Malware Analysis Report

2025-04-14 05:13

Sample ID 201213-q417tg2gb2
Target hesap hareketleriniz.bin
SHA256 4aceb37332d3353fcfdc0fa6cdcf21ca3f675689d69ad84dd0e397f6ffa57cbd
Tags
masslogger persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4aceb37332d3353fcfdc0fa6cdcf21ca3f675689d69ad84dd0e397f6ffa57cbd

Threat Level: Known bad

The file hesap hareketleriniz.bin was found to be: Known bad.

Malicious Activity Summary

masslogger persistence spyware stealer

MassLogger Main Payload

MassLogger

Modifies WinLogon for persistence

Drops startup file

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-12-13 11:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-12-13 11:39

Reported

2020-12-13 11:41

Platform

win7v20201028

Max time kernel

35s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe\"" | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe" | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\hesap hareketleriniz.bin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe" | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1740 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1740 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1964 wrote to memory of 1832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1964 wrote to memory of 1832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1964 wrote to memory of 1832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1740 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1484 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1484 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe

"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 4.699

C:\Windows\SysWOW64\timeout.exe

timeout 4.699

C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe

"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe'

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | hastebin.com | udp
N/A | 104.24.126.89:443 | hastebin.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 54.243.119.179:80 | api.ipify.org | tcp
N/A | 8.8.8.8:53 | mail.porathacorp.com | udp
N/A | 103.6.196.138:587 | mail.porathacorp.com | tcp
N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf

Analysis: behavioral2

Detonation Overview

Submitted

2020-12-13 11:39

Reported

2020-12-13 11:41

Platform

win10v20201028

Max time kernel

26s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe\"" | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\hesap hareketleriniz.bin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe" | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hesap hareketleriniz.bin.exe" | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 640 set thread context of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 640 wrote to memory of 508 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 508 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\cmd.exe
PID 640 wrote to memory of 508 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\cmd.exe
PID 508 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 508 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 508 wrote to memory of 2620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 640 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe
PID 1160 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1160 wrote to memory of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe

"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 4.699

C:\Windows\SysWOW64\timeout.exe

timeout 4.699

C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe

"C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\hesap hareketleriniz.bin.exe'

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | hastebin.com | udp
N/A | 172.67.143.180:443 | hastebin.com | tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesap hareketleriniz.bin.exe.log
