22e473a7adb1bf3da0d6b900d5ec9f1b4a455bde122d31d6509b8d7b5bd9eab1

General

Target

kart bilgisi.exe
Size

21KB
MD5

0257e00e166306625f0e143cc40f73de
SHA1

d5117bcbb4759aad0b619c9aab45897148d90316
SHA256

22e473a7adb1bf3da0d6b900d5ec9f1b4a455bde122d31d6509b8d7b5bd9eab1
SHA512

0bd64f2ac63e5f2283e40a2c6b0b83f9b1e3300be6bda0a3904491e50d1f6c7b3ae9d9cdacaa0b82de29c14eaf396cd8060f1bb86520963105c6bd674c730654

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

kart bilgisi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kart bilgisi.exe\""	kart bilgisi.exe

Drops startup file 2 IoCs

Processes:

kart bilgisi.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kart bilgisi.exe	kart bilgisi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kart bilgisi.exe	kart bilgisi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kart bilgisi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kart bilgisi.exe"	kart bilgisi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\kart bilgisi.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kart bilgisi.exe"	kart bilgisi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

kart bilgisi.exe

pid	process
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe
1676	kart bilgisi.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

kart bilgisi.exe

description	pid	process	target process
PID 1676 set thread context of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 set thread context of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 set thread context of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 set thread context of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 set thread context of 980	1676	kart bilgisi.exe	kart bilgisi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

kart bilgisi.exe

pid process

1676 kart bilgisi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kart bilgisi.exe

description pid process

Token: SeDebugPrivilege 1676 kart bilgisi.exe

description	pid	process
Token: SeDebugPrivilege	1676	kart bilgisi.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

kart bilgisi.exe

description	pid	process	target process
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1592	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1652	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 792	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 1072	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe
PID 1676 wrote to memory of 980	1676	kart bilgisi.exe	kart bilgisi.exe

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-14-0x00000000004172EC-mapping.dmp

Download
memory/980-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/980-20-0x00000000004172EC-mapping.dmp

Download
memory/1072-17-0x00000000004172EC-mapping.dmp

Download
memory/1592-9-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1592-8-0x00000000004172EC-mapping.dmp

Download
memory/1592-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1652-11-0x00000000004172EC-mapping.dmp

Download
memory/1676-2-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-6-0x0000000000530000-0x000000000057B000-memory.dmp

Filesize
300KB

Download
memory/1676-5-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1676-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1676-22-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads