Analysis
-
max time kernel
94s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 20:57
General
-
Target
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe
-
Size
230KB
-
MD5
2c2fa72b1cfcc4e452920f9ab0994177
-
SHA1
003ada28dfba1ebe2396acf5f0c29a80c9fad266
-
SHA256
a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed
-
SHA512
62009ea9c3f49bfda731d657f525049e04ba61ae13a785177bbcb96f8f48f1a60ed07003b8957410d2a81cbfde7d6d78024567d7a42d42ca0f41ef380809b302
-
SSDEEP
6144:adT3RRJxSu6ZGGexdkXyeKY6o2aTYRCzEacG:qhRv9xdkXyeKtWT76G
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Nirsoft 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe"C:\Users\Admin\AppData\Local\Temp\a0d5a5f89d62230b26c57bade0df0ab721110925a6440f306043b5410b18c3ed.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 6523⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1516 -ip 15161⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
157KB
MD587d42c88bd871be7f44f69e34ceaab79
SHA1123de1f20e98905a77a09d6fc65fb85730309fec
SHA25677109419bbad0d4fee337c659555e3ec9dc75f1eaff1c66d9927a33d16d0584f
SHA512314111ce73a9a6ed6b43a1afb9f469e034321aac3f3b547b9329639944116fc92faa15e8e6aa06c4f2eaf7e17f9d4dcafc0752a3c2e34e96941b99ce015ef72e
-
Filesize
2.6MB
MD5f200bb5ea7cc86a305c1a5d437334ea6
SHA1863e50bbabdfa47cb846996ca7b322fa0eb7c0dc
SHA256517367bea75ac6a6ced2f1d4a9d3d8c30679452cc38b422fdeae23214c36ee1d
SHA5120ae4a2c29ba6c6df0c38cd0ec8ef26b6bbcdf83b8f986313419ddd239f13356d18e2bdc6611c80462d4a26730617c813043c02ad5ff79704acdc221ecb7f9381
-
Filesize
157KB
MD587d42c88bd871be7f44f69e34ceaab79
SHA1123de1f20e98905a77a09d6fc65fb85730309fec
SHA25677109419bbad0d4fee337c659555e3ec9dc75f1eaff1c66d9927a33d16d0584f
SHA512314111ce73a9a6ed6b43a1afb9f469e034321aac3f3b547b9329639944116fc92faa15e8e6aa06c4f2eaf7e17f9d4dcafc0752a3c2e34e96941b99ce015ef72e
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c
-
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB