Overview

overview

10

Static

static

Hesap hare...iz.exe

windows7_x64

10

Hesap hare...iz.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    168s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Hesap hareketleriniz.exe

  • Size

    1.1MB

  • MD5

    f8cb3827be49821b2ab5a48741fc55ab

  • SHA1

    506c306aeabda2be2322f8291b8dac5c0ece9a30

  • SHA256

    890b8e57454bafbe3dd79e1a4a42ef308cd072d079822e9275960e6be9418551

  • SHA512

    45c61e2ac124e5ec4b473e26ae821af4e5160b636578ad320723914382393836f35ae890923e20ef8cde7a5a6cad5a7b82dd2eb9d64fc91c2e5ff37fe81ff293

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
    "C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:352
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Drops startup file
      PID:3560
    • C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe
      "C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Hesap hareketleriniz.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/352-130-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3628-133-0x0000000000CC0000-0x0000000000D84000-memory.dmp

    Filesize

    784KB

    Download

  • memory/3628-134-0x0000000000CC0000-0x0000000000D84000-memory.dmp

    Filesize

    784KB

    Download

  • memory/3628-135-0x0000000004D70000-0x0000000005314000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3628-136-0x0000000004C30000-0x0000000004CCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3628-137-0x00000000053A0000-0x0000000005406000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3628-138-0x0000000005710000-0x00000000057A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4652-141-0x0000000002760000-0x0000000002796000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4652-142-0x0000000005240000-0x0000000005868000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4652-143-0x00000000051A0000-0x00000000051C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4652-144-0x0000000005920000-0x0000000005986000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4652-145-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4652-146-0x00000000078C0000-0x0000000007F3A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4652-147-0x00000000062F0000-0x000000000630A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4652-148-0x0000000007240000-0x00000000072D6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4652-149-0x0000000006440000-0x0000000006462000-memory.dmp

    Filesize

    136KB

    Download