3d64a1e349d2dba5ec7861f12c6315caf67e7efc8011b1a30f76688804fd9609

General

Target

Yeni belge 2020-08-20 11.04.05.exe
Size

849KB
MD5

d765b519f90ed452b44a550324a2fdda
SHA1

a0aa9fe545a65c75361e46c1b5678d37f36ac949
SHA256

ab5b1c3d9e87aacfe6b37cc962e80a62a3acef7eddcdca78649eda365c04fa45
SHA512

45b94f148178ffcb71942785eaa65780756564d62b11b10755d3fac93863f7e972bc48287eaa4f4215c70328d8185eb566842b5ca288d11d4ac08a9fcd8f600d

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Yeni belge 2020-08-20 11.04.05.exe

description pid process target process

PID 4076 set thread context of 784 4076 Yeni belge 2020-08-20 11.04.05.exe Yeni belge 2020-08-20 11.04.05.exe

description	pid	process	target process
PID 4076 set thread context of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Yeni belge 2020-08-20 11.04.05.exepowershell.exe

pid	process
4076	Yeni belge 2020-08-20 11.04.05.exe
4076	Yeni belge 2020-08-20 11.04.05.exe
4076	Yeni belge 2020-08-20 11.04.05.exe
4076	Yeni belge 2020-08-20 11.04.05.exe
1148	powershell.exe
1148	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Yeni belge 2020-08-20 11.04.05.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4076 Yeni belge 2020-08-20 11.04.05.exe
Token: SeDebugPrivilege 1148 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4076	Yeni belge 2020-08-20 11.04.05.exe
Token: SeDebugPrivilege	1148	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Yeni belge 2020-08-20 11.04.05.exeYeni belge 2020-08-20 11.04.05.execmd.exe

description	pid	process	target process
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 4076 wrote to memory of 784	4076	Yeni belge 2020-08-20 11.04.05.exe	Yeni belge 2020-08-20 11.04.05.exe
PID 784 wrote to memory of 4784	784	Yeni belge 2020-08-20 11.04.05.exe	cmd.exe
PID 784 wrote to memory of 4784	784	Yeni belge 2020-08-20 11.04.05.exe	cmd.exe
PID 784 wrote to memory of 4784	784	Yeni belge 2020-08-20 11.04.05.exe	cmd.exe
PID 4784 wrote to memory of 1148	4784	cmd.exe	powershell.exe
PID 4784 wrote to memory of 1148	4784	cmd.exe	powershell.exe
PID 4784 wrote to memory of 1148	4784	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Yeni belge 2020-08-20 11.04.05.exe
"C:\Users\Admin\AppData\Local\Temp\Yeni belge 2020-08-20 11.04.05.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\Yeni belge 2020-08-20 11.04.05.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Yeni belge 2020-08-20 11.04.05.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Yeni belge 2020-08-20 11.04.05.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Yeni belge 2020-08-20 11.04.05.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/784-135-0x0000000000000000-mapping.dmp

Download
memory/784-137-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/784-136-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1148-140-0x0000000000000000-mapping.dmp

Download
memory/1148-144-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/1148-149-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

Filesize
136KB

Download
memory/1148-148-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/1148-147-0x0000000006D00000-0x0000000006D1A000-memory.dmp

Filesize
104KB

Download
memory/1148-146-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/1148-145-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/1148-141-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download
memory/1148-142-0x0000000005A50000-0x0000000006078000-memory.dmp

Filesize
6.2MB

Download
memory/1148-143-0x00000000057F0000-0x0000000005812000-memory.dmp

Filesize
136KB

Download
memory/4076-134-0x0000000009970000-0x0000000009A0C000-memory.dmp

Filesize
624KB

Download
memory/4076-130-0x00000000004A0000-0x000000000057A000-memory.dmp

Filesize
872KB

Download
memory/4076-131-0x0000000007950000-0x0000000007EF4000-memory.dmp

Filesize
5.6MB

Download
memory/4076-132-0x0000000007440000-0x00000000074D2000-memory.dmp

Filesize
584KB

Download
memory/4076-133-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/4784-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing