4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d

General

Target

4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d.exe
Size

820KB
MD5

520327308034faebbf7770a951eea810
SHA1

4065db1062e0a0ba7e1b20f93c7d0169aa5ee1e6
SHA256

4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d
SHA512

33d832f74286b3f7e79fdba5e06f67d6a8510e5492523150960b14211c4530d3da820a1cc9a08915d037ccadc7483a4c9dda17514e0f20f33bff5f6e45d92d3b
SSDEEP

24576:xFRCUn4rP/37YzHXA6QJsoPtdpxxzYddS:xerP/37YzHXA6QJ3PtdpfEddS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Executes dropped EXE 1 IoCs

pid	Process
4684	tazebama.dl_

Loads dropped DLL 1 IoCs

pid	Process
2424	4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	tazebama.dl_

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\F:	tazebama.dl_
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE	tazebama.dl_

Program crash 1 IoCs

pid	pid_target	Process	procid_target
564	4684	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4684	tazebama.dl_
4684	tazebama.dl_

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4684	2424	4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d.exe	80
PID 2424 wrote to memory of 4684	2424	4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d.exe	80
PID 2424 wrote to memory of 4684	2424	4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d.exe	80

C:\Users\Admin\AppData\Local\Temp\4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d.exe
"C:\Users\Admin\AppData\Local\Temp\4757ec12e85d9f9ef421894d30aae99a8632e8dfa34655b2c14f3bdfeb79102d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 728
    3⤵
    - Program crash
    PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4684 -ip 4684
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\tazebama.dl_

Filesize
151KB

MD5
c6241d30809e847ee86b792ef4751f8e

SHA1
a719ccf3d879de1ab75cc522722acb6767ccca42

SHA256
cdb4a2140856ef4d09c4102ecd33ce0a7270097faebfeea2892591612f59abef

SHA512
6d964a83425ca96802516f319e309f8f8a32b9b6ac2686119427a951f2d9324a7de07d1c76e6b9286974317d1905301b24c3b31869262b3b9533e4949ab04ac7

Download Submit
C:\Users\tazebama.dl_

Filesize
151KB

MD5
c6241d30809e847ee86b792ef4751f8e

SHA1
a719ccf3d879de1ab75cc522722acb6767ccca42

SHA256
cdb4a2140856ef4d09c4102ecd33ce0a7270097faebfeea2892591612f59abef

SHA512
6d964a83425ca96802516f319e309f8f8a32b9b6ac2686119427a951f2d9324a7de07d1c76e6b9286974317d1905301b24c3b31869262b3b9533e4949ab04ac7

Download Submit
C:\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
memory/2424-133-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2424-134-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2424-137-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2424-139-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2424-142-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4684-140-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4684-141-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads