Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 00:35
Static task: static1
Behavioral task: behavioral1
- Sample: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe
- Resource: win10v2004-20220901-en
General
- Target: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe
- Size: 144KB
- MD5: 3a34c964fc0e17eea6a09a776c6bcff0
- SHA1: 9d5e8149940bd1ecb7a7f907241be119bc4dbb65
- SHA256: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147
- SHA512: 12de82f52967e7841a2c5062967eceb1f1b7cbb5fff844cd0dcfe46a87f590699be945a61755a1eb594838f4b3c28c79ad6e23c6599d6fa1f115eaeed6286e1f
- SSDEEP: 3072:NHKFKfj2vhINgVs+Y9YXeKjxF1yj13TWDnt5:NqFUjWq2gYuKjxF1ss
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe, taawit.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: taawit.exe)
- Executes dropped EXE (1 IoC)
  Processes: taawit.exe
  - PID 1612 taawit.exe
- Loads dropped DLL (2 IoCs)
  Processes: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe
  - PID 992 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe (2 hits)
- Adds Run key to start application (2 TTPs, 55 IoCs)
  Processes: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe, taawit.exe
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (by both processes); the value Run\taawit is repeatedly set to "C:\\Users\\Admin\\taawit.exe" followed by a single-letter switch.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe, taawit.exe
  - PID 992 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe (1 hit)
  - PID 1612 taawit.exe (63 hits)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe, taawit.exe
  - PID 992 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe
  - PID 1612 taawit.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe
  - PID 992 (64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe) wrote to memory of PID 1612 (taawit.exe), 4 hits
Processes
1. C:\Users\Admin\AppData\Local\Temp\64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\64dbd0555bff64544f0a1d773296691e29e49927da77ba9410e351efb55b5147.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\taawit.exe (child of 1)
      Command line: "C:\Users\Admin\taawit.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\taawit.exe
  - Filesize: 144KB
  - MD5: 568ffc70e4a8abb9b6464fb81d12736f
  - SHA1: b73d9b035f35e9b750dbe6f9289314c5cf8fd238
  - SHA256: 716619a4f12ac6206d71db0f4163ab4481a8814fcb720e88e6b3beb3797ef849
  - SHA512: 5e3a4f480064db58d3c76c266371e93409ff6fcd32308a404a3a42396a58907b5e052df587709a58923e4467dd31690db02b08e017cb49721bcc5e26174eca86
- \Users\Admin\taawit.exe
  - Filesize: 144KB
  - MD5: 568ffc70e4a8abb9b6464fb81d12736f
  - SHA1: b73d9b035f35e9b750dbe6f9289314c5cf8fd238
  - SHA256: 716619a4f12ac6206d71db0f4163ab4481a8814fcb720e88e6b3beb3797ef849
  - SHA512: 5e3a4f480064db58d3c76c266371e93409ff6fcd32308a404a3a42396a58907b5e052df587709a58923e4467dd31690db02b08e017cb49721bcc5e26174eca86
- memory/992-56-0x0000000076561000-0x0000000076563000-memory.dmp
  - Filesize: 8KB
- memory/1612-59-0x0000000000000000-mapping.dmp