Analysis
max time kernel: 45s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 19:06
Behavioral task: behavioral1
Sample: ZoralMt2/Metin2.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: ZoralMt2/Metin2.exe
Resource: win10v2004-20221111-en
General
Target: ZoralMt2/Metin2.exe
Size: 619KB
MD5: aac0d0a0ee44507e808062e7490182ab
SHA1: 90c0bad36477ad99961eac4f5eab433821d286d1
SHA256: faccfbbdc313a2f4b1d80119de898312b8fd84f586c4d5cf2482382910940f1b
SHA512: f999ce49df95145891ba3d9e268556d61c50a6b0e75edc39909dac916546bae900b2f35538780b4f5dff005dafe5ec6d043cdb34068836d0ca43e9027aa80124
SSDEEP: 3072:sr85CdAnnnnnnnnnnnnnnnnttKR7EEusaY89j+sEoyV5/hH1ARqAnnnnnnnnnnn2:k9d2gR7Tusa99j+qouY2gR7Tusa99j+B
Malware Config
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Metin2.exe
- Neshta
  Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  832 | Metin2.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1200 | Metin2.exe
  1200 | Metin2.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops file in Program Files directory (64 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | Metin2.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | Metin2.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | Metin2.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | Metin2.exe
  File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | Metin2.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | Metin2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes:
  pid | process
  1896 | taskkill.exe
- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | Metin2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1896 | taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid | process
  832 | Metin2.exe
  832 | Metin2.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1200 wrote to memory of 832 | 1200 | Metin2.exe | Metin2.exe
  PID 1200 wrote to memory of 832 | 1200 | Metin2.exe | Metin2.exe
  PID 1200 wrote to memory of 832 | 1200 | Metin2.exe | Metin2.exe
  PID 1200 wrote to memory of 832 | 1200 | Metin2.exe | Metin2.exe
  PID 832 wrote to memory of 1640 | 832 | Metin2.exe | cmd.exe
  PID 832 wrote to memory of 1640 | 832 | Metin2.exe | cmd.exe
  PID 832 wrote to memory of 1640 | 832 | Metin2.exe | cmd.exe
  PID 832 wrote to memory of 1640 | 832 | Metin2.exe | cmd.exe
  PID 832 wrote to memory of 1640 | 832 | Metin2.exe | cmd.exe
  PID 1640 wrote to memory of 1896 | 1640 | cmd.exe | taskkill.exe
  PID 1640 wrote to memory of 1896 | 1640 | cmd.exe | taskkill.exe
  PID 1640 wrote to memory of 1896 | 1640 | cmd.exe | taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ZoralMt2\Metin2.exe (process tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ZoralMt2\Metin2.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\3582-490\Metin2.exe (process tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\Metin2.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe (process tree depth 3)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3582-490\killpatcher.bat""
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\taskkill.exe (process tree depth 4)
  Command line: TASKKILL /F /IM "Metin2.exe"
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\Metin2.exe
  Filesize: 579KB
  MD5: 3f64795b285d66ef47df701eedecd782
  SHA1: 213dd8b0a0fbbb3e22a04ab45e937487acef6a6b
  SHA256: d0a95f9f6554b6d0dce5b30319c6343617f510a766d0f8aae3f8287c0db15179
  SHA512: 8797625438292bbf32ea58c29ea9a9ab000fb08aa60140a4d1aedf394bda6e01c2df0dae47cd2473af1af47c55e312ca2b0d783f361c49a995e24d280f0cc66f
- C:\Users\Admin\AppData\Local\Temp\3582-490\Metin2.exe
  Filesize: 579KB
  MD5: 3f64795b285d66ef47df701eedecd782
  SHA1: 213dd8b0a0fbbb3e22a04ab45e937487acef6a6b
  SHA256: d0a95f9f6554b6d0dce5b30319c6343617f510a766d0f8aae3f8287c0db15179
  SHA512: 8797625438292bbf32ea58c29ea9a9ab000fb08aa60140a4d1aedf394bda6e01c2df0dae47cd2473af1af47c55e312ca2b0d783f361c49a995e24d280f0cc66f
- C:\Users\Admin\AppData\Local\Temp\3582-490\killpatcher.bat
  Filesize: 113B
  MD5: 2f4fa31e1af75fb8a7a1cc8497c1bdaf
  SHA1: b70e1dc3ba7b771c60ec29ee975275665a22fab1
  SHA256: e4a5eda223b791d5609b6c6483c22986a3059172d37a73ac32805df1f53ea2c5
  SHA512: d2f67ac309cee25e922dc995871989638cfb0a31121b86ae2140e51f4d74b06d8894bc6aeb5a559ab02b61571f2cc392be71f66eee1a8d26c1730c7dc5575541
- \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- \Users\Admin\AppData\Local\Temp\3582-490\Metin2.exe
  Filesize: 579KB
  MD5: 3f64795b285d66ef47df701eedecd782
  SHA1: 213dd8b0a0fbbb3e22a04ab45e937487acef6a6b
  SHA256: d0a95f9f6554b6d0dce5b30319c6343617f510a766d0f8aae3f8287c0db15179
  SHA512: 8797625438292bbf32ea58c29ea9a9ab000fb08aa60140a4d1aedf394bda6e01c2df0dae47cd2473af1af47c55e312ca2b0d783f361c49a995e24d280f0cc66f
- memory/832-56-0x0000000000000000-mapping.dmp
- memory/832-59-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp
  Filesize: 10.1MB
- memory/832-60-0x000007FEF2740000-0x000007FEF37D6000-memory.dmp
  Filesize: 16.6MB
- memory/832-62-0x0000000002156000-0x0000000002175000-memory.dmp
  Filesize: 124KB
- memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB
- memory/1640-63-0x0000000000000000-mapping.dmp
- memory/1896-65-0x0000000000000000-mapping.dmp