
Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27/02/2024, 23:01

General

  • Target

    aa609c7363a8dd21471794ffb981051d.exe

  • Size

    224KB

  • MD5

    aa609c7363a8dd21471794ffb981051d

  • SHA1

    2b48265b4b705cd06d765084f254cb088cefbdd4

  • SHA256

    0f60e086a4cf0a293a52d601635c3899802817c03192f4cd61f7198f8b6bf58a

  • SHA512

    4c19e02d85b6fda1ff66e827028e8f0dc55147a5f5fed1de238bc6fa8488965e138c1d611c3b6b3b607258a5395e8bef38b231bde254cd6f2bff995b90e9f497

  • SSDEEP

    6144:qtkEoAM4iYQqA4PwYXXwRV4GmTH9dcMf6QFoYJZwYX:aPwYXXwRV4PBFoLYX

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 6 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe
    "C:\Users\Admin\AppData\Local\Temp\aa609c7363a8dd21471794ffb981051d.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Suspicious behavior: EnumeratesProcesses
      PID:5092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 744
        3⤵
        • Program crash
        PID:4752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 772
      2⤵
      • Program crash
      PID:4740
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5092 -ip 5092
    1⤵
    PID:2856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1164 -ip 1164
    1⤵
    PID:1172

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE

        Filesize

        2.6MB

        MD5

        b2f6eb7d24e5c616c7e719938798faee

        SHA1

        be0929c8dc5e1b8b87ac85f514ee5dd14f20f0ea

        SHA256

        558df9e93c5c64e808af697a2916b57d71bc6bd8b12248414c145e53914f9c11

        SHA512

        667bb1c0c42ff50cc9c16e1a947c61722fe5ca477e02fcf07d585394920709596ee066622a70441847cb6326e7125371f4b35e49d47edbcb31daf11f63c638d8

      • C:\Users\tazebama.dl_

        Filesize

        151KB

        MD5

        2aa33237570a03fef7faedabc43e3ae4

        SHA1

        97c07c7aa476b1986c5fe9a343bb7215727bb565

        SHA256

        e96a77d58b74c1964327481e7c1f4d126d2d345039adb4f86c073dc74dcdcbb0

        SHA512

        82c2d660ee8287435ebfd21938b54321c0c36fa357372f25addf32a3b926d7e4b5a5490d62286ef761b732c04857618a968cd1c74a17046fcbdec5e386f5886a

      • C:\Users\tazebama.dll

        Filesize

        32KB

        MD5

        b6a03576e595afacb37ada2f1d5a0529

        SHA1

        d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

        SHA256

        1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

        SHA512

        181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

      • C:\zPharaoh.exe

        Filesize

        71KB

        MD5

        06e00660f58e611ea3dbdd8efb7ce1b2

        SHA1

        a5eef68368db99e36cfd88ed92a78f8599ee60cb

        SHA256

        fa146aea7325d82a04815027afb08131cbb1a7cb225a4a582c0d599c53865162

        SHA512

        dce65f6d68ee6fc59b6b55a2ed09507cc27ba8e976e83121d396113887d45f77a4f10b79359e6633cb8bbf6c6c1bed17fbc78fe4c749c2a774e75e7c15c413a3

      • F:\1.taz

        Filesize

        126B

        MD5

        163e20cbccefcdd42f46e43a94173c46

        SHA1

        4c7b5048e8608e2a75799e00ecf1bbb4773279ae

        SHA256

        7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

        SHA512

        e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

      • F:\zPharaoh.exe

        Filesize

        232KB

        MD5

        8fce0459de0fd589aa1b0e4fb1f70b16

        SHA1

        6edfcf2c62dfd3712c16b62fbcca38e91b581cd8

        SHA256

        48fa297fd86a1b742aac2b7964e64bb06f4e02eee5944f21ff56a6ac21da7279

        SHA512

        8d2e0546d20f38a15c3b4279fc534986105bc6e677e1b714f40f5aec76a696c01713db54d6d5a38a524fdd2506f2d7b93d5a4e35d2a1d983106049f041162c92

      • memory/1164-0-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

      • memory/1164-11-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

      • memory/1164-42-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

      • memory/5092-9-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

      • memory/5092-43-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB