Analysis
max time kernel: 19s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 05-04-2021 13:35
Behavioral task: behavioral1
Sample: Bu_senin_icin_Askm.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: Bu_senin_icin_Askm.exe
Size: 658KB
MD5: acfd80a424bc1cf1505baddbd8dc310d
SHA1: 4c9447e55fcafc784a31ec0ac20d033af3874a2a
SHA256: 0345e5e50f1138a5184d72d01477c71b294c0bb671abd729116c828b73721f00
SHA512: 7b8c18d3e4ef2d55c7a4f0306901042c242684551b9a1c86f038f60186da062111384c17221d50fb9b89b9b596a8e4640bb05305d5c66661e766dbc5fc81a5e4
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
description                            pid  process
Token: SeIncreaseQuotaPrivilege        492  Bu_senin_icin_Askm.exe
Token: SeSecurityPrivilege             492  Bu_senin_icin_Askm.exe
Token: SeTakeOwnershipPrivilege        492  Bu_senin_icin_Askm.exe
Token: SeLoadDriverPrivilege           492  Bu_senin_icin_Askm.exe
Token: SeSystemProfilePrivilege        492  Bu_senin_icin_Askm.exe
Token: SeSystemtimePrivilege           492  Bu_senin_icin_Askm.exe
Token: SeProfSingleProcessPrivilege    492  Bu_senin_icin_Askm.exe
Token: SeIncBasePriorityPrivilege      492  Bu_senin_icin_Askm.exe
Token: SeCreatePagefilePrivilege       492  Bu_senin_icin_Askm.exe
Token: SeBackupPrivilege               492  Bu_senin_icin_Askm.exe
Token: SeRestorePrivilege              492  Bu_senin_icin_Askm.exe
Token: SeShutdownPrivilege             492  Bu_senin_icin_Askm.exe
Token: SeDebugPrivilege                492  Bu_senin_icin_Askm.exe
Token: SeSystemEnvironmentPrivilege    492  Bu_senin_icin_Askm.exe
Token: SeChangeNotifyPrivilege         492  Bu_senin_icin_Askm.exe
Token: SeRemoteShutdownPrivilege       492  Bu_senin_icin_Askm.exe
Token: SeUndockPrivilege               492  Bu_senin_icin_Askm.exe
Token: SeManageVolumePrivilege         492  Bu_senin_icin_Askm.exe
Token: SeImpersonatePrivilege          492  Bu_senin_icin_Askm.exe
Token: SeCreateGlobalPrivilege         492  Bu_senin_icin_Askm.exe
Token: 33                              492  Bu_senin_icin_Askm.exe
Token: 34                              492  Bu_senin_icin_Askm.exe
Token: 35                              492  Bu_senin_icin_Askm.exe
Token: 36                              492  Bu_senin_icin_Askm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid  process
492  Bu_senin_icin_Askm.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
description                        pid  process                 target process
PID 492 wrote to memory of 3312    492  Bu_senin_icin_Askm.exe  iexplore.exe
PID 492 wrote to memory of 3312    492  Bu_senin_icin_Askm.exe  iexplore.exe
PID 492 wrote to memory of 3312    492  Bu_senin_icin_Askm.exe  iexplore.exe
PID 492 wrote to memory of 3300    492  Bu_senin_icin_Askm.exe  explorer.exe
PID 492 wrote to memory of 3300    492  Bu_senin_icin_Askm.exe  explorer.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Bu_senin_icin_Askm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bu_senin_icin_Askm.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/492-2-0x0000000002220000-0x0000000002221000-memory.dmp (Filesize: 4KB)