e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85

General

Target

e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe
Size

490KB
MD5

a20e245f936c3ccaa839cd02b8c93057
SHA1

feda5e95b3419134e27e68b464b542fb135acdc0
SHA256

e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85
SHA512

f4551f0e7fcc6b3be06ed600801e3f6fbfc0720a441fecbaea21014f2f4cabe854d0c9ca7b5a06af87425876882de3220c709f9c295fd1bf0bc0ccf53893faca
SSDEEP

6144:APOxLfPcvgKVotUkrA4pn9X5E9T85rgSk04VId:A0zKJkrA4pn9X5E9T8VgO46

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Executes dropped EXE 1 IoCs

pid	Process
824	tazebama.dl_

Loads dropped DLL 1 IoCs

pid	Process
5100	e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE	tazebama.dl_

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1716	824	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
824	tazebama.dl_
824	tazebama.dl_

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 824	5100	e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe	65
PID 5100 wrote to memory of 824	5100	e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe	65
PID 5100 wrote to memory of 824	5100	e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe	65

C:\Users\Admin\AppData\Local\Temp\e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe
"C:\Users\Admin\AppData\Local\Temp\e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 744
    3⤵
    - Program crash
    PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 824 -ip 824
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
6ec86ba263027b6864d8e756e5003576

SHA1
369a1cf7d6578c93cc28fc8a2678e1e9a79a3c83

SHA256
53a5f0607dea22e9b4f2e7e2f93bf0bdd2b770a09418d4f73b7979e6a67583f9

SHA512
3ed6141c8082efe5fcf79d9ba48a9d62c5ac7b41b7add92148a9ac5115cd30c73ad641a4f0e001228758ed913ada1b2d5ab0f924a25c40335fb8d39ea6ed17bb

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
6ec86ba263027b6864d8e756e5003576

SHA1
369a1cf7d6578c93cc28fc8a2678e1e9a79a3c83

SHA256
53a5f0607dea22e9b4f2e7e2f93bf0bdd2b770a09418d4f73b7979e6a67583f9

SHA512
3ed6141c8082efe5fcf79d9ba48a9d62c5ac7b41b7add92148a9ac5115cd30c73ad641a4f0e001228758ed913ada1b2d5ab0f924a25c40335fb8d39ea6ed17bb

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
memory/824-138-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/824-140-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5100-132-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-139-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads