0f60e086a4cf0a293a52d601635c3899802817c03192f4cd61f7198f8b6bf58a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa609c7363a8dd21471794ffb981051d.exe
Size

224KB
MD5

aa609c7363a8dd21471794ffb981051d
SHA1

2b48265b4b705cd06d765084f254cb088cefbdd4
SHA256

0f60e086a4cf0a293a52d601635c3899802817c03192f4cd61f7198f8b6bf58a
SHA512

4c19e02d85b6fda1ff66e827028e8f0dc55147a5f5fed1de238bc6fa8488965e138c1d611c3b6b3b607258a5395e8bef38b231bde254cd6f2bff995b90e9f497
SSDEEP

6144:qtkEoAM4iYQqA4PwYXXwRV4GmTH9dcMf6QFoYJZwYX:aPwYXXwRV4PBFoLYX

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tazebama.dl_

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tazebama.dl_

Executes dropped EXE 1 IoCs

pid	Process
2340	tazebama.dl_

Loads dropped DLL 3 IoCs

pid	Process
2012	aa609c7363a8dd21471794ffb981051d.exe
2012	aa609c7363a8dd21471794ffb981051d.exe
2012	aa609c7363a8dd21471794ffb981051d.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	tazebama.dl_
File opened (read-only)	\??\U:	tazebama.dl_
File opened (read-only)	\??\S:	tazebama.dl_
File opened (read-only)	\??\N:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\E:	tazebama.dl_
File opened (read-only)	\??\H:	tazebama.dl_
File opened (read-only)	\??\Y:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\U:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\T:	tazebama.dl_
File opened (read-only)	\??\N:	tazebama.dl_
File opened (read-only)	\??\M:	tazebama.dl_
File opened (read-only)	\??\L:	tazebama.dl_
File opened (read-only)	\??\K:	tazebama.dl_
File opened (read-only)	\??\L:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\I:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\H:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\E:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\I:	tazebama.dl_
File opened (read-only)	\??\G:	tazebama.dl_
File opened (read-only)	\??\W:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\P:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\M:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\K:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\G:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\R:	tazebama.dl_
File opened (read-only)	\??\O:	tazebama.dl_
File opened (read-only)	\??\T:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\O:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\J:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\Y:	tazebama.dl_
File opened (read-only)	\??\V:	tazebama.dl_
File opened (read-only)	\??\Q:	tazebama.dl_
File opened (read-only)	\??\V:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\Q:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\S:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\R:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\X:	aa609c7363a8dd21471794ffb981051d.exe
File opened (read-only)	\??\Z:	tazebama.dl_
File opened (read-only)	\??\W:	tazebama.dl_
File opened (read-only)	\??\P:	tazebama.dl_
File opened (read-only)	\??\J:	tazebama.dl_
File opened (read-only)	\??\Z:	aa609c7363a8dd21471794ffb981051d.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	tazebama.dl_
File opened for modification	F:\autorun.inf	aa609c7363a8dd21471794ffb981051d.exe
File opened for modification	C:\autorun.inf	tazebama.dl_
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	tazebama.dl_
File opened for modification	C:\autorun.inf	aa609c7363a8dd21471794ffb981051d.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	aa609c7363a8dd21471794ffb981051d.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	aa609c7363a8dd21471794ffb981051d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE	aa609c7363a8dd21471794ffb981051d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE	aa609c7363a8dd21471794ffb981051d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	tazebama.dl_
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	aa609c7363a8dd21471794ffb981051d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2012	aa609c7363a8dd21471794ffb981051d.exe
2340	tazebama.dl_

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2340	2012	aa609c7363a8dd21471794ffb981051d.exe	28
PID 2012 wrote to memory of 2340	2012	aa609c7363a8dd21471794ffb981051d.exe	28
PID 2012 wrote to memory of 2340	2012	aa609c7363a8dd21471794ffb981051d.exe	28
PID 2012 wrote to memory of 2340	2012	aa609c7363a8dd21471794ffb981051d.exe	28

C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe
"C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Documents and Settings\tazebama.dl_
  "C:\Documents and Settings\tazebama.dl_"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE

Filesize
13.5MB

MD5
b69afe0155dd8a64abec03a34130ccb0

SHA1
560cee136c6ddc2f9b7a603adaa5497001340c62

SHA256
b6425d3b101fff71072e98c25740cd9ebdf670752f2450fe89c08e0342cd3d1a

SHA512
48a76c8d96ef33a799b0443acff60ef9fdbb5532c48112d37294f22e3549223fad0af19e4b4346bc030e8b12ab6bafe00f423f8e534777b2737c7c9855c80d20

Download Submit
C:\zPharaoh.exe

Filesize
151KB

MD5
f1fc7c570c0dccdbaa370ab09d4e8fa4

SHA1
7d4b54230a957d8312965b65230e7378a7985664

SHA256
84fa174dd842c108df3b99433b3373c6c8b38c9e64aba42825e6d8e88390b1ca

SHA512
b2bf25050d052cf387db5d6bf9ed52ff9b6fcb59e5c530b4bca461815ca5e727e483a0a9a58d484607ad38dcbfae15dfa8a9025dd8fd4ce59be71f2c339119ed

Download Submit
F:\1.taz

Filesize
126B

MD5
163e20cbccefcdd42f46e43a94173c46

SHA1
4c7b5048e8608e2a75799e00ecf1bbb4773279ae

SHA256
7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

SHA512
e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

Download Submit
F:\zPharaoh.exe

Filesize
152KB

MD5
9d72b3f930ab02f838b793fb60cf4ab1

SHA1
87c517099dfe815f234d99bb7180ff201df3665a

SHA256
2432b45f00e4524c8bcc1ed8d996abe5fc048fda350908e442850c1946bc624a

SHA512
277061e78adb98526dd91005c48882d2769dd3ebb21b84dd990485f391b74016702326dbbb5a3f08756444216b97478b62442d8c58527d2e84990272d6fdbae1

Download Submit
\Users\tazebama.dl_

Filesize
151KB

MD5
2aa33237570a03fef7faedabc43e3ae4

SHA1
97c07c7aa476b1986c5fe9a343bb7215727bb565

SHA256
e96a77d58b74c1964327481e7c1f4d126d2d345039adb4f86c073dc74dcdcbb0

SHA512
82c2d660ee8287435ebfd21938b54321c0c36fa357372f25addf32a3b926d7e4b5a5490d62286ef761b732c04857618a968cd1c74a17046fcbdec5e386f5886a

Download Submit
\Users\tazebama.dll

Filesize
32KB

MD5
b6a03576e595afacb37ada2f1d5a0529

SHA1
d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

SHA256
1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

SHA512
181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

Download Submit
memory/2012-11-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2012-47-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2012-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2340-49-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2340-55-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download