b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
Size

240KB
MD5

06ca84f4cb730da7ab59d01f39030aa0
SHA1

8246cfba73ecc907b783505e221aaa274a91a126
SHA256

b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2
SHA512

2d92ee79643ee94add6cf4928db00ea9150efb7582cac959b7c0ec4d385091ccea128bf6d602cfa6ebbc4592277b176093b96b63f7eacd6351d2ee76801da87a
SSDEEP

6144:hUd3dwqsNwemAB0EqxF6snji81RUinKchhyZS3i:mdQQJsAS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	sazat.exe

Executes dropped EXE 1 IoCs

pid	Process
992	sazat.exe

Loads dropped DLL 2 IoCs

pid	Process
1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /e"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /x"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /a"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /i"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /s"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /b"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /w"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /r"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /u"	sazat.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /f"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /p"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /o"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /q"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /k"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /l"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /c"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /t"	sazat.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /w"	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /z"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /j"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /d"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /y"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /h"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /v"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /n"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /g"	sazat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sazat = "C:\\Users\\Admin\\sazat.exe /m"	sazat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe
992	sazat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
992	sazat.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 992	1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe	26
PID 1524 wrote to memory of 992	1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe	26
PID 1524 wrote to memory of 992	1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe	26
PID 1524 wrote to memory of 992	1524	b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe	26

C:\Users\Admin\AppData\Local\Temp\b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe
"C:\Users\Admin\AppData\Local\Temp\b6c1e0e710f37f2cc822a86b8553e7dcf40e0d25083d819cc69397a634d8caa2.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\sazat.exe
  "C:\Users\Admin\sazat.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sazat.exe

Filesize
240KB

MD5
ec2fb881151c621dde7b8917cdbc0733

SHA1
489600e05a662d392f792dfb54e924de0f1f87e6

SHA256
f2bfd68e03bea4d3bf48a570cc8ddc0a1d2aed96aba47a91b60e51dd41895f5e

SHA512
53c9a27eca45abe1a77c950d9b55a09d51dc60fdb8128c7bf5400f806314fdb19fabb2ba7d754790e778eb5d476ad97aeb0b0c53c891d1503399bc33be124761

Download Submit
C:\Users\Admin\sazat.exe

Filesize
240KB

MD5
ec2fb881151c621dde7b8917cdbc0733

SHA1
489600e05a662d392f792dfb54e924de0f1f87e6

SHA256
f2bfd68e03bea4d3bf48a570cc8ddc0a1d2aed96aba47a91b60e51dd41895f5e

SHA512
53c9a27eca45abe1a77c950d9b55a09d51dc60fdb8128c7bf5400f806314fdb19fabb2ba7d754790e778eb5d476ad97aeb0b0c53c891d1503399bc33be124761

Download Submit
\Users\Admin\sazat.exe

Filesize
240KB

MD5
ec2fb881151c621dde7b8917cdbc0733

SHA1
489600e05a662d392f792dfb54e924de0f1f87e6

SHA256
f2bfd68e03bea4d3bf48a570cc8ddc0a1d2aed96aba47a91b60e51dd41895f5e

SHA512
53c9a27eca45abe1a77c950d9b55a09d51dc60fdb8128c7bf5400f806314fdb19fabb2ba7d754790e778eb5d476ad97aeb0b0c53c891d1503399bc33be124761

Download Submit
\Users\Admin\sazat.exe

Filesize
240KB

MD5
ec2fb881151c621dde7b8917cdbc0733

SHA1
489600e05a662d392f792dfb54e924de0f1f87e6

SHA256
f2bfd68e03bea4d3bf48a570cc8ddc0a1d2aed96aba47a91b60e51dd41895f5e

SHA512
53c9a27eca45abe1a77c950d9b55a09d51dc60fdb8128c7bf5400f806314fdb19fabb2ba7d754790e778eb5d476ad97aeb0b0c53c891d1503399bc33be124761

Download Submit
memory/1524-56-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download