Analysis
max time kernel: 150s
max time network: 53s
platform: windows10_x64
resource: win10v20210408
submitted: 15-05-2021 12:43
Static task: static1
Behavioral task: behavioral1
Sample: 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
Resource: win7v20210408
General
Target: 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
Size: 1.3MB
MD5: 48648aa5677354a1c0bfc88c129af92f
SHA1: ab1a6027c7d7f77f260455fd13bc4ef6ef0110a1
SHA256: 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5
SHA512: 572c33f8641b774a30eee507e4a47eaf11c54978f2780d978d2042ae6ca52183b40f21b61a00dbdb4ee7d3c34d5e808ce6cb33bf075d59e29f9ce838726d6c7f
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  3588  deneme 12 - Kopya.exe
  3896  deneme 12 - Kopya.exe
-
Drops file in System32 directory 6 IoCs
Processes:
  description                   | ioc                                                        | process
  File created                  | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259283828   | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
  File created                  | C:\Windows\SysWOW64\Injector + by Unpublished.exe          | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
  File opened for modification  | C:\Windows\SysWOW64\Injector + by Unpublished.exe          | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
  File created                  | C:\Windows\SysWOW64\deneme 12 - Kopya.exe                  | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
  File opened for modification  | C:\Windows\SysWOW64\deneme 12 - Kopya.exe                  | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
  File opened for modification  | C:\Windows\SysWOW64\deneme 12 - Kopya.exe                  | deneme 12 - Kopya.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                           | pid   | process                | target process
  PID 3588 set thread context of 3896   | 3588  | deneme 12 - Kopya.exe  | deneme 12 - Kopya.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes (all by pid 3896, deneme 12 - Kopya.exe):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid   process
  3588  deneme 12 - Kopya.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description                       | pid   | process                                                               | target process
  PID 2988 wrote to memory of 3588  | 2988  | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe  | deneme 12 - Kopya.exe
  PID 2988 wrote to memory of 3588  | 2988  | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe  | deneme 12 - Kopya.exe
  PID 2988 wrote to memory of 3588  | 2988  | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe  | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
  PID 3588 wrote to memory of 3896  | 3588  | deneme 12 - Kopya.exe                                                 | deneme 12 - Kopya.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe"
  PID: 2988
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\deneme 12 - Kopya.exe
    command line: "C:\Windows\System32\deneme 12 - Kopya.exe"
    PID: 3588
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\deneme 12 - Kopya.exe
      PID: 3896
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Windows\SysWOW64\deneme 12 - Kopya.exe
MD5: dfd73c773fb43e7a812c19e48d83ab21
SHA1: d083d1de7151d49ce8103a7e431dfe3cb0017635
SHA256: 426fc237ea38ea0ed1ed73da4ae192abe9d83895788b036a33704c499a56ed1c
SHA512: 61a4c3032b2c065db04769b3375d529dcbbe3bc7fb795d827b3d29240b160a1021474ef910124fe140a001a89185d99fa1d773cffeac1a211e1a8dcbcf82f72a
-
memory/3588-114-0x0000000000000000-mapping.dmp
-
memory/3588-122-0x0000000000400000-0x0000000000554000-memory.dmp (Filesize: 1.3MB)
-
memory/3896-119-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
-
memory/3896-120-0x000000000048E828-mapping.dmp
-
memory/3896-123-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
-
memory/3896-124-0x0000000000610000-0x000000000075A000-memory.dmp (Filesize: 1.3MB)