7d63583a30f78f5cfe0913fed4ee1a44e0e26dc1835740558ca53ef95c2650be

General

Target

Hesap hareketleriniz.exe
Size

1.1MB
MD5

f8cb3827be49821b2ab5a48741fc55ab
SHA1

506c306aeabda2be2322f8291b8dac5c0ece9a30
SHA256

890b8e57454bafbe3dd79e1a4a42ef308cd072d079822e9275960e6be9418551
SHA512

45c61e2ac124e5ec4b473e26ae821af4e5160b636578ad320723914382393836f35ae890923e20ef8cde7a5a6cad5a7b82dd2eb9d64fc91c2e5ff37fe81ff293

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.vbs notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Hesap hareketleriniz.exe

description pid process target process

PID 352 set thread context of 3628 352 Hesap hareketleriniz.exe Hesap hareketleriniz.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Hesap hareketleriniz.exepowershell.exe

pid process

352 Hesap hareketleriniz.exe
352 Hesap hareketleriniz.exe
4652 powershell.exe
4652 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Hesap hareketleriniz.exe

pid process

352 Hesap hareketleriniz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4652 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d.vbs	notepad.exe

description	pid	process	target process
PID 352 set thread context of 3628	352	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe

pid	process
352	Hesap hareketleriniz.exe
352	Hesap hareketleriniz.exe
4652	powershell.exe
4652	powershell.exe

pid	process
352	Hesap hareketleriniz.exe

description	pid	process
Token: SeDebugPrivilege	4652	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Hesap hareketleriniz.exeHesap hareketleriniz.execmd.exe

description	pid	process	target process
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	notepad.exe
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	notepad.exe
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	notepad.exe
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	notepad.exe
PID 352 wrote to memory of 3560	352	Hesap hareketleriniz.exe	notepad.exe
PID 352 wrote to memory of 3628	352	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 352 wrote to memory of 3628	352	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 352 wrote to memory of 3628	352	Hesap hareketleriniz.exe	Hesap hareketleriniz.exe
PID 3628 wrote to memory of 1352	3628	Hesap hareketleriniz.exe	cmd.exe
PID 3628 wrote to memory of 1352	3628	Hesap hareketleriniz.exe	cmd.exe
PID 3628 wrote to memory of 1352	3628	Hesap hareketleriniz.exe	cmd.exe
PID 1352 wrote to memory of 4652	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 4652	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 4652	1352	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
"C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:3560

C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
"C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/352-130-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1352-139-0x0000000000000000-mapping.dmp

Download
memory/3560-131-0x0000000000000000-mapping.dmp

Download
memory/3628-132-0x0000000000000000-mapping.dmp

Download
memory/3628-133-0x0000000000CC0000-0x0000000000D84000-memory.dmp

Filesize
784KB

Download
memory/3628-134-0x0000000000CC0000-0x0000000000D84000-memory.dmp

Filesize
784KB

Download
memory/3628-135-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/3628-136-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/3628-137-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/3628-138-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/4652-140-0x0000000000000000-mapping.dmp

Download
memory/4652-141-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/4652-142-0x0000000005240000-0x0000000005868000-memory.dmp

Filesize
6.2MB

Download
memory/4652-143-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/4652-144-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/4652-145-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/4652-146-0x00000000078C0000-0x0000000007F3A000-memory.dmp

Filesize
6.5MB

Download
memory/4652-147-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/4652-148-0x0000000007240000-0x00000000072D6000-memory.dmp

Filesize
600KB

Download
memory/4652-149-0x0000000006440000-0x0000000006462000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads