Analysis
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20220414-en
submitted: 13-06-2022 06:35
Static task: static1
Behavioral task: behavioral1
Sample: Ziraat Bankasi Swift Mesaji.exe
Resource: win7-20220414-en
General
Target: Ziraat Bankasi Swift Mesaji.exe
Size: 457KB
MD5: bfd5416efae1ecc1517f4b286c30b655
SHA1: 6debd272160fe05b0c3397f612f1c8e7d005f376
SHA256: 7f64aa4801b0cbae5fdda52ae4fe848ef03650a4dec91b4f4d5131a0def6b464
SHA512: 4e29a8d547abaed04837a4e02a0b47b5b8d1a8fc435eadcb8115b5b4d3464c5239aef5a25becfb995a0f3da2536bce798bcf944d422a7211d2aef3725e8ff7c4
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: pr28
C2 domains:
warehouseufohighbay.com
kingasia77.xyz
americanoutfittes.com
jemodaevangica.com
holigantv82.com
creamkidslife.com
skillzplanetoutreach.com
goldencityofficial.com
choiceaccessorise.com
kdgkzy.com
patra.tech
chicaglo.com
9491countyroad106.com
theultracleanser.com
lesmacarons.biz
kfaluminum.com
institutodiversidade.com
woodanqnmz.store
teslabuyerusa.com
cityofbastop.com
firegillibrand.com
npsyu5n-periv.com
nflstreams.pro
resuelve-deuda-latam-pro.com
281564.com
ezeehookz.com
rvestdewseherore.xyz
modderplaten.com
getdapp.xyz
tutsempire.com
scientiaimaging.com
cryptoriver-island.xyz
occidentalinn.net
decouvredesproduits.com
queensize.xyz
ipandu.net
yingxinyiyuan.com
suddeniink.com
guestwin.com
curahintstudio.xyz
5g00au.com
ncfirerestoration.com
diabeticlifeinsurancequotes.com
sex-intim-kropivnickiy.online
metashae.com
flora-kana.com
productsamerica.store
buliangdh90.xyz
georgiatourz.com
coveredbyaaa.com
wirethreepebble.com
jeffreygraper.com
temerecesunjamon.com
trynica.com
nubehost365.com
phulieumaytanbinh.com
bluprintthebrand.com
mitchellcafeteresa.com
longtorsoswimwear.com
savannahfengshui.com
0zc8l0.xyz
eby6.com
kantinuai.com
4kph.com
knottynikkibaby.com
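The C2 list above is what an analyst turns into detection. The script below is an added example, not part of the sandbox output: it copies a handful of the extracted domains into a constructed C2_DOMAINS list, normalises DNS query names the way resolvers log them (trailing dot, www. label, mixed case), does label-aware suffix matching so a subdomain of a listed domain hits but a look-alike such as notkingasia77.xyz does not, runs that over a constructed DNS log, and emits one Suricata dns.query rule per domain. The dotprefix/endswith keywords assume Suricata 6 or newer; the log format and the 9000001 SID base are assumptions for the example.

```python
"""Turn the extracted FormBook C2 list into DNS detection.

Added example, not part of the report. C2_DOMAINS copies a handful of the
domains from the Malware Config section; DNS_LOG is a constructed
'timestamp client qname' feed that exercises the edge cases (trailing dot,
www. prefix, subdomain, look-alike suffix, mixed case).
"""

C2_DOMAINS = [
    "warehouseufohighbay.com", "kingasia77.xyz", "patra.tech", "281564.com",
    "npsyu5n-periv.com", "sex-intim-kropivnickiy.online", "knottynikkibaby.com",
]

# Constructed sample telemetry (not from the report): "<ts> <client> <qname>"
DNS_LOG = [
    "2022-06-13T06:36:01Z 10.0.0.15 www.kingasia77.xyz.",
    "2022-06-13T06:36:02Z 10.0.0.15 notkingasia77.xyz",
    "2022-06-13T06:36:05Z 10.0.0.22 cdn.patra.tech",
    "2022-06-13T06:36:07Z 10.0.0.22 example.com",
    "2022-06-13T06:36:09Z 10.0.0.31 281564.COM",
]


def normalize(name):
    """Lower-case, strip the trailing dot and a leading 'www.' label."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def build_index(domains):
    return {normalize(d) for d in domains}


INDEX = build_index(C2_DOMAINS)


def matching_c2(qname, index):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Walks label suffixes of at least two labels, so 'ns1.kingasia77.xyz'
    resolves to 'kingasia77.xyz' while 'notkingasia77.xyz' stays unmatched.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan_dns_log(lines, index):
    """Parse constructed 'ts client qname' lines; return (ts, client, qname, c2) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash the sweep
        ts, client, qname = parts
        c2 = matching_c2(qname, index)
        if c2:
            hits.append((ts, client, qname, c2))
    return hits


def suricata_rules(domains, base_sid=9000001):
    """One dns.query rule per domain.

    dotprefix prepends '.' to the query buffer and endswith anchors the match,
    so '.kingasia77.xyz' matches the apex and any subdomain but not a
    look-alike suffix (Suricata 6+ keywords; SID base is an assumption).
    """
    rules = []
    for n, d in enumerate(sorted(build_index(domains))):
        rules.append(
            f'alert dns any any -> any any (msg:"FormBook C2 domain {d}"; '
            f'dns.query; dotprefix; content:".{d}"; endswith; nocase; '
            f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG, INDEX):
        print("HIT", *hit)
    print("\n".join(suricata_rules(C2_DOMAINS)))
```

FormBook configs are known to pad the list with decoy domains, several of which belong to unrelated legitimate sites, so treat matches as hunting leads to pivot on (which host queried, what HTTP GET followed) rather than as a blocklist to apply blindly.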
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload 5 IoCs
resource  yara_rule
behavioral1/memory/1708-62-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/1708-63-0x000000000041F1C0-mapping.dmp  formbook
behavioral1/memory/1708-65-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/844-72-0x00000000000C0000-0x00000000000EF000-memory.dmp  formbook
behavioral1/memory/844-76-0x00000000000C0000-0x00000000000EF000-memory.dmp  formbook
Deletes itself 1 IoCs
pid   process
1692  cmd.exe
Suspicious use of SetThreadContext 3 IoCs
description                          pid   process                          target process
PID 852 set thread context of 1708   852   Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
PID 1708 set thread context of 1428  1708  Ziraat Bankasi Swift Mesaji.exe  Explorer.EXE
PID 844 set thread context of 1428   844   cmmon32.exe                      Explorer.EXE
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid   process                          hits
1708  Ziraat Bankasi Swift Mesaji.exe  2
844   cmmon32.exe                      16
Suspicious behavior: MapViewOfSection 5 IoCs
pid   process                          hits
1708  Ziraat Bankasi Swift Mesaji.exe  3
844   cmmon32.exe                      2
Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid   process
Token: SeDebugPrivilege  1708  Ziraat Bankasi Swift Mesaji.exe
Token: SeDebugPrivilege  844   cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid   process       hits
1428  Explorer.EXE  2
Suspicious use of SendNotifyMessage 2 IoCs
pid   process       hits
1428  Explorer.EXE  2
Suspicious use of WriteProcessMemory 15 IoCs
description                      pid   process                          target process                   hits
PID 852 wrote to memory of 1708  852   Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe  7
PID 1428 wrote to memory of 844  1428  Explorer.EXE                     cmmon32.exe                      4
PID 844 wrote to memory of 1692  844   cmmon32.exe                      cmd.exe                          4
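The SetThreadContext and WriteProcessMemory tables above, read together with the process tree, record the whole injection chain. The script below is an added example, not part of the sandbox output: it transcribes those rows, the parent/child relationships from the process tree and the cmd.exe command line into constructed Python data (PIDs and image names as the report shows them) and labels each cross-process edge: a parent that writes into a child it just spawned and then resets the child's thread context (852 -> 1708, the hollowing pattern), SetThreadContext against a process the source did not create (1708 -> Explorer.EXE, 844 -> Explorer.EXE), and bare parent-to-child writes, which is what process creation itself looks like in this sandbox and is noise on its own. It then propagates taint from the sample PID to show why cmmon32.exe and cmd.exe belong to the infection even though Explorer.EXE is their parent.

```python
"""Reconstruct the injection chain recorded in the report's signature tables.

Added example, not part of the sandbox output. EVENTS, PARENTS and CMDLINES
are constructed by transcribing the SetThreadContext / WriteProcessMemory
rows, the process tree and the cmd.exe command line above; PIDs are the
ones the report shows.
"""
import re
from collections import defaultdict, deque

# (api, source pid, source image, target pid, target image, hit count)
EVENTS = [
    ("SetThreadContext", 852, "Ziraat Bankasi Swift Mesaji.exe", 1708, "Ziraat Bankasi Swift Mesaji.exe", 1),
    ("SetThreadContext", 1708, "Ziraat Bankasi Swift Mesaji.exe", 1428, "Explorer.EXE", 1),
    ("SetThreadContext", 844, "cmmon32.exe", 1428, "Explorer.EXE", 1),
    ("WriteProcessMemory", 852, "Ziraat Bankasi Swift Mesaji.exe", 1708, "Ziraat Bankasi Swift Mesaji.exe", 7),
    ("WriteProcessMemory", 1428, "Explorer.EXE", 844, "cmmon32.exe", 4),
    ("WriteProcessMemory", 844, "cmmon32.exe", 1692, "cmd.exe", 4),
]
# child pid -> parent pid, read off the process tree (Explorer.EXE, 1428, is the root)
PARENTS = {852: 1428, 1708: 852, 844: 1428, 1692: 844}
CMDLINES = {
    1692: r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"',
}
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"


def build_edges(events):
    """Collapse events into (src, dst) -> {api: total hits}."""
    edges = defaultdict(dict)
    for api, src, _, dst, _, hits in events:
        edges[(src, dst)][api] = edges[(src, dst)].get(api, 0) + hits
    return edges


def classify(events, parents):
    """Label every cross-process edge by what the API mix and lineage imply."""
    findings = []
    for (src, dst), apis in sorted(build_edges(events).items()):
        is_child = parents.get(dst) == src
        if is_child and "SetThreadContext" in apis and "WriteProcessMemory" in apis:
            # wrote a new image into a child it spawned, then redirected its thread
            findings.append(("process_hollowing", src, dst))
        elif "SetThreadContext" in apis and not is_child:
            # hijacked a thread in a process it did not create (Explorer.EXE here)
            findings.append(("injection_into_existing_process", src, dst))
        elif is_child:
            # parent->child write with no context change: process creation noise
            findings.append(("parent_wrote_to_child", src, dst))
        else:
            findings.append(("cross_process_write", src, dst))
    return findings


def tainted_processes(events, parents, origin):
    """Propagate taint from the sample along injection edges and from an
    injected process to the children it spawns (the injected Explorer.EXE is
    what launches cmmon32.exe here). Returns sorted pids."""
    edges = build_edges(events)
    children = defaultdict(set)
    for child, parent in parents.items():
        children[parent].add(child)
    seen, queue = {origin}, deque([origin])
    while queue:
        pid = queue.popleft()
        reachable = {dst for (src, dst) in edges if src == pid} | children[pid]
        for p in reachable - seen:
            seen.add(p)
            queue.append(p)
    return sorted(seen)


def self_delete(cmdlines, sample_path):
    """Pids whose command line deletes the dropped sample (the cleanup step)."""
    pattern = re.compile(r"\bdel\b", re.IGNORECASE)
    return [pid for pid, cl in cmdlines.items()
            if pattern.search(cl) and sample_path.lower() in cl.lower()]


if __name__ == "__main__":
    for kind, src, dst in classify(EVENTS, PARENTS):
        print(f"{kind:34} {src:>5} -> {dst}")
    print("tainted pids:", tainted_processes(EVENTS, PARENTS, 852))
    print("self-delete via pid:", self_delete(CMDLINES, SAMPLE_PATH))
```

On a real endpoint the same logic runs over Sysmon event IDs 1, 8 and 10 (or the EDR's thread-context telemetry) instead of transcribed sandbox rows; the parent_wrote_to_child label exists so that ordinary CreateProcess writes do not drown the two signals that matter, a hollowed child and a thread hijack in a process the actor never created.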
Processes
C:\Windows\Explorer.EXE  (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe  (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe  (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmmon32.exe  (level 2)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
dump                                                             filesize
memory/844-76-0x00000000000C0000-0x00000000000EF000-memory.dmp   188KB
memory/844-69-0x0000000000000000-mapping.dmp
memory/844-72-0x00000000000C0000-0x00000000000EF000-memory.dmp   188KB
memory/844-71-0x0000000000220000-0x000000000022D000-memory.dmp   52KB
memory/844-73-0x0000000001FD0000-0x00000000022D3000-memory.dmp   3.0MB
memory/844-74-0x0000000001DA0000-0x0000000001E34000-memory.dmp   592KB
memory/852-57-0x0000000004F80000-0x0000000004FEE000-memory.dmp   440KB
memory/852-54-0x0000000000B20000-0x0000000000B98000-memory.dmp   480KB
memory/852-58-0x0000000002190000-0x00000000021C4000-memory.dmp   208KB
memory/852-56-0x00000000006E0000-0x00000000006EE000-memory.dmp   56KB
memory/852-55-0x0000000076781000-0x0000000076783000-memory.dmp   8KB
memory/1428-77-0x0000000007CD0000-0x0000000007E43000-memory.dmp  1.4MB
memory/1428-75-0x0000000007CD0000-0x0000000007E43000-memory.dmp  1.4MB
memory/1428-68-0x00000000068C0000-0x0000000006A08000-memory.dmp  1.3MB
memory/1692-70-0x0000000000000000-mapping.dmp
memory/1708-59-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/1708-67-0x00000000002F0000-0x0000000000305000-memory.dmp  84KB
memory/1708-66-0x0000000000BA0000-0x0000000000EA3000-memory.dmp  3.0MB
memory/1708-65-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/1708-63-0x000000000041F1C0-mapping.dmp
memory/1708-62-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
memory/1708-60-0x0000000000400000-0x000000000042F000-memory.dmp  188KB