7d63583a30f78f5cfe0913fed4ee1a44e0e26dc1835740558ca53ef95c2650be

General

Target

Hesap hareketleriniz.exe
Size

1.1MB
MD5

f8cb3827be49821b2ab5a48741fc55ab
SHA1

506c306aeabda2be2322f8291b8dac5c0ece9a30
SHA256

890b8e57454bafbe3dd79e1a4a42ef308cd072d079822e9275960e6be9418551
SHA512

45c61e2ac124e5ec4b473e26ae821af4e5160b636578ad320723914382393836f35ae890923e20ef8cde7a5a6cad5a7b82dd2eb9d64fc91c2e5ff37fe81ff293

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.vbs	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 352 set thread context of 3628	352	Hesap hareketleriniz.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
352	Hesap hareketleriniz.exe
352	Hesap hareketleriniz.exe
4652	powershell.exe
4652	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
352	Hesap hareketleriniz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	81
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	81
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	81
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	81
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	81
PID 352 wrote to memory of 3628	352	Hesap hareketleriniz.exe	82
PID 352 wrote to memory of 3628	352	Hesap hareketleriniz.exe	82
PID 352 wrote to memory of 3628	352	Hesap hareketleriniz.exe	82
PID 3628 wrote to memory of 1352	3628	Hesap hareketleriniz.exe	90
PID 3628 wrote to memory of 1352	3628	Hesap hareketleriniz.exe	90
PID 3628 wrote to memory of 1352	3628	Hesap hareketleriniz.exe	90
PID 1352 wrote to memory of 4652	1352	cmd.exe	92
PID 1352 wrote to memory of 4652	1352	cmd.exe	92
PID 1352 wrote to memory of 4652	1352	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
"C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Drops startup file
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
  "C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4652

Network

DNS

151.122.125.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

151.122.125.40.in-addr.arpa

IN PTR

Response
DNS

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

52.152.108.96:443

260 B
5

8.8.8.8:53

151.122.125.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

151.122.125.40.in-addr.arpa
8.8.8.8:53

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/352-130-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3628-133-0x0000000000CC0000-0x0000000000D84000-memory.dmp

Filesize
784KB

Download
memory/3628-134-0x0000000000CC0000-0x0000000000D84000-memory.dmp

Filesize
784KB

Download
memory/3628-135-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/3628-136-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/3628-137-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/3628-138-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/4652-141-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/4652-142-0x0000000005240000-0x0000000005868000-memory.dmp

Filesize
6.2MB

Download
memory/4652-143-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/4652-144-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/4652-145-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/4652-146-0x00000000078C0000-0x0000000007F3A000-memory.dmp

Filesize
6.5MB

Download
memory/4652-147-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/4652-148-0x0000000007240000-0x00000000072D6000-memory.dmp

Filesize
600KB

Download
memory/4652-149-0x0000000006440000-0x0000000006462000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing