address.domaintools.com | N/A | N/A |
| N/A | ip-address.domaintools.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe | "C:\Users\Admin\AppData\Local\Temp\a748a2c1309b46e221d69642e5ae7e31.exe" |
| C:\Windows\SysWOW64\reg.exe | C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe | "C:\ProgramData\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\ciepsIdenxsWlFYrmbHQRPUFyGjwvMQSKjyqbJLgJNblGUHtUq\0.0.0.0\screen.exe" |
| C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe | "C:\Users\Admin\Documents\a748a2c1309b46e221d69642e5ae7e31.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
| C:\Windows\SysWOW64\reg.exe | C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.com | udp |
| US | 104.21.89.158:80 | whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 8.8.8.8:53 | 75.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.89.21.104.in-addr.arpa | udp |
| US | 104.21.89.158:443 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | ip-address.domaintools.com | udp |
| US | 199.30.228.13:80 | ip-address.domaintools.com | tcp |
| US | 104.21.89.158:80 | www.whatismyip.com | tcp |
| US | 104.21.89.158:443 | www.whatismyip.com | tcp |
| US | 199.30.228.13:80 | ip-address.domaintools.com | tcp |
| US | 199.30.228.13:443 | ip-address.domaintools.com | tcp |
| US | 8.8.8.8:53 | 13.228.30.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 199.30.228.13:443 | ip-address.domaintools.com | tcp |
| GB | 87.248.205.0:80 | | tcp |
| GB | 96.17.179.63:80 | | tcp |
Files