Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:05

Static task: static1
Behavioral task: behavioral1
  Sample: Akbank Bildirimi.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Akbank Bildirimi.exe
  Resource: win10v2004-20220414-en
General
- Target: Akbank Bildirimi.exe
- Size: 530KB
- MD5: 6864baa092a9d571a6b2b90994695ec8
- SHA1: 360b38f1050fa182cb4c579dd7af60d784d3f543
- SHA256: 6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
- SHA512: 91fde501a8d514ff2ffeb12d0deb7721c372ccbf657e962e4ad5b35f0500a6fb5aa7e1b150ea4042ded50d7e898b5e8f432c8ee5ef931a08462a314cc4e5dd80
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: gatefee22
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
    resource | yara_rule
    behavioral2/memory/4516-139-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- CoreCCC Packer (1 IoC)
  Detects the CoreCCC packer used to load .NET malware.
  Processes:
    resource | yara_rule
    behavioral2/memory/3588-130-0x0000000000B10000-0x0000000000B9A000-memory.dmp | coreccc
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Akbank Bildirimi.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Akbank Bildirimi.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Akbank Bildirimi.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Akbank Bildirimi.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Akbank Bildirimi.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Akbank Bildirimi.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Akbank Bildirimi.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Akbank Bildirimi.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 3588 set thread context of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    4516 | Akbank Bildirimi.exe
    4516 | Akbank Bildirimi.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4516 | Akbank Bildirimi.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    4516 | Akbank Bildirimi.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description | pid | process | target process
    PID 3588 wrote to memory of 3804 | 3588 | Akbank Bildirimi.exe | schtasks.exe
    PID 3588 wrote to memory of 3804 | 3588 | Akbank Bildirimi.exe | schtasks.exe
    PID 3588 wrote to memory of 3804 | 3588 | Akbank Bildirimi.exe | schtasks.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 3588 wrote to memory of 4516 | 3588 | Akbank Bildirimi.exe | Akbank Bildirimi.exe
    PID 4516 wrote to memory of 1932 | 4516 | Akbank Bildirimi.exe | netsh.exe
    PID 4516 wrote to memory of 1932 | 4516 | Akbank Bildirimi.exe | netsh.exe
    PID 4516 wrote to memory of 1932 | 4516 | Akbank Bildirimi.exe | netsh.exe
- outlook_office_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Akbank Bildirimi.exe
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Akbank Bildirimi.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iCbkAkaGXo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9261.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Akbank Bildirimi.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9261.tmp
  Filesize: 1KB
  MD5: 2b332daa2a0756e24f9af2b7a0fd51fd
  SHA1: 0fb5ed66afdcf96a643de25eaddd49fd61e7f583
  SHA256: abc23c7f53360ac686a70fd344dbdacfcba1504a36261b076c206ac9492383f6
  SHA512: ae8eaffefeb500f92fcdb97ced3f7450d5ab89cdee3d01007ed47d9a069e660fa4fd67d9061ed53500fb1e5fccd2e7635a85556f0be5ac47391a30313e976d86
- memory/1932-141-0x0000000000000000-mapping.dmp
- memory/3588-130-0x0000000000B10000-0x0000000000B9A000-memory.dmp
  Filesize: 552KB
- memory/3588-131-0x0000000005B20000-0x00000000060C4000-memory.dmp
  Filesize: 5.6MB
- memory/3588-132-0x0000000005570000-0x0000000005602000-memory.dmp
  Filesize: 584KB
- memory/3588-133-0x0000000005540000-0x000000000554A000-memory.dmp
  Filesize: 40KB
- memory/3588-134-0x0000000007A40000-0x0000000007ADC000-memory.dmp
  Filesize: 624KB
- memory/3588-135-0x0000000007E00000-0x0000000007E66000-memory.dmp
  Filesize: 408KB
- memory/3804-136-0x0000000000000000-mapping.dmp
- memory/4516-138-0x0000000000000000-mapping.dmp
- memory/4516-139-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/4516-140-0x0000000006060000-0x00000000060B0000-memory.dmp
  Filesize: 320KB