Analysis
-
max time kernel
92s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 00:10
Static task
static1
Behavioral task
behavioral1
Sample
dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe
Resource
win10v2004-20220812-en
General
-
Target
dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe
-
Size
224KB
-
MD5
97d9b62252924a65c4c0c3e956737b27
-
SHA1
033f602685338f18ae21d3d92450ba2c2251f274
-
SHA256
dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08
-
SHA512
3a5b0cda3a873e28b6959eab68c2b55e0a3d83ebcad3b24b45d4c60fbbdd73b31c4a4cbb91be0b8eec53e458161c7003ad271131d2f71f576c1c0af584243ff3
-
SSDEEP
3072:YtkEoAWF4ZCD4OnYQqD84uiZSDMKdoWAx0NFZCSgMd3u43mb9gBBTsi:YtkEoAM4iYQqA4uoWJ8SgMd3u43mZg9
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe -
Executes dropped EXE 1 IoCs
pid Process 3884 tazebama.dl_ -
Loads dropped DLL 1 IoCs
pid Process 2500 dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run tazebama.dl_ -
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: tazebama.dl_ File opened (read-only) \??\V: tazebama.dl_ File opened (read-only) \??\H: tazebama.dl_ File opened (read-only) \??\W: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\H: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\Q: tazebama.dl_ File opened (read-only) \??\J: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\Q: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\M: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\F: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\N: tazebama.dl_ File opened (read-only) \??\J: tazebama.dl_ File opened (read-only) \??\F: tazebama.dl_ File opened (read-only) \??\U: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\S: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\V: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\P: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\O: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\L: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\T: tazebama.dl_ File opened (read-only) \??\R: tazebama.dl_ File opened (read-only) \??\E: tazebama.dl_ File opened (read-only) \??\X: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\R: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\N: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\X: tazebama.dl_ File opened (read-only) \??\W: tazebama.dl_ File opened (read-only) \??\U: tazebama.dl_ File opened (read-only) \??\P: tazebama.dl_ File opened (read-only) \??\O: tazebama.dl_ File opened (read-only) \??\Y: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\I: tazebama.dl_ File opened (read-only) \??\M: tazebama.dl_ File opened (read-only) \??\G: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\Y: tazebama.dl_ File opened (read-only) \??\L: tazebama.dl_ File opened (read-only) \??\G: tazebama.dl_ File opened (read-only) \??\Z: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\K: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\I: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\E: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened (read-only) \??\S: tazebama.dl_ File opened (read-only) \??\K: tazebama.dl_ File opened (read-only) \??\T: dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf tazebama.dl_ File opened for modification C:\autorun.inf dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened for modification C:\autorun.inf tazebama.dl_ File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe File opened for modification C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE tazebama.dl_ -
Program crash 2 IoCs
pid pid_target Process procid_target 636 2500 WerFault.exe 79 4196 3884 WerFault.exe 80 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3884 tazebama.dl_ 2500 dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe 2500 dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe 3884 tazebama.dl_ -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2500 wrote to memory of 3884 2500 dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe 80 PID 2500 wrote to memory of 3884 2500 dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe 80 PID 2500 wrote to memory of 3884 2500 dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe"C:\Users\Admin\AppData\Local\Temp\dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Documents and Settings\tazebama.dl_"C:\Documents and Settings\tazebama.dl_"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3884 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 7523⤵
- Program crash
PID:4196
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 7602⤵
- Program crash
PID:636
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2500 -ip 25001⤵PID:2156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 38841⤵PID:2296
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
126B
MD5163e20cbccefcdd42f46e43a94173c46
SHA14c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA2567780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8
-
Filesize
151KB
MD524792fbd97d58fff70274a94fa7cadec
SHA13253a5a2dd91e876ca7ecdb49992cba4d19cde8f
SHA25662048ba5dd2c47edd8c5fb4b47631c13f7c6267e7c8efa86ef9dd1c575424ea4
SHA5126aecad8045a829ace872a3469649518f642aeb1d1a1a60922607fdec112877c31c7e0721e8b095d4d7ecb6d918b0f289446203682c2c7dfbdde8939ec5b88c34
-
Filesize
151KB
MD524792fbd97d58fff70274a94fa7cadec
SHA13253a5a2dd91e876ca7ecdb49992cba4d19cde8f
SHA25662048ba5dd2c47edd8c5fb4b47631c13f7c6267e7c8efa86ef9dd1c575424ea4
SHA5126aecad8045a829ace872a3469649518f642aeb1d1a1a60922607fdec112877c31c7e0721e8b095d4d7ecb6d918b0f289446203682c2c7dfbdde8939ec5b88c34
-
Filesize
32KB
MD5b6a03576e595afacb37ada2f1d5a0529
SHA1d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
SHA2561707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
SHA512181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c
-
Filesize
71KB
MD5e8e869097f9a2609a25ddf6344ce1aab
SHA13deeeb230a066937c5c87329fc8479e844195b98
SHA256639f4f79c2555b5642b1ddc46d1dc875eded0dea890ae4c484391f143d7254b8
SHA512fd5f018b5f5a47d6ae5df3cc4b06a3e90f510a36266a4abbc39e08c9f944b6788f2caa85e2c9a5c4d3346db4d1f9cbd5873f370b0f92a1ee52e9bc1fec04df5d
-
Filesize
71KB
MD5e8e869097f9a2609a25ddf6344ce1aab
SHA13deeeb230a066937c5c87329fc8479e844195b98
SHA256639f4f79c2555b5642b1ddc46d1dc875eded0dea890ae4c484391f143d7254b8
SHA512fd5f018b5f5a47d6ae5df3cc4b06a3e90f510a36266a4abbc39e08c9f944b6788f2caa85e2c9a5c4d3346db4d1f9cbd5873f370b0f92a1ee52e9bc1fec04df5d
-
Filesize
157KB
MD542f7534e38d30c56bf23d042772a4156
SHA1fe1ccd562279e1826f63a85a8001dad3b3ad53cf
SHA25616aea7284a213e506db2ec090dd04d1749f89fd6f4fa518520e555fb3c1e435e
SHA512b98b6e961c62db0bb3225158d62ef7d3c7b84e353fd8b2b500f543592d2bebf88f9b11df4d3585704f4a8483e7b376ed564617aae40622c45feac591c96e81bf
-
Filesize
157KB
MD542f7534e38d30c56bf23d042772a4156
SHA1fe1ccd562279e1826f63a85a8001dad3b3ad53cf
SHA25616aea7284a213e506db2ec090dd04d1749f89fd6f4fa518520e555fb3c1e435e
SHA512b98b6e961c62db0bb3225158d62ef7d3c7b84e353fd8b2b500f543592d2bebf88f9b11df4d3585704f4a8483e7b376ed564617aae40622c45feac591c96e81bf
-
Filesize
157KB
MD542f7534e38d30c56bf23d042772a4156
SHA1fe1ccd562279e1826f63a85a8001dad3b3ad53cf
SHA25616aea7284a213e506db2ec090dd04d1749f89fd6f4fa518520e555fb3c1e435e
SHA512b98b6e961c62db0bb3225158d62ef7d3c7b84e353fd8b2b500f543592d2bebf88f9b11df4d3585704f4a8483e7b376ed564617aae40622c45feac591c96e81bf