Overview

overview

10

Static

static

Havayolu f...r?.exe

windows7_x64

3

Havayolu f...r?.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Havayolu fatura ayr?nt?lar?.exe

  • Size

    1.1MB

  • MD5

    f59c38a6f1f351372576f5c539f4d2c5

  • SHA1

    21dff1b234b063f7110e6356a9f563605bf0e073

  • SHA256

    97f80d8f84f58704f90dee2f317ecc5807f5d250ebde54ff90426ad05ee9db95

  • SHA512

    4df0b1061bf16b3be0051f52c1727c884d277e012ce2c2d3b03ad8f80125ab6de6c98b4be40ce00bf70b3d4a3399fd7acfd9262c1d1deed3351d391d8617066d

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
    "C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PcZrmntFYPVyHG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1392
    • C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
      "{path}"
      2⤵
        PID:108
      • C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
        "{path}"
        2⤵
          PID:1984
        • C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
          "{path}"
          2⤵
            PID:1260
          • C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
            "{path}"
            2⤵
              PID:432
            • C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
              "{path}"
              2⤵
                PID:1712

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp
              Filesize

              1KB

              MD5

              67f7172be94aec7f5076ee41beef13a4

              SHA1

              46092579ffdbacb1e2aca39dc1fddcd1874462e0

              SHA256

              356c7c83e02da9f5768801467b5cea40e955ff6a81281cb2b8c4193dad8fefad

              SHA512

              f14b1fd1bc7de88eee0e02703ffaa3832050722e7c518bfa54251084a22c288b206f6d448216769a182379b57a09ef5ec81d38955fcc20377f6c0a3829b48a86

              Download Submit

            • memory/1240-54-0x0000000000360000-0x000000000048A000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/1240-55-0x00000000753E1000-0x00000000753E3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1240-56-0x00000000004A0000-0x00000000004B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1240-57-0x0000000005300000-0x00000000053BC000-memory.dmp

              Filesize

              752KB

              Download

            • memory/1240-58-0x0000000005920000-0x00000000059D8000-memory.dmp

              Filesize

              736KB

              Download

            • memory/1392-59-0x0000000000000000-mapping.dmp

              Download