a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39

Analysis

max time kernel
91s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe
Size

893KB
MD5

50adf141d9b921d22c50dfdb202d4544
SHA1

e27835cd542d5c6d550f00efb7c2e25f5e791835
SHA256

a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39
SHA512

588e19228190b0d1f5b632df686bd26e78731dcb0472f1f46c2b3d0d9fd0c8537a0187ce3ff4f1d9a016e72bbaf335a11a149d32d4ed37d91a726320ea366272
SSDEEP

12288:Wzj0D9bO3rTtg3xNGNboQtCyGOy9IAGNmt187tZp9oe1aKNvETo+johds7barLGb:WWTKMQtCypy9IvmAro8+Ehds7ULh6J

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1520	tazecik.exe

Loads dropped DLL 1 IoCs

pid	Process
1624	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	tazecik.exe
Token: 33	1520	tazecik.exe
Token: SeIncBasePriorityPrivilege	1520	tazecik.exe
Token: 33	1520	tazecik.exe
Token: SeIncBasePriorityPrivilege	1520	tazecik.exe
Token: 33	1520	tazecik.exe
Token: SeIncBasePriorityPrivilege	1520	tazecik.exe
Token: 33	1520	tazecik.exe
Token: SeIncBasePriorityPrivilege	1520	tazecik.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1624	968	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe	28
PID 968 wrote to memory of 1624	968	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe	28
PID 968 wrote to memory of 1624	968	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe	28
PID 968 wrote to memory of 1624	968	a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe	28
PID 1624 wrote to memory of 1520	1624	cmd.exe	30
PID 1624 wrote to memory of 1520	1624	cmd.exe	30
PID 1624 wrote to memory of 1520	1624	cmd.exe	30
PID 1624 wrote to memory of 1520	1624	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe
"C:\Users\Admin\AppData\Local\Temp\a5ce0806995a529a70a009333393f2bc6b487d957cacd4bd2d3e2f997e7cfd39.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2647.tmp\launch.bat" C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\2647.tmp\tazecik.exe
    tazecik.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2647.tmp\launch.bat

Filesize
28B

MD5
f73b14375c0763929b083a71a42fe5ab

SHA1
dc8f5cecc56ee0e497c22d91f3acd87e1416e014

SHA256
524e66a16be2b09c344bb863033c83f5f9b482a5db1bca780e31e72394fb55a6

SHA512
d3b582a811f95d96a6e1b638de0ba9d46b0fc0bd43828310046d4a7f70d1ced839e2ce6db99f29eff369242ecaab110c848a6ffba28c5a1786f514e368787b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\2647.tmp\tazecik.exe

Filesize
45KB

MD5
2b57b0001db944d425d6e86e672be28d

SHA1
a2a6a49329e94ff65faa9894e2cc84422af86740

SHA256
2956ef6d934f757b1da830811d32efa510c8a9ac04dba12b5958f875fcae101b

SHA512
891429373df0d7571d79b9873bbf14a2e01890ab8e66f4f072c1cd651ca81b074d6f46213ac4f7f37738d64a5a60f9068a98c5210a6f8018f905bd124f88725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2647.tmp\tazecik.exe

Filesize
45KB

MD5
2b57b0001db944d425d6e86e672be28d

SHA1
a2a6a49329e94ff65faa9894e2cc84422af86740

SHA256
2956ef6d934f757b1da830811d32efa510c8a9ac04dba12b5958f875fcae101b

SHA512
891429373df0d7571d79b9873bbf14a2e01890ab8e66f4f072c1cd651ca81b074d6f46213ac4f7f37738d64a5a60f9068a98c5210a6f8018f905bd124f88725a

Download Submit
\Users\Admin\AppData\Local\Temp\2647.tmp\tazecik.exe

Filesize
45KB

MD5
2b57b0001db944d425d6e86e672be28d

SHA1
a2a6a49329e94ff65faa9894e2cc84422af86740

SHA256
2956ef6d934f757b1da830811d32efa510c8a9ac04dba12b5958f875fcae101b

SHA512
891429373df0d7571d79b9873bbf14a2e01890ab8e66f4f072c1cd651ca81b074d6f46213ac4f7f37738d64a5a60f9068a98c5210a6f8018f905bd124f88725a

Download Submit
memory/968-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/968-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/968-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1520-62-0x000007FEF3930000-0x000007FEF4353000-memory.dmp

Filesize
10.1MB

Download
memory/1520-64-0x000007FEF2890000-0x000007FEF3926000-memory.dmp

Filesize
16.6MB

Download
memory/1520-65-0x0000000001F26000-0x0000000001F45000-memory.dmp

Filesize
124KB

Download