7b7eb8b4b865a8d4a7fbfc54aee13159659e8354f49c8b2bec56e139bd80209e

General

Target

Hesap hareketleriniz.exe
Size

1.2MB
MD5

a11cb2b444cb1a165e23fc97fe1304cb
SHA1

65dbfdd4da931bd749f99b5a3c766baa61012e6c
SHA256

0329eea7ab274894de8d7f91105cdea35e86e45e73c9c4411c5fae7cd564832c
SHA512

3f217cac3d11bf3c4ef5e5df824ee0fe25b7f20b549e16c046211cc16914c51480397b1923db65cbe03beeec2e56c55a57602dc1fb05f79bbb021a0107621bd1

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eee.vbs notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Hesap hareketleriniz.exe

description pid process target process

PID 3180 set thread context of 2232 3180 Hesap hareketleriniz.exe Hesap hareketleriniz.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Hesap hareketleriniz.exepowershell.exe

pid process

3180 Hesap hareketleriniz.exe
3180 Hesap hareketleriniz.exe
4460 powershell.exe
4460 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Hesap hareketleriniz.exe

pid process

3180 Hesap hareketleriniz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4460 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eee.vbs	notepad.exe

description	pid	process	target process
PID 3180 set thread context of 2232	3180	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe

pid	process
3180	Hesap hareketleriniz.exe
3180	Hesap hareketleriniz.exe
4460	powershell.exe
4460	powershell.exe

pid	process
3180	Hesap hareketleriniz.exe

description	pid	process
Token: SeDebugPrivilege	4460	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Hesap hareketleriniz.exeHesap hareketleriniz.execmd.exe

description	pid	process	target process
PID 3180 wrote to memory of 4920	3180	Hesap hareketleriniz.exe	notepad.exe
PID 3180 wrote to memory of 4920	3180	Hesap hareketleriniz.exe	notepad.exe
PID 3180 wrote to memory of 4920	3180	Hesap hareketleriniz.exe	notepad.exe
PID 3180 wrote to memory of 4920	3180	Hesap hareketleriniz.exe	notepad.exe
PID 3180 wrote to memory of 4920	3180	Hesap hareketleriniz.exe	notepad.exe
PID 3180 wrote to memory of 2232	3180	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 3180 wrote to memory of 2232	3180	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 3180 wrote to memory of 2232	3180	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 2232 wrote to memory of 4556	2232	Hesap hareketleriniz.exe	cmd.exe
PID 2232 wrote to memory of 4556	2232	Hesap hareketleriniz.exe	cmd.exe
PID 2232 wrote to memory of 4556	2232	Hesap hareketleriniz.exe	cmd.exe
PID 4556 wrote to memory of 4460	4556	cmd.exe	powershell.exe
PID 4556 wrote to memory of 4460	4556	cmd.exe	powershell.exe
PID 4556 wrote to memory of 4460	4556	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
"C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:4920

C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
"C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-138-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/2232-132-0x0000000000000000-mapping.dmp

Download
memory/2232-133-0x0000000000BF0000-0x0000000000CB4000-memory.dmp

Filesize
784KB

Download
memory/2232-134-0x0000000000BF0000-0x0000000000CB4000-memory.dmp

Filesize
784KB

Download
memory/2232-135-0x0000000004CA0000-0x0000000005244000-memory.dmp

Filesize
5.6MB

Download
memory/2232-136-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/2232-137-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/3180-130-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4460-140-0x0000000000000000-mapping.dmp

Download
memory/4460-141-0x0000000004980000-0x00000000049B6000-memory.dmp

Filesize
216KB

Download
memory/4460-142-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/4460-143-0x0000000005070000-0x0000000005092000-memory.dmp

Filesize
136KB

Download
memory/4460-144-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/4460-145-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/4460-146-0x0000000007570000-0x0000000007BEA000-memory.dmp

Filesize
6.5MB

Download
memory/4460-147-0x0000000006410000-0x000000000642A000-memory.dmp

Filesize
104KB

Download
memory/4460-148-0x0000000007190000-0x0000000007226000-memory.dmp

Filesize
600KB

Download
memory/4460-149-0x0000000006500000-0x0000000006522000-memory.dmp

Filesize
136KB

Download
memory/4556-139-0x0000000000000000-mapping.dmp

Download
memory/4920-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads