Overview

overview

10

Static

static

8816f1a32d...f3.exe

windows7-x64

10

8816f1a32d...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 02:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8816f1a32df873184dc68b7174a60b0f2ab78fd6fa9614984c73292aa701f0f3.exe

  • Size

    235KB

  • MD5

    8199ecf33ab08efbfb1f82a49239f60d

  • SHA1

    0f0ed1152c2658012f3d789c668b693c742cf89d

  • SHA256

    8816f1a32df873184dc68b7174a60b0f2ab78fd6fa9614984c73292aa701f0f3

  • SHA512

    04116efb2dc28a2a69c576dea02420ae90a6baf0347f825f1face3388422b16deb7b136a448454b76ccd534c97e7f69dac748d9f0a37e5b940cb7d3ce43a3e2f

  • SSDEEP

    3072:W1iHnFeXb0ryVjM6xeVo0tL0nUq8sT06+7KJOTnhrNENfUxhy9lyi31YKLn:W1IcX4ryVsR0nUqS6+7KsLcmhyui3Xb

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8816f1a32df873184dc68b7174a60b0f2ab78fd6fa9614984c73292aa701f0f3.exe
    "C:\Users\Admin\AppData\Local\Temp\8816f1a32df873184dc68b7174a60b0f2ab78fd6fa9614984c73292aa701f0f3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:4784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 744
        3⤵
        • Program crash
        PID:5016
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4784 -ip 4784
    1⤵
      PID:2232

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Documents and Settings\tazebama.dl_
            Filesize

            157KB

            MD5

            623a4f9c5bd1082af9e6d03ff271d110

            SHA1

            d8556a1e43e871159de6c582c65ca0f3bf240758

            SHA256

            7b56ebc4bef00b25052b5e5815cfadd41940feb499b479f12a7158daa9dc85b1

            SHA512

            2c835751b3b13f3b39076d1ac79d61f07e56303c729139eaabf4267a22108574cc9fc4515a75e1499d954162e875d7cc7c3c42b8bc48c9aa14f0eb831eac81d8

            Download Submit

          • C:\Users\tazebama.dl_
            Filesize

            157KB

            MD5

            623a4f9c5bd1082af9e6d03ff271d110

            SHA1

            d8556a1e43e871159de6c582c65ca0f3bf240758

            SHA256

            7b56ebc4bef00b25052b5e5815cfadd41940feb499b479f12a7158daa9dc85b1

            SHA512

            2c835751b3b13f3b39076d1ac79d61f07e56303c729139eaabf4267a22108574cc9fc4515a75e1499d954162e875d7cc7c3c42b8bc48c9aa14f0eb831eac81d8

            Download Submit

          • C:\Users\tazebama.dll
            Filesize

            32KB

            MD5

            b6a03576e595afacb37ada2f1d5a0529

            SHA1

            d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

            SHA256

            1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

            SHA512

            181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

            Download Submit

          • memory/4364-136-0x0000000001000000-0x0000000001016000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4364-138-0x0000000001000000-0x0000000001016000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4784-137-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download

          • memory/4784-139-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB

            Download