4dea4adae2cca4200e5c12ef9f29b5b62ddf100b91d75ff99a42a4db46023cee

General

Target

Hesap hareketleriniz.exe
Size

1.2MB
MD5

59f619e37d60f82d7575236914115aa1
SHA1

d2dc034f8b5ad108c5c588d40f8937668fd72198
SHA256

724e4c39841778153489d4c665f37fd5f3baabe4f151b2e78ccbe585c6f5c5b9
SHA512

a5ab15cc6e6b8368d599f0a031353c597215ad8eb2cf8a22a3938bc9eb03babbcc52c96773faaa764271945350941f98003d285da9d1be85576b82d51efc31a8

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sss.vbs notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Hesap hareketleriniz.exe

description pid process target process

PID 4892 set thread context of 2696 4892 Hesap hareketleriniz.exe Hesap hareketleriniz.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Hesap hareketleriniz.exepowershell.exe

pid process

4892 Hesap hareketleriniz.exe
4892 Hesap hareketleriniz.exe
2556 powershell.exe
2556 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Hesap hareketleriniz.exe

pid process

4892 Hesap hareketleriniz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2556 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sss.vbs	notepad.exe

description	pid	process	target process
PID 4892 set thread context of 2696	4892	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe

pid	process
4892	Hesap hareketleriniz.exe
4892	Hesap hareketleriniz.exe
2556	powershell.exe
2556	powershell.exe

pid	process
4892	Hesap hareketleriniz.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Hesap hareketleriniz.exeHesap hareketleriniz.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 908	4892	Hesap hareketleriniz.exe	notepad.exe
PID 4892 wrote to memory of 908	4892	Hesap hareketleriniz.exe	notepad.exe
PID 4892 wrote to memory of 908	4892	Hesap hareketleriniz.exe	notepad.exe
PID 4892 wrote to memory of 908	4892	Hesap hareketleriniz.exe	notepad.exe
PID 4892 wrote to memory of 908	4892	Hesap hareketleriniz.exe	notepad.exe
PID 4892 wrote to memory of 2696	4892	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 4892 wrote to memory of 2696	4892	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 4892 wrote to memory of 2696	4892	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 2696 wrote to memory of 1084	2696	Hesap hareketleriniz.exe	cmd.exe
PID 2696 wrote to memory of 1084	2696	Hesap hareketleriniz.exe	cmd.exe
PID 2696 wrote to memory of 1084	2696	Hesap hareketleriniz.exe	cmd.exe
PID 1084 wrote to memory of 2556	1084	cmd.exe	powershell.exe
PID 1084 wrote to memory of 2556	1084	cmd.exe	powershell.exe
PID 1084 wrote to memory of 2556	1084	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
"C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:908

C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
"C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-131-0x0000000000000000-mapping.dmp

Download
memory/1084-139-0x0000000000000000-mapping.dmp

Download
memory/2556-145-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/2556-142-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/2556-149-0x0000000006530000-0x0000000006552000-memory.dmp

Filesize
136KB

Download
memory/2556-148-0x0000000007090000-0x0000000007126000-memory.dmp

Filesize
600KB

Download
memory/2556-147-0x0000000006470000-0x000000000648A000-memory.dmp

Filesize
104KB

Download
memory/2556-146-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/2556-144-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/2556-143-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/2556-140-0x0000000000000000-mapping.dmp

Download
memory/2556-141-0x0000000002660000-0x0000000002696000-memory.dmp

Filesize
216KB

Download
memory/2696-137-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/2696-132-0x0000000000000000-mapping.dmp

Download
memory/2696-138-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/2696-134-0x0000000000C30000-0x0000000000CF4000-memory.dmp

Filesize
784KB

Download
memory/2696-136-0x00000000051F0000-0x000000000528C000-memory.dmp

Filesize
624KB

Download
memory/2696-135-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/2696-133-0x0000000000C30000-0x0000000000CF4000-memory.dmp

Filesize
784KB

Download
memory/4892-130-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads