Analysis
-
max time kernel
152s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 07:17
Static task
static1
Behavioral task
behavioral1
Sample
Ziraat Bankasi Swift Mesaji20221129-34221.exe
Resource
win7-20220812-en
General
-
Target
Ziraat Bankasi Swift Mesaji20221129-34221.exe
-
Size
719KB
-
MD5
6a0ff43510923c27b144bf86b5e0a867
-
SHA1
880c264f12ea2175a81f7030dec9c7043093253f
-
SHA256
52426e75e25f69d9d7a8121464fe16a213ab48519ae10b2e2fc028ce86794a8b
-
SHA512
18f0247de11b5d3a7139f8c577560a2987fa706ed0b1eb8f08b01384d320508edbce31ceab050a82a09a97b8892680b3cab3e878bac4a1e7bfaa797ac8595c60
-
SSDEEP
12288:vX1wDXZCg8FEJLIJWyBgFuPDhd55slqVvsH4B4oks60PoSpK:vFwJpVIJxBnTzsOBI0Poo
Malware Config
Extracted
formbook
qmpa
IEiN8oqOnNUEkfZd
LWyAr1P5PHPV
tMGP9gYCIc9DKQ==
fWi2stCh2E3DBWuEK612
B3LCCi2JvPxfNA==
NjLnNjX+DDWt/VuEK612
AvK5/JdMDLztPRg=
U+zn2FswDLztPRg=
3bRIXGwsIc9DKQ==
EXmAoj3/7Cyl+VuEK612
1gkKPklP1odxx7c/Zm+L6HeV4g==
1cMaHDg0ypV0vbT2Ibh+/5Cj5xmAVxA=
MSyBdIV+6nFRloTQAwmFklQ=
qilszGJvhMUsHgaUx/MNSKuo6A==
WYKLwmYEij4q2Hy6sOc=
sjII/IyFmORBFPJ2dVjpG0Q=
mTjzaRwZ9OsEkfZd
iL27vFhbX5ECbBIJxvJKbPHFf9M=
5A5Xr0D5PHPV
IpxsaTO4a1/I
O0akl/OtJu4=
W/Uo1VYpCLztPRg=
TxppXmMgUNC7BQOgzfIMSKuo6A==
R9Qsn1NYXIn0L9fTueU=
O5nTCTAIUYiqFQU=
qUA5LcysmdcEkfZd
jzY2a8iJvPxfNA==
G3Sjzt+b4lfVJo/AOp24sw==
pXEEKkfNMVnK
S6Cz2nc10oNrsJ0P+fA6jH48paMTEw==
sIDiCIeUrOAEkfZd
wKQkm/9lVVnI
uiIfKsOIQjwn8J2V5J1r
zHF4c+ypQ7ztPRg=
KwzbHrpTv3laKtfTueU=
k6JZiCC1KtFSIwiZk47UDt64Yss=
2fLFESoxpllKl5KxYXiW9toW+3DhXwE=
7VAnHMvgw84gTPYPyw==
ArIxekAPMmnRInupMqXfEUA=
ASdaAujYAQRRPg==
4h0THru60PsqyyGCBax+
6Ko6ZoljwEKxwljcDEOZuw==
gjO1ys5bRoj94slTOp24sw==
x4IVLlJKz4x/ybAzVoWSTt64Yss=
ilPsNVL6IaVE0bkfc+w=
wCKB0/SQg704jfUv3/wSSKuo6A==
+eR0tEZJMepVMA==
U42K55D5PHPV
goRIp7OCvDSpg20JCAE/rGT6/w==
2SoyM+br3hJySS1aDQoQZXe784VlUAU=
4LE7N1ZjxDsdfXYAGAzoUV0=
Z9D0XXcxIc9DKQ==
50BLU/bJfGFWsqJD76Yrr3H8
bHozX/y2emhZnX/3FxMQSKuo6A==
ETn+luu5Ugm4IkmeMBDfTcUDByHHFQ==
DWeErEUN29PLqCBSde+C6Z21HgbBWAkLRA==
ervK+g4HIc9DKQ==
/eaqAhTqH4X/5bEhHgzoUV0=
JUtMz3n5PHPV
LT8KV/+eGcivBfE8HwzoUV0=
/xyfrdbaaSMUdmW3/qcrr3H8
ZgQYKcKUKOPQtBidD5krr3H8
Qcd6yWA3xM1ftS1xI/t/BPCeS8M=
nmDfwNfXAQRRPg==
erwgcb.top
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Ziraat Bankasi Swift Mesaji20221129-34221.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation Ziraat Bankasi Swift Mesaji20221129-34221.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Ziraat Bankasi Swift Mesaji20221129-34221.exeZiraat Bankasi Swift Mesaji20221129-34221.exenetsh.exedescription pid process target process PID 4764 set thread context of 820 4764 Ziraat Bankasi Swift Mesaji20221129-34221.exe Ziraat Bankasi Swift Mesaji20221129-34221.exe PID 820 set thread context of 3092 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe Explorer.EXE PID 3844 set thread context of 3092 3844 netsh.exe Explorer.EXE -
Processes:
netsh.exedescription ioc process Key created \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 netsh.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
Ziraat Bankasi Swift Mesaji20221129-34221.exenetsh.exepid process 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3092 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
Ziraat Bankasi Swift Mesaji20221129-34221.exenetsh.exepid process 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe 3844 netsh.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Ziraat Bankasi Swift Mesaji20221129-34221.exenetsh.exedescription pid process Token: SeDebugPrivilege 820 Ziraat Bankasi Swift Mesaji20221129-34221.exe Token: SeDebugPrivilege 3844 netsh.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Ziraat Bankasi Swift Mesaji20221129-34221.exeExplorer.EXEnetsh.exedescription pid process target process PID 4764 wrote to memory of 820 4764 Ziraat Bankasi Swift Mesaji20221129-34221.exe Ziraat Bankasi Swift Mesaji20221129-34221.exe PID 4764 wrote to memory of 820 4764 Ziraat Bankasi Swift Mesaji20221129-34221.exe Ziraat Bankasi Swift Mesaji20221129-34221.exe PID 4764 wrote to memory of 820 4764 Ziraat Bankasi Swift Mesaji20221129-34221.exe Ziraat Bankasi Swift Mesaji20221129-34221.exe PID 4764 wrote to memory of 820 4764 Ziraat Bankasi Swift Mesaji20221129-34221.exe Ziraat Bankasi Swift Mesaji20221129-34221.exe PID 4764 wrote to memory of 820 4764 Ziraat Bankasi Swift Mesaji20221129-34221.exe Ziraat Bankasi Swift Mesaji20221129-34221.exe PID 4764 wrote to memory of 820 4764 Ziraat Bankasi Swift Mesaji20221129-34221.exe Ziraat Bankasi Swift Mesaji20221129-34221.exe PID 3092 wrote to memory of 3844 3092 Explorer.EXE netsh.exe PID 3092 wrote to memory of 3844 3092 Explorer.EXE netsh.exe PID 3092 wrote to memory of 3844 3092 Explorer.EXE netsh.exe PID 3844 wrote to memory of 4600 3844 netsh.exe Firefox.exe PID 3844 wrote to memory of 4600 3844 netsh.exe Firefox.exe PID 3844 wrote to memory of 4600 3844 netsh.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji20221129-34221.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:820 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:4600
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/820-143-0x00000000010A0000-0x00000000013EA000-memory.dmpFilesize
3.3MB
-
memory/820-141-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/820-144-0x0000000000AA0000-0x0000000000AB0000-memory.dmpFilesize
64KB
-
memory/820-137-0x0000000000000000-mapping.dmp
-
memory/820-138-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/820-140-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/820-142-0x0000000000401000-0x000000000042E000-memory.dmpFilesize
180KB
-
memory/3092-152-0x0000000007CD0000-0x0000000007DA2000-memory.dmpFilesize
840KB
-
memory/3092-150-0x0000000002C00000-0x0000000002CF9000-memory.dmpFilesize
996KB
-
memory/3092-145-0x0000000002C00000-0x0000000002CF9000-memory.dmpFilesize
996KB
-
memory/3092-154-0x0000000007CD0000-0x0000000007DA2000-memory.dmpFilesize
840KB
-
memory/3844-149-0x00000000012A0000-0x00000000015EA000-memory.dmpFilesize
3.3MB
-
memory/3844-146-0x0000000000000000-mapping.dmp
-
memory/3844-147-0x00000000009E0000-0x00000000009FE000-memory.dmpFilesize
120KB
-
memory/3844-148-0x0000000000550000-0x000000000057D000-memory.dmpFilesize
180KB
-
memory/3844-151-0x00000000010C0000-0x000000000114F000-memory.dmpFilesize
572KB
-
memory/3844-153-0x0000000000550000-0x000000000057D000-memory.dmpFilesize
180KB
-
memory/4764-134-0x0000000005510000-0x00000000055A2000-memory.dmpFilesize
584KB
-
memory/4764-133-0x0000000005B80000-0x0000000006124000-memory.dmpFilesize
5.6MB
-
memory/4764-136-0x0000000007D20000-0x0000000007DBC000-memory.dmpFilesize
624KB
-
memory/4764-135-0x00000000054F0000-0x00000000054FA000-memory.dmpFilesize
40KB
-
memory/4764-132-0x0000000000A80000-0x0000000000B3A000-memory.dmpFilesize
744KB