Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30/10/2022, 20:30
Static task
static1
Behavioral task
behavioral1
Sample
e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe
Resource
win10v2004-20220812-en
General
-
Target
e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe
-
Size
490KB
-
MD5
a20e245f936c3ccaa839cd02b8c93057
-
SHA1
feda5e95b3419134e27e68b464b542fb135acdc0
-
SHA256
e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85
-
SHA512
f4551f0e7fcc6b3be06ed600801e3f6fbfc0720a441fecbaea21014f2f4cabe854d0c9ca7b5a06af87425876882de3220c709f9c295fd1bf0bc0ccf53893faca
-
SSDEEP
6144:APOxLfPcvgKVotUkrA4pn9X5E9T85rgSk04VId:A0zKJkrA4pn9X5E9T8VgO46
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tazebama.dl_ -
Executes dropped EXE 1 IoCs
pid Process 824 tazebama.dl_ -
Loads dropped DLL 1 IoCs
pid Process 5100 e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\L: tazebama.dl_ File opened (read-only) \??\G: tazebama.dl_ File opened (read-only) \??\E: tazebama.dl_ File opened (read-only) \??\Y: tazebama.dl_ File opened (read-only) \??\W: tazebama.dl_ File opened (read-only) \??\R: tazebama.dl_ File opened (read-only) \??\F: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\P: tazebama.dl_ File opened (read-only) \??\J: tazebama.dl_ File opened (read-only) \??\U: tazebama.dl_ File opened (read-only) \??\H: tazebama.dl_ File opened (read-only) \??\S: tazebama.dl_ File opened (read-only) \??\O: tazebama.dl_ File opened (read-only) \??\M: tazebama.dl_ File opened (read-only) \??\K: tazebama.dl_ File opened (read-only) \??\I: tazebama.dl_ File opened (read-only) \??\Z: tazebama.dl_ File opened (read-only) \??\X: tazebama.dl_ File opened (read-only) \??\V: tazebama.dl_ -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE tazebama.dl_ -
Program crash 1 IoCs
pid pid_target Process procid_target 1716 824 WerFault.exe 65 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 824 tazebama.dl_ 824 tazebama.dl_ -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5100 wrote to memory of 824 5100 e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe 65 PID 5100 wrote to memory of 824 5100 e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe 65 PID 5100 wrote to memory of 824 5100 e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe 65
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe"C:\Users\Admin\AppData\Local\Temp\e4a6e22f7eb4db0da658063838ed31dfa291031d4f72c607c7c2e4c408702c85.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:824 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 7443⤵
- Program crash
PID:1716
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 824 -ip 8241⤵PID:3592
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151KB
MD56ec86ba263027b6864d8e756e5003576
SHA1369a1cf7d6578c93cc28fc8a2678e1e9a79a3c83
SHA25653a5f0607dea22e9b4f2e7e2f93bf0bdd2b770a09418d4f73b7979e6a67583f9
SHA5123ed6141c8082efe5fcf79d9ba48a9d62c5ac7b41b7add92148a9ac5115cd30c73ad641a4f0e001228758ed913ada1b2d5ab0f924a25c40335fb8d39ea6ed17bb
-
Filesize
151KB
MD56ec86ba263027b6864d8e756e5003576
SHA1369a1cf7d6578c93cc28fc8a2678e1e9a79a3c83
SHA25653a5f0607dea22e9b4f2e7e2f93bf0bdd2b770a09418d4f73b7979e6a67583f9
SHA5123ed6141c8082efe5fcf79d9ba48a9d62c5ac7b41b7add92148a9ac5115cd30c73ad641a4f0e001228758ed913ada1b2d5ab0f924a25c40335fb8d39ea6ed17bb
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c