Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/02/2024, 23:01
Static task: static1
Behavioral task: behavioral1
  Sample: aa609c7363a8dd21471794ffb981051d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aa609c7363a8dd21471794ffb981051d.exe
  Resource: win10v2004-20240226-en
General
Target: aa609c7363a8dd21471794ffb981051d.exe
Size: 224KB
MD5: aa609c7363a8dd21471794ffb981051d
SHA1: 2b48265b4b705cd06d765084f254cb088cefbdd4
SHA256: 0f60e086a4cf0a293a52d601635c3899802817c03192f4cd61f7198f8b6bf58a
SHA512: 4c19e02d85b6fda1ff66e827028e8f0dc55147a5f5fed1de238bc6fa8488965e138c1d611c3b6b3b607258a5395e8bef38b231bde254cd6f2bff995b90e9f497
SSDEEP: 6144:qtkEoAM4iYQqA4PwYXXwRV4GmTH9dcMf6QFoYJZwYX:aPwYXXwRV4PBFoLYX
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tazebama.dl_

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tazebama.dl_

Executes dropped EXE (1 IoC)
  pid | process
  2340 | tazebama.dl_

Loads dropped DLL (3 IoCs)
  pid | process
  2012 | aa609c7363a8dd21471794ffb981051d.exe
  2012 | aa609c7363a8dd21471794ffb981051d.exe
  2012 | aa609c7363a8dd21471794ffb981051d.exe

Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (21 drive letters) | tazebama.dl_
  File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (21 drive letters) | aa609c7363a8dd21471794ffb981051d.exe

Drops autorun.inf file (1 TTP, 6 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | process
  File opened for modification | F:\autorun.inf | tazebama.dl_
  File opened for modification | F:\autorun.inf | aa609c7363a8dd21471794ffb981051d.exe
  File opened for modification | C:\autorun.inf | tazebama.dl_
  File opened for modification | C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf | tazebama.dl_
  File opened for modification | C:\autorun.inf | aa609c7363a8dd21471794ffb981051d.exe
  File opened for modification | C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf | aa609c7363a8dd21471794ffb981051d.exe

Drops file in Program Files directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE | tazebama.dl_
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE | aa609c7363a8dd21471794ffb981051d.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE | tazebama.dl_
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE | aa609c7363a8dd21471794ffb981051d.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE | tazebama.dl_
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE | aa609c7363a8dd21471794ffb981051d.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE | tazebama.dl_
  File opened for modification | C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE | aa609c7363a8dd21471794ffb981051d.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  2012 | aa609c7363a8dd21471794ffb981051d.exe
  2340 | tazebama.dl_

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | procid_target
  PID 2012 wrote to memory of 2340 | 2012 | aa609c7363a8dd21471794ffb981051d.exe | 28
  PID 2012 wrote to memory of 2340 | 2012 | aa609c7363a8dd21471794ffb981051d.exe | 28
  PID 2012 wrote to memory of 2340 | 2012 | aa609c7363a8dd21471794ffb981051d.exe | 28
  PID 2012 wrote to memory of 2340 | 2012 | aa609c7363a8dd21471794ffb981051d.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe (PID 2012)
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe"
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Documents and Settings\tazebama.dl_ (PID 2340, child of PID 2012)
      Command line: "C:\Documents and Settings\tazebama.dl_"
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads