Analysis
- max time kernel: 11s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 12:05

- Static task: static1
- Behavioral task: behavioral1
  Sample: Ziraat Bankasi Swift Mesaji.exe
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: Ziraat Bankasi Swift Mesaji.exe
  Resource: win10v20210410
General
- Target: Ziraat Bankasi Swift Mesaji.exe
- Size: 340KB
- MD5: a840d9d68a287bb0ee95efd5b1b5f31e
- SHA1: 4bcb7ec055dc73a6d0c14731c444da9a8def654c
- SHA256: 66e4907f25770f55833861cbb7309a916941c6d5bf9604944f0b84b57c9e9b11
- SHA512: f961f0938a715648bbf1aa0bf1a2ef49dc39557c6dbb700f8ee31e8a27ccdf7098a9ca8241c7c2b423e91193e34f329576a8c6d7a1ff0ded14d8f6d27a9d1d86
Malware Config
- Extracted: azorult
  http://smkn1cilegon.sch.id/huPI/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    4016  Ziraat Bankasi Swift Mesaji.exe
    4016  Ziraat Bankasi Swift Mesaji.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 4016 set thread context of 1612 | 4016 | Ziraat Bankasi Swift Mesaji.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
    4016  Ziraat Bankasi Swift Mesaji.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
    PID 4016 wrote to memory of 1612 | 4016 | Ziraat Bankasi Swift Mesaji.exe | MSBuild.exe
    PID 4016 wrote to memory of 1612 | 4016 | Ziraat Bankasi Swift Mesaji.exe | MSBuild.exe
    PID 4016 wrote to memory of 1612 | 4016 | Ziraat Bankasi Swift Mesaji.exe | MSBuild.exe
    PID 4016 wrote to memory of 1612 | 4016 | Ziraat Bankasi Swift Mesaji.exe | MSBuild.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nst1E4D.tmp\System.dll
  MD5: 56a321bd011112ec5d8a32b2f6fd3231
  SHA1: df20e3a35a1636de64df5290ae5e4e7572447f78
  SHA256: bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
  SHA512: 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3
- memory/1612-116-0x000000000041A684-mapping.dmp
- memory/1612-117-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB