a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0

General

Target

a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe
Size

228KB
MD5

07be76977d2328bb386a47779c9e1bc1
SHA1

16a905818f7fde2f9708e4fd0636f956986d8864
SHA256

a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0
SHA512

dd1f0a0cef38096c604971cea5b76a1a522bee513f689aa2bc4aa4b2c45413237007b82f9a9018e753470e2a3573304f5adc95e89e636fcd36bce6de7edac2fc
SSDEEP

3072:RJYqAlIg4OrsxE0s3mGLeBdNN+XEB4HH7UIZiu7p9Le3ZqsUM8:Ux4ksiWGLeBZr4nkKLgxUM8

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tazebama.dl_

Executes dropped EXE 1 IoCs

pid	Process
1416	tazebama.dl_

Loads dropped DLL 3 IoCs

pid	Process
1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe
1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe
1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	tazebama.dl_

Program crash 1 IoCs

pid	pid_target	Process	procid_target
884	1336	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1416	tazebama.dl_

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1416	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	27
PID 1336 wrote to memory of 1416	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	27
PID 1336 wrote to memory of 1416	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	27
PID 1336 wrote to memory of 1416	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	27
PID 1336 wrote to memory of 884	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	28
PID 1336 wrote to memory of 884	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	28
PID 1336 wrote to memory of 884	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	28
PID 1336 wrote to memory of 884	1336	a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe	28

C:\Users\Admin\AppData\Local\Temp\a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe
"C:\Users\Admin\AppData\Local\Temp\a62719f6eba55262c8391d234b0be63fb5f8324c3c2df001fff47eddcaa857a0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 140
  2⤵
  - Program crash
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
8fc3db65521e35b23473903bf8309f8a

SHA1
17a33be5e2f1bf5d23d57533d3f39cbed7a46134

SHA256
5760a6378b7761395300444a3a7ee08a470eb8ecc5b6fe092d0600dfd4b71d07

SHA512
63b11fb9df72e4736e5735a110086eef361ec0328e6d348b6a80dd752bd1521fe63981b0a0962c1d70efbc72c5c9b718eeb457ee77518e14ee536abb49f7d991

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
8fc3db65521e35b23473903bf8309f8a

SHA1
17a33be5e2f1bf5d23d57533d3f39cbed7a46134

SHA256
5760a6378b7761395300444a3a7ee08a470eb8ecc5b6fe092d0600dfd4b71d07

SHA512
63b11fb9df72e4736e5735a110086eef361ec0328e6d348b6a80dd752bd1521fe63981b0a0962c1d70efbc72c5c9b718eeb457ee77518e14ee536abb49f7d991

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
8fc3db65521e35b23473903bf8309f8a

SHA1
17a33be5e2f1bf5d23d57533d3f39cbed7a46134

SHA256
5760a6378b7761395300444a3a7ee08a470eb8ecc5b6fe092d0600dfd4b71d07

SHA512
63b11fb9df72e4736e5735a110086eef361ec0328e6d348b6a80dd752bd1521fe63981b0a0962c1d70efbc72c5c9b718eeb457ee77518e14ee536abb49f7d991

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
8fc3db65521e35b23473903bf8309f8a

SHA1
17a33be5e2f1bf5d23d57533d3f39cbed7a46134

SHA256
5760a6378b7761395300444a3a7ee08a470eb8ecc5b6fe092d0600dfd4b71d07

SHA512
63b11fb9df72e4736e5735a110086eef361ec0328e6d348b6a80dd752bd1521fe63981b0a0962c1d70efbc72c5c9b718eeb457ee77518e14ee536abb49f7d991

Download Submit
\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
memory/1336-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1336-64-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/1336-63-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/1336-67-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/1416-59-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1416-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1416-66-0x0000000072701000-0x0000000072703000-memory.dmp

Filesize
8KB

Download
memory/1416-68-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads