Analysis
-
max time kernel
165s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 20:57
Static task
static1
Behavioral task
behavioral1
Sample
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe
Resource
win10v2004-20220812-en
General
-
Target
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe
-
Size
230KB
-
MD5
2c2fa72b1cfcc4e452920f9ab0994177
-
SHA1
003ada28dfba1ebe2396acf5f0c29a80c9fad266
-
SHA256
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed
-
SHA512
62009ea9c3f49bfda731d657f525049e04ba61ae13a785177bbcb96f8f48f1a60ed07003b8957410d2a81cbfde7d6d78024567d7a42d42ca0f41ef380809b302
-
SSDEEP
6144:adT3RRJxSu6ZGGexdkXyeKY6o2aTYRCzEacG:qhRv9xdkXyeKtWT76G
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
tazebama.dl_description ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tazebama.dl_ -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
tazebama.dl_description ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tazebama.dl_ -
Nirsoft 3 IoCs
Processes:
resource yara_rule behavioral1/memory/960-63-0x0000000000400000-0x0000000000412000-memory.dmp Nirsoft behavioral1/memory/960-66-0x0000000000400000-0x0000000000412000-memory.dmp Nirsoft behavioral1/memory/960-67-0x0000000000400000-0x0000000000412000-memory.dmp Nirsoft -
Executes dropped EXE 1 IoCs
Processes:
tazebama.dl_pid process 1712 tazebama.dl_ -
Loads dropped DLL 3 IoCs
Processes:
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exepid process 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tazebama.dl_description ioc process Key created \REGISTRY\MACHINE\software\Wow6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
tazebama.dl_description ioc process File opened (read-only) \??\X: tazebama.dl_ File opened (read-only) \??\V: tazebama.dl_ File opened (read-only) \??\U: tazebama.dl_ File opened (read-only) \??\Q: tazebama.dl_ File opened (read-only) \??\J: tazebama.dl_ File opened (read-only) \??\Y: tazebama.dl_ File opened (read-only) \??\M: tazebama.dl_ File opened (read-only) \??\L: tazebama.dl_ File opened (read-only) \??\I: tazebama.dl_ File opened (read-only) \??\E: tazebama.dl_ File opened (read-only) \??\Z: tazebama.dl_ File opened (read-only) \??\W: tazebama.dl_ File opened (read-only) \??\O: tazebama.dl_ File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\F: tazebama.dl_ File opened (read-only) \??\G: tazebama.dl_ File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\S: tazebama.dl_ File opened (read-only) \??\R: tazebama.dl_ File opened (read-only) \??\P: tazebama.dl_ File opened (read-only) \??\K: tazebama.dl_ File opened (read-only) \??\H: tazebama.dl_ -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
tazebama.dl_description ioc process File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf tazebama.dl_ -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
tazebama.dl_pid process 1712 tazebama.dl_ -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exepid process 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exedescription pid process target process PID 960 wrote to memory of 1712 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe tazebama.dl_ PID 960 wrote to memory of 1712 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe tazebama.dl_ PID 960 wrote to memory of 1712 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe tazebama.dl_ PID 960 wrote to memory of 1712 960 a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe tazebama.dl_
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe"C:\Users\Admin\AppData\Local\Temp\a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
PID:1712
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
157KB
MD587d42c88bd871be7f44f69e34ceaab79
SHA1123de1f20e98905a77a09d6fc65fb85730309fec
SHA25677109419bbad0d4fee337c659555e3ec9dc75f1eaff1c66d9927a33d16d0584f
SHA512314111ce73a9a6ed6b43a1afb9f469e034321aac3f3b547b9329639944116fc92faa15e8e6aa06c4f2eaf7e17f9d4dcafc0752a3c2e34e96941b99ce015ef72e
-
Filesize
157KB
MD587d42c88bd871be7f44f69e34ceaab79
SHA1123de1f20e98905a77a09d6fc65fb85730309fec
SHA25677109419bbad0d4fee337c659555e3ec9dc75f1eaff1c66d9927a33d16d0584f
SHA512314111ce73a9a6ed6b43a1afb9f469e034321aac3f3b547b9329639944116fc92faa15e8e6aa06c4f2eaf7e17f9d4dcafc0752a3c2e34e96941b99ce015ef72e
-
Filesize
157KB
MD587d42c88bd871be7f44f69e34ceaab79
SHA1123de1f20e98905a77a09d6fc65fb85730309fec
SHA25677109419bbad0d4fee337c659555e3ec9dc75f1eaff1c66d9927a33d16d0584f
SHA512314111ce73a9a6ed6b43a1afb9f469e034321aac3f3b547b9329639944116fc92faa15e8e6aa06c4f2eaf7e17f9d4dcafc0752a3c2e34e96941b99ce015ef72e
-
Filesize
157KB
MD587d42c88bd871be7f44f69e34ceaab79
SHA1123de1f20e98905a77a09d6fc65fb85730309fec
SHA25677109419bbad0d4fee337c659555e3ec9dc75f1eaff1c66d9927a33d16d0584f
SHA512314111ce73a9a6ed6b43a1afb9f469e034321aac3f3b547b9329639944116fc92faa15e8e6aa06c4f2eaf7e17f9d4dcafc0752a3c2e34e96941b99ce015ef72e
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c