Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/02/2024, 23:01
Static task: static1
Behavioral task: behavioral1
- Sample: aa609c7363a8dd21471794ffb981051d.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: aa609c7363a8dd21471794ffb981051d.exe
- Resource: win10v2004-20240226-en
General
- Target: aa609c7363a8dd21471794ffb981051d.exe
- Size: 224KB
- MD5: aa609c7363a8dd21471794ffb981051d
- SHA1: 2b48265b4b705cd06d765084f254cb088cefbdd4
- SHA256: 0f60e086a4cf0a293a52d601635c3899802817c03192f4cd61f7198f8b6bf58a
- SHA512: 4c19e02d85b6fda1ff66e827028e8f0dc55147a5f5fed1de238bc6fa8488965e138c1d611c3b6b3b607258a5395e8bef38b231bde254cd6f2bff995b90e9f497
- SSDEEP: 6144:qtkEoAM4iYQqA4PwYXXwRV4GmTH9dcMf6QFoYJZwYX:aPwYXXwRV4PBFoLYX
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  process: tazebama.dl_
- Executes dropped EXE (1 IoC)
  pid 5092, process tazebama.dl_
- Loads dropped DLL (1 IoC)
  pid 1164, process aa609c7363a8dd21471794ffb981051d.exe
- Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file (1 TTP, 6 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  - File opened for modification F:\autorun.inf (tazebama.dl_)
  - File opened for modification F:\autorun.inf (aa609c7363a8dd21471794ffb981051d.exe)
  - File opened for modification C:\autorun.inf (aa609c7363a8dd21471794ffb981051d.exe)
  - File opened for modification C:\autorun.inf (tazebama.dl_)
  - File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf (tazebama.dl_)
  - File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf (aa609c7363a8dd21471794ffb981051d.exe)
- Drops file in Program Files directory (1 IoC)
  - File opened for modification C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE (aa609c7363a8dd21471794ffb981051d.exe)
- Program crash (2 IoCs)
  - pid 4740, pid_target 1164, process WerFault.exe, procid_target 85
  - pid 4752, pid_target 5092, process WerFault.exe, procid_target 86
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - pid 1164, process aa609c7363a8dd21471794ffb981051d.exe
  - pid 1164, process aa609c7363a8dd21471794ffb981051d.exe
  - pid 5092, process tazebama.dl_
  - pid 5092, process tazebama.dl_
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 1164 wrote to memory of 5092; pid 1164, process aa609c7363a8dd21471794ffb981051d.exe, procid_target 86
  - PID 1164 wrote to memory of 5092; pid 1164, process aa609c7363a8dd21471794ffb981051d.exe, procid_target 86
  - PID 1164 wrote to memory of 5092; pid 1164, process aa609c7363a8dd21471794ffb981051d.exe, procid_target 86
Processes
- C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe"
  PID: 1164
  signatures: Loads dropped DLL; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Documents and Settings\tazebama.dl_
    command line: "C:\Documents and Settings\tazebama.dl_"
    PID: 5092
    signatures: Modifies visibility of file extensions in Explorer; Executes dropped EXE; Enumerates connected drives; Drops autorun.inf file; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 744
      PID: 4752
      signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 772
    PID: 4740
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5092 -ip 5092
  PID: 2856
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1164 -ip 1164
  PID: 1172
Network
MITRE ATT&CK Enterprise v15
Downloads