Analysis
max time kernel: 155s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2024, 09:18
Static task: static1
Behavioral task: behavioral1
  Sample: 4b0b2e5e25aefcf2a018bb58ce6f4a4e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4b0b2e5e25aefcf2a018bb58ce6f4a4e.exe
  Resource: win10v2004-20231215-en
General
Target: 4b0b2e5e25aefcf2a018bb58ce6f4a4e.exe
Size: 285KB
MD5: 4b0b2e5e25aefcf2a018bb58ce6f4a4e
SHA1: d30d427278cbef519f124f5869855e049ad998cc
SHA256: 25a3d3859e33ba20bf5ce977c29c6a1aa33320de88b1e41e2e6235f3c764bb6f
SHA512: 521b87246f39df6d05aa272c8c6d552fa0612730545eae66185b38daae668078d6f5ec28d563ba19f3e427d3dec39fb0797f47c9955000cab9d575e95514164a
SSDEEP: 6144:KcnKjO4Cq9i3CmC0x5ASpwf7BFRf3axVbkHVj:dKjyqU3W0DCf7BFR/Pl
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  process: tazebama.dl_

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: tazebama.dl_

Executes dropped EXE (1 IoC)
  pid 3060, process tazebama.dl_

Loads dropped DLL (3 IoCs)
  pid 2972, process 4b0b2e5e25aefcf2a018bb58ce6f4a4e.exe (three identical entries)

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only), process tazebama.dl_
  ioc: \??\T:, \??\S:, \??\R:, \??\N:, \??\M:, \??\H:, \??\G:, \??\Z:, \??\U:, \??\O:, \??\I:, \??\Y:, \??\V:, \??\P:, \??\L:, \??\E:, \??\X:, \??\W:, \??\Q:, \??\K:, \??\J:

Drops autorun.inf file (1 TTP, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description: File opened for modification, process tazebama.dl_
  ioc: C:\autorun.inf
  ioc: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
  ioc: F:\autorun.inf

Drops file in Program Files directory (5 IoCs)
  description: File opened for modification, process tazebama.dl_
  ioc: C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE
  ioc: C:\PROGRAM FILES\JAVA\JDK1.7.0_80\BIN\JVISUALVM.EXE
  ioc: C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE
  ioc: C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE
  ioc: C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 3060, process tazebama.dl_

Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2972 wrote to memory of 3060
  pid 2972, process 4b0b2e5e25aefcf2a018bb58ce6f4a4e.exe, procid_target 27 (four identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\4b0b2e5e25aefcf2a018bb58ce6f4a4e.exe (PID 2972, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4b0b2e5e25aefcf2a018bb58ce6f4a4e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Documents and Settings\tazebama.dl_ (PID 3060, depth 2, child of PID 2972)
    command line: "C:\Documents and Settings\tazebama.dl_"
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads