Overview

overview

10

Static

static

dfe31e6446...08.exe

windows7-x64

10

dfe31e6446...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe

  • Size

    224KB

  • MD5

    97d9b62252924a65c4c0c3e956737b27

  • SHA1

    033f602685338f18ae21d3d92450ba2c2251f274

  • SHA256

    dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08

  • SHA512

    3a5b0cda3a873e28b6959eab68c2b55e0a3d83ebcad3b24b45d4c60fbbdd73b31c4a4cbb91be0b8eec53e458161c7003ad271131d2f71f576c1c0af584243ff3

  • SSDEEP

    3072:YtkEoAWF4ZCD4OnYQqD84uiZSDMKdoWAx0NFZCSgMd3u43mb9gBBTsi:YtkEoAM4iYQqA4uoWJ8SgMd3u43mZg9

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe
    "C:\Users\Admin\AppData\Local\Temp\dfe31e64464595cefc7915a5dfbe700b434f3ecccf8033f913d0d87029efec08.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3884
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 752
        3⤵
        • Program crash
        PID:4196
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 760
      2⤵
      • Program crash
      PID:636
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2500 -ip 2500
    1⤵
      PID:2156
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884
      1⤵
        PID:2296

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\1.taz
        Filesize

        126B

        MD5

        163e20cbccefcdd42f46e43a94173c46

        SHA1

        4c7b5048e8608e2a75799e00ecf1bbb4773279ae

        SHA256

        7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

        SHA512

        e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

        Download Submit

      • C:\Documents and Settings\tazebama.dl_
        Filesize

        151KB

        MD5

        24792fbd97d58fff70274a94fa7cadec

        SHA1

        3253a5a2dd91e876ca7ecdb49992cba4d19cde8f

        SHA256

        62048ba5dd2c47edd8c5fb4b47631c13f7c6267e7c8efa86ef9dd1c575424ea4

        SHA512

        6aecad8045a829ace872a3469649518f642aeb1d1a1a60922607fdec112877c31c7e0721e8b095d4d7ecb6d918b0f289446203682c2c7dfbdde8939ec5b88c34

        Download Submit

      • C:\Users\tazebama.dl_
        Filesize

        151KB

        MD5

        24792fbd97d58fff70274a94fa7cadec

        SHA1

        3253a5a2dd91e876ca7ecdb49992cba4d19cde8f

        SHA256

        62048ba5dd2c47edd8c5fb4b47631c13f7c6267e7c8efa86ef9dd1c575424ea4

        SHA512

        6aecad8045a829ace872a3469649518f642aeb1d1a1a60922607fdec112877c31c7e0721e8b095d4d7ecb6d918b0f289446203682c2c7dfbdde8939ec5b88c34

        Download Submit

      • C:\Users\tazebama.dll
        Filesize

        32KB

        MD5

        b6a03576e595afacb37ada2f1d5a0529

        SHA1

        d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

        SHA256

        1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

        SHA512

        181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

        Download Submit

      • C:\zPharaoh.exe
        Filesize

        71KB

        MD5

        e8e869097f9a2609a25ddf6344ce1aab

        SHA1

        3deeeb230a066937c5c87329fc8479e844195b98

        SHA256

        639f4f79c2555b5642b1ddc46d1dc875eded0dea890ae4c484391f143d7254b8

        SHA512

        fd5f018b5f5a47d6ae5df3cc4b06a3e90f510a36266a4abbc39e08c9f944b6788f2caa85e2c9a5c4d3346db4d1f9cbd5873f370b0f92a1ee52e9bc1fec04df5d

        Download Submit

      • C:\zPharaoh.exe
        Filesize

        71KB

        MD5

        e8e869097f9a2609a25ddf6344ce1aab

        SHA1

        3deeeb230a066937c5c87329fc8479e844195b98

        SHA256

        639f4f79c2555b5642b1ddc46d1dc875eded0dea890ae4c484391f143d7254b8

        SHA512

        fd5f018b5f5a47d6ae5df3cc4b06a3e90f510a36266a4abbc39e08c9f944b6788f2caa85e2c9a5c4d3346db4d1f9cbd5873f370b0f92a1ee52e9bc1fec04df5d

        Download Submit

      • C:\zPharaoh.exe
        Filesize

        157KB

        MD5

        42f7534e38d30c56bf23d042772a4156

        SHA1

        fe1ccd562279e1826f63a85a8001dad3b3ad53cf

        SHA256

        16aea7284a213e506db2ec090dd04d1749f89fd6f4fa518520e555fb3c1e435e

        SHA512

        b98b6e961c62db0bb3225158d62ef7d3c7b84e353fd8b2b500f543592d2bebf88f9b11df4d3585704f4a8483e7b376ed564617aae40622c45feac591c96e81bf

        Download Submit

      • C:\zPharaoh.exe
        Filesize

        157KB

        MD5

        42f7534e38d30c56bf23d042772a4156

        SHA1

        fe1ccd562279e1826f63a85a8001dad3b3ad53cf

        SHA256

        16aea7284a213e506db2ec090dd04d1749f89fd6f4fa518520e555fb3c1e435e

        SHA512

        b98b6e961c62db0bb3225158d62ef7d3c7b84e353fd8b2b500f543592d2bebf88f9b11df4d3585704f4a8483e7b376ed564617aae40622c45feac591c96e81bf

        Download Submit

      • C:\zPharaoh.exe
        Filesize

        157KB

        MD5

        42f7534e38d30c56bf23d042772a4156

        SHA1

        fe1ccd562279e1826f63a85a8001dad3b3ad53cf

        SHA256

        16aea7284a213e506db2ec090dd04d1749f89fd6f4fa518520e555fb3c1e435e

        SHA512

        b98b6e961c62db0bb3225158d62ef7d3c7b84e353fd8b2b500f543592d2bebf88f9b11df4d3585704f4a8483e7b376ed564617aae40622c45feac591c96e81bf

        Download Submit

      • memory/2500-137-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2500-132-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2500-145-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3884-138-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3884-146-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download