22e473a7adb1bf3da0d6b900d5ec9f1b4a455bde122d31d6509b8d7b5bd9eab1

General

Target

kart bilgisi.exe
Size

21KB
MD5

0257e00e166306625f0e143cc40f73de
SHA1

d5117bcbb4759aad0b619c9aab45897148d90316
SHA256

22e473a7adb1bf3da0d6b900d5ec9f1b4a455bde122d31d6509b8d7b5bd9eab1
SHA512

0bd64f2ac63e5f2283e40a2c6b0b83f9b1e3300be6bda0a3904491e50d1f6c7b3ae9d9cdacaa0b82de29c14eaf396cd8060f1bb86520963105c6bd674c730654

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

kart bilgisi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kart bilgisi.exe\""	kart bilgisi.exe

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4164 created 3288	4164	WerFault.exe	kart bilgisi.exe
PID 4176 created 808	4176	WerFault.exe	kart bilgisi.exe
PID 4148 created 4200	4148	WerFault.exe	kart bilgisi.exe
PID 4168 created 2928	4168	WerFault.exe	kart bilgisi.exe

Drops startup file 2 IoCs

Processes:

kart bilgisi.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kart bilgisi.exe	kart bilgisi.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kart bilgisi.exe	kart bilgisi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kart bilgisi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kart bilgisi.exe"	kart bilgisi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\kart bilgisi.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kart bilgisi.exe"	kart bilgisi.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

kart bilgisi.exe

pid	process
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe
4640	kart bilgisi.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

kart bilgisi.exe

description	pid	process	target process
PID 4640 set thread context of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 set thread context of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 set thread context of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 set thread context of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 set thread context of 3288	4640	kart bilgisi.exe	kart bilgisi.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4148	4200	WerFault.exe	kart bilgisi.exe
4164	3288	WerFault.exe	kart bilgisi.exe
4168	2928	WerFault.exe	kart bilgisi.exe
4176	808	WerFault.exe	kart bilgisi.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

kart bilgisi.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4640	kart bilgisi.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4168	WerFault.exe
4164	WerFault.exe
4148	WerFault.exe
4176	WerFault.exe
4148	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe
4148	WerFault.exe
4176	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4176	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4176	WerFault.exe
4148	WerFault.exe
4176	WerFault.exe
4148	WerFault.exe
4148	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe
4176	WerFault.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

kart bilgisi.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4640	kart bilgisi.exe
Token: SeRestorePrivilege	4176	WerFault.exe
Token: SeBackupPrivilege	4176	WerFault.exe
Token: SeRestorePrivilege	4168	WerFault.exe
Token: SeBackupPrivilege	4168	WerFault.exe
Token: SeRestorePrivilege	4164	WerFault.exe
Token: SeBackupPrivilege	4164	WerFault.exe
Token: SeBackupPrivilege	4168	WerFault.exe
Token: SeRestorePrivilege	4148	WerFault.exe
Token: SeBackupPrivilege	4148	WerFault.exe
Token: SeDebugPrivilege	4164	WerFault.exe
Token: SeDebugPrivilege	4168	WerFault.exe
Token: SeDebugPrivilege	4148	WerFault.exe
Token: SeDebugPrivilege	4176	WerFault.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

kart bilgisi.exe

description	pid	process	target process
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3708	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 2928	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 4200	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 808	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe
PID 4640 wrote to memory of 3288	4640	kart bilgisi.exe	kart bilgisi.exe

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 508
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 508
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 508
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe
"C:\Users\Admin\AppData\Local\Temp\kart bilgisi.exe"
2⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 508
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A4B.tmp.WERInternalMetadata.xml
MD5
2e668a237e9e35ab52b3d7f70322d91a

SHA1
5b90d67b724f02e119f243615a4c2efe464b1e9c

SHA256
a121435e435b6155de6cce976dd2616a7cac07db5c1a5145dc0df8c32a3d515f

SHA512
69b08d0279879852ba70325f2f8dcf92bb616fa1d1e474cb87eca5d90bfdc006bb4d9f5e66e038f08f4eed3b93765c1b829e6b9168fa5cffe8562cdc138f2e2f

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A4B.tmp.WERInternalMetadata.xml
MD5
1357f0b82196d3029b839977f7330d6f

SHA1
0a360230b3983f8e6aa8cf80075b71321bc27f2c

SHA256
1ad9d4e889a01098a04dd2c4799f296dfa753ef1cce1d8eaf1a8d6b1876996af

SHA512
3b4f630c3b5efd9412560a30c2a47b5e8f19c416a2b394c3dc1d19c5b796c16019992414c507642d83bf49a21b31a601a33df68705027328f4919193f0614faa

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A5A.tmp.WERInternalMetadata.xml
MD5
133e1d57259574809183b3523f0225de

SHA1
143b4e5f7a3b59da28c440c03f67a9e2515cfbde

SHA256
85970866ca49a30e029ec989e5c689e4e3eb46f47f968d7af45f576e58c416d5

SHA512
389cf0e930cd64a89fc97ba64c42774496d5fa16e486ae77b027108f695b9f94366f36f331c66211281a8baf3a7cc22cb161d56b8d1306e17582743917a29af7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A5A.tmp.WERInternalMetadata.xml
MD5
52b8e189e947f6fc27fff4e9d5ed0097

SHA1
5a6d5f9395599de22bb3209893863ac206a23742

SHA256
e2d32a50036d9c1144c7902c101d4c0350af2fc1087613799194a7da9d886e3d

SHA512
d91a01e8083003d902e489c1b556fddf02b9b3681dca5fdd367e72bdf4882f1b0eacc099591d7928e89fa5385245604a2c10a5dfeda28c140f2c385c6e7a41bb

Download Submit
memory/808-18-0x00000000004172EC-mapping.dmp

Download
memory/2928-22-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2928-14-0x00000000004172EC-mapping.dmp

Download
memory/3288-20-0x00000000004172EC-mapping.dmp

Download
memory/3708-12-0x00000000004172EC-mapping.dmp

Download
memory/3708-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4148-29-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/4164-27-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/4168-30-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4176-28-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4200-16-0x00000000004172EC-mapping.dmp

Download
memory/4640-21-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/4640-10-0x00000000059F0000-0x0000000005A3B000-memory.dmp

Filesize
300KB

Download
memory/4640-9-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4640-2-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4640-8-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/4640-7-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4640-6-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/4640-5-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/4640-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads