a26430545b27b2b2a7a6aa6203d38a60344bd59740acaa1a6cec3c87eb276237

General

Target

Havayolu fatura ayr?nt?lar?.exe
Size

1.1MB
MD5

f59c38a6f1f351372576f5c539f4d2c5
SHA1

21dff1b234b063f7110e6356a9f563605bf0e073
SHA256

97f80d8f84f58704f90dee2f317ecc5807f5d250ebde54ff90426ad05ee9db95
SHA512

4df0b1061bf16b3be0051f52c1727c884d277e012ce2c2d3b03ad8f80125ab6de6c98b4be40ce00bf70b3d4a3399fd7acfd9262c1d1deed3351d391d8617066d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1392 schtasks.exe

pid	process
1392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Havayolu fatura ayr_nt_lar_.exe

pid	process
1240	Havayolu fatura ayr_nt_lar_.exe
1240	Havayolu fatura ayr_nt_lar_.exe
1240	Havayolu fatura ayr_nt_lar_.exe
1240	Havayolu fatura ayr_nt_lar_.exe
1240	Havayolu fatura ayr_nt_lar_.exe
1240	Havayolu fatura ayr_nt_lar_.exe
1240	Havayolu fatura ayr_nt_lar_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Havayolu fatura ayr_nt_lar_.exe

description pid process

Token: SeDebugPrivilege 1240 Havayolu fatura ayr_nt_lar_.exe

description	pid	process
Token: SeDebugPrivilege	1240	Havayolu fatura ayr_nt_lar_.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Havayolu fatura ayr_nt_lar_.exe

C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
"C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PcZrmntFYPVyHG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp"
2⤵
- Creates scheduled task(s)
PID:1392

C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
"{path}"
2⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
"{path}"
2⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
"{path}"
2⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
"{path}"
2⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\Havayolu fatura ayr_nt_lar_.exe
"{path}"
2⤵
PID:1712

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp
Filesize
1KB

MD5
67f7172be94aec7f5076ee41beef13a4

SHA1
46092579ffdbacb1e2aca39dc1fddcd1874462e0

SHA256
356c7c83e02da9f5768801467b5cea40e955ff6a81281cb2b8c4193dad8fefad

SHA512
f14b1fd1bc7de88eee0e02703ffaa3832050722e7c518bfa54251084a22c288b206f6d448216769a182379b57a09ef5ec81d38955fcc20377f6c0a3829b48a86

Download Submit
memory/1240-54-0x0000000000360000-0x000000000048A000-memory.dmp

Filesize
1.2MB

Download
memory/1240-55-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1240-56-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1240-57-0x0000000005300000-0x00000000053BC000-memory.dmp

Filesize
752KB

Download
memory/1240-58-0x0000000005920000-0x00000000059D8000-memory.dmp

Filesize
736KB

Download
memory/1392-59-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1240 wrote to memory of 1392	1240	Havayolu fatura ayr_nt_lar_.exe	schtasks.exe
PID 1240 wrote to memory of 1392	1240	Havayolu fatura ayr_nt_lar_.exe	schtasks.exe
PID 1240 wrote to memory of 1392	1240	Havayolu fatura ayr_nt_lar_.exe	schtasks.exe
PID 1240 wrote to memory of 1392	1240	Havayolu fatura ayr_nt_lar_.exe	schtasks.exe
PID 1240 wrote to memory of 108	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 108	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 108	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 108	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1984	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1984	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1984	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1984	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1260	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1260	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1260	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1260	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 432	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 432	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 432	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 432	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1712	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1712	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1712	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe
PID 1240 wrote to memory of 1712	1240	Havayolu fatura ayr_nt_lar_.exe	Havayolu fatura ayr_nt_lar_.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads