Analysis
max time kernel: 151s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 15:45
Behavioral task behavioral1
Sample: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe
Resource: win10v2004-20220901-en
General
Target: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe
Size: 434KB
MD5: 0e6d2f678cda0d2ffa212b881b9c0da0
SHA1: 8c5064521de78810378ebfbe767bbe4988451014
SHA256: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e
SHA512: a04fd1e6b6749a2b2cdf185a77a9a5819a18b13eaeda6fdf3d9d54d02eb15b024750e360e0ecddcd24f59107c4add00f4e3caee9dfe302eab410a7536ace5311
SSDEEP: 12288:ZSNC80I+cR3R03VseZOt/wq9rhYQmJjc9hoe:Z4ChZcRi3VseFqpGi2e
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe chrome.exe" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: tazebama.dl_)
Disables RegEdit via registry modification (1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
  pid 2428: tazebama.dl_
YARA rule upx, matched resources:
  behavioral2/memory/2016-132-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral2/memory/2016-134-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral2/memory/2016-139-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral2/memory/2016-146-0x0000000000400000-0x00000000004CA000-memory.dmp
  behavioral2/memory/2016-147-0x0000000000400000-0x00000000004CA000-memory.dmp
Loads dropped DLL (1 IoC)
  pid 2016: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created: \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run (process: tazebama.dl_)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\chrome.exe" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by tazebama.dl_: \??\T:, \??\Q:, \??\L:, \??\J:, \??\Z:, \??\H:, \??\N:, \??\V:, \??\R:, \??\K:, \??\I:, \??\Y:, \??\G:, \??\W:, \??\U:, \??\P:, \??\X:, \??\O:, \??\M:, \??\F:, \??\E:, \??\S:
  File opened (read-only) by 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe: \??\j:, \??\z:, \??\f:, \??\i:, \??\r:, \??\m:, \??\t:, \??\b:, \??\e:, \??\h:, \??\q:, \??\w:, \??\p:, \??\u:, \??\a:, \??\g:, \??\s:, \??\k:, \??\l:, \??\n:, \??\o:, \??\v:, \??\y:, \??\x:
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe, matched resources:
    behavioral2/memory/2016-139-0x0000000000400000-0x00000000004CA000-memory.dmp
    behavioral2/memory/2016-146-0x0000000000400000-0x00000000004CA000-memory.dmp
    behavioral2/memory/2016-147-0x0000000000400000-0x00000000004CA000-memory.dmp
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification: C:\autorun.inf (process: tazebama.dl_)
  File opened for modification: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf (process: tazebama.dl_)
  File created: \??\d:\autorun.inf (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\chrome.exe (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  File opened for modification: C:\Windows\SysWOW64\chrome.exe (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  File opened for modification: C:\Windows\SysWOW64\autorun.ini (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Drops file in Program Files directory (1 IoC)
  File opened for modification: C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE (process: tazebama.dl_)
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\chrome.exe (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  File opened for modification: C:\Windows\chrome.exe (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
  pid 1700 (WerFault.exe), pid_target 2428, procid_target 81
Modifies Internet Explorer settings
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://h1.ripway.com/poojasharma/index.html" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://h1.ripway.com/poojasharma/index.html" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://h1.ripway.com/poojasharma/index.html" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Modifies Internet Explorer start page (1 TTP, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://h1.ripway.com/poojasharma/index.html" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://h1.ripway.com/poojasharma/index.html" (process: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2428: tazebama.dl_ (2 entries)
  pid 2016: 3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe (all remaining entries)
Suspicious use of WriteProcessMemory (21 IoCs)
  PID 2016 (3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe) wrote to memory of 2428, procid_target 81 (3 entries)
  PID 2016 (3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe) wrote to memory of 3768, procid_target 83 (3 entries)
  PID 3768 (cmd.exe) wrote to memory of 3508, procid_target 85 (3 entries)
  PID 2016 (3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe) wrote to memory of 888, procid_target 87 (3 entries)
  PID 888 (cmd.exe) wrote to memory of 1736, procid_target 89 (3 entries)
  PID 2016 (3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe) wrote to memory of 3872, procid_target 90 (3 entries)
  PID 3872 (cmd.exe) wrote to memory of 1100, procid_target 92 (3 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a7ed12eea1046eef1d722ed6873fe6f614bdc23d884bc021d78d41e37c0f14e.exe"
  PID: 2016
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Documents and Settings\tazebama.dl_
    Command line: "C:\Documents and Settings\tazebama.dl_"
    PID: 2428
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    Level 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 728
      PID: 1700
      - Program crash
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
    PID: 3768
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\at.exe
      Command line: AT /delete /yes
      PID: 3508
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\chrome.exe
    PID: 888
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\at.exe
      Command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\chrome.exe
      PID: 1736
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
    PID: 3872
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\cacls.exe
      Command line: cacls "C:\system volume information" /e /g "Admin":f
      PID: 1100
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2428 -ip 2428
  PID: 3704
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (listed twice in the report)
Filesize: 151KB
MD5: a867a96fc073afd30656f6c0939e50ed
SHA1: ed51477960030dd12f330771d48a1d09812bdef4
SHA256: 667e78bcc0eff0590950a2dfa4f579c92b4b4ad56ebbed14dd4d11e0baf0ec94
SHA512: 687041e5b1ad74897f16b23b35b5358079d213627849cbd1d15d7f356250cb67c50fab6d30c07fab33cb0b7f28c2e56a941e280f961cabae6e84ce83e3a479c1
Dropped file
Filesize: 32KB
MD5: b6a03576e595afacb37ada2f1d5a0529
SHA1: d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA256: 1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512: 181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c