0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43

General

Target

0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
Size

176KB
MD5

1b9d6ec7181f906613387bfa0351a2a0
SHA1

4b4ae2f968bad4f794aa4257015cff662e326bb1
SHA256

0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43
SHA512

7bb00294368766802abeb179ad6e68f29696a6ea38c54ff5fa3dd8adc084af2c7352789e6ca174aba672297ffca91fa1e60db7707b21c961eec32df216a85e05
SSDEEP

3072:OC1C8Wlh4GWtPuCaAYmG5bcFuKnvmb7/D26inavm4QLzHpXP6D8R8FOjcKvDHmB1:NI8WAGWtPuCaVmG5bnKnvmb7/D26caem

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exetaigaiw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taigaiw.exe

Executes dropped EXE 1 IoCs

Processes:

taigaiw.exe

pid process

2220 taigaiw.exe

pid	process
2220	taigaiw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taigaiw.exe0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /X"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /S"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /v"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /c"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /H"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /I"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /u"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /A"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /b"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /a"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /K"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /J"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /j"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /R"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /f"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /n"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /l"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /U"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /d"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /t"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /q"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /e"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /F"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /D"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /O"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /C"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /i"	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /k"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /o"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /p"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /z"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /V"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /G"	taigaiw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /Y"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /M"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /W"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /P"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /m"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /y"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /w"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /i"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /r"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /E"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /B"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /h"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /g"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /T"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /Q"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /s"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /x"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /Z"	taigaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taigaiw = "C:\\Users\\Admin\\taigaiw.exe /N"	taigaiw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exetaigaiw.exe

pid	process
4888	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
4888	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe
2220	taigaiw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exetaigaiw.exe

pid process

4888 0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
2220 taigaiw.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe

description	pid	process	target process
PID 4888 wrote to memory of 2220	4888	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe	taigaiw.exe
PID 4888 wrote to memory of 2220	4888	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe	taigaiw.exe
PID 4888 wrote to memory of 2220	4888	0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe	taigaiw.exe

C:\Users\Admin\AppData\Local\Temp\0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe
"C:\Users\Admin\AppData\Local\Temp\0da4aed1141179612a8cd3d24e493f9a6681470485cb3f71f1b6f2e8733e1d43.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\taigaiw.exe
"C:\Users\Admin\taigaiw.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\taigaiw.exe
Filesize
176KB

MD5
1fe868682d070574cd4751ed51640365

SHA1
6a1f74a24e431e53641f2da58fdaf62323d51a1e

SHA256
0c3c03adc19ebbf006eb200aea1f82a329d3965da5120dfb41c5de14825ad8cb

SHA512
abf9f14c76367df38fc787b025dc250f9cc41433a651c4c968eb8636966ddeb090fb77660930fe6b73f3904124530ac909a9f836c8a7e93b5c69b31417faa07b

Download Submit
C:\Users\Admin\taigaiw.exe
Filesize
176KB

MD5
1fe868682d070574cd4751ed51640365

SHA1
6a1f74a24e431e53641f2da58fdaf62323d51a1e

SHA256
0c3c03adc19ebbf006eb200aea1f82a329d3965da5120dfb41c5de14825ad8cb

SHA512
abf9f14c76367df38fc787b025dc250f9cc41433a651c4c968eb8636966ddeb090fb77660930fe6b73f3904124530ac909a9f836c8a7e93b5c69b31417faa07b

Download Submit
memory/2220-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads