Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 08-12-2022 11:00
Static task: static1
Behavioral task: behavioral1
Sample: Ödeme Tavsiye Notu - 0000274553.PDF.exe
Resource: win7-20220901-en
General
- Target: Ödeme Tavsiye Notu - 0000274553.PDF.exe
- Size: 535KB
- MD5: 40f56e889ab81bdb74a78010b3fe006b
- SHA1: 03fb1836e3ea68ed18a41b10ce530d09f3ff3308
- SHA256: 4c143b9e9804d87732fa2ca95ddc355cb0b5944ad57f33b6fe08fac0947d32f5
- SHA512: f3b0bfd497390cfaf0e3eadc6f54f3ad804812d2cdd46654916f580bddb4be10e50d42535c96a1aa14256884490045317e5756662d460fbb592077b6d4af9894
- SSDEEP: 12288:slzAKpkuaBv1XP2uqLerOEU0iFr2FDaJ3:slDpQ/WXEU0iUDG
Malware Config
Extracted
formbook
m9ae
spirituallyzen.com
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  PID 1152 svenboa.exe
  PID 696 svenboa.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  svenboa.exe: key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation
-
Loads dropped DLL (3 IoCs)
Processes:
  PID 1492 Ödeme Tavsiye Notu - 0000274553.PDF.exe
  PID 1152 svenboa.exe
  PID 1276 msdt.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  svenboa.exe: set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\apce = "C:\\Users\\Admin\\AppData\\Roaming\\vndynyjhjpjxs\\qdhypphyeracdw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\svenboa.exe\" C:\\Users\\Admin\\App"
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 1152 svenboa.exe set thread context of PID 696 svenboa.exe
  PID 696 svenboa.exe set thread context of PID 1424 Explorer.EXE
  PID 1276 msdt.exe set thread context of PID 1424 Explorer.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
  msdt.exe: key created \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
-
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes:
  PID 696 svenboa.exe (4 IoCs)
  PID 1276 msdt.exe (23 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 1424 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
  PID 1152 svenboa.exe (1 IoC)
  PID 696 svenboa.exe (3 IoCs)
  PID 1276 msdt.exe (4 IoCs)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 696 svenboa.exe: Token SeDebugPrivilege
  PID 1276 msdt.exe: Token SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  PID 1424 Explorer.EXE (2 IoCs)
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  PID 1424 Explorer.EXE (2 IoCs)
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  PID 1492 Ödeme Tavsiye Notu - 0000274553.PDF.exe wrote to memory of PID 1152 svenboa.exe (4 IoCs)
  PID 1152 svenboa.exe wrote to memory of PID 696 svenboa.exe (5 IoCs)
  PID 1424 Explorer.EXE wrote to memory of PID 1276 msdt.exe (4 IoCs)
  PID 1276 msdt.exe wrote to memory of PID 1888 Firefox.exe (5 IoCs)
Processes
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Ödeme Tavsiye Notu - 0000274553.PDF.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ödeme Tavsiye Notu - 0000274553.PDF.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svenboa.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svenboa.exe" C:\Users\Admin\AppData\Local\Temp\stgmpxbhdcx.tyv
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\svenboa.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svenboa.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msdt.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\msdt.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
    Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\rjoqr.i
Filesize: 185KB
MD5: 5a363369f79b9aa5fb7f30c36255cdca
SHA1: ab1c4fa718eae050ffd726f23a25dac9c05f6408
SHA256: 7d0d734491e4b96aa91ddb7da56c78d6d5e6f43476c4b496b8061b5859794dca
SHA512: c10b5c08482e4acbac15f125a4d9ee19fa2af67d02809794d9b9218cb50b9b0d9b229542ee959e74806ddd69264f6fb444548f616017acac3664a8839ad3e9f1
-
C:\Users\Admin\AppData\Local\Temp\stgmpxbhdcx.tyv
Filesize: 7KB
MD5: 916c81137e81c83b2301ded71317eaf8
SHA1: 54b3b7538b9cf0648c615ab02020414213b80e98
SHA256: 18c6e9457b9571852cb9857037dcc3b17c9bcdaf50d56da147440624fad58fdf
SHA512: 5f4a9e7999a0b41e60c50d8bf36ef6c1e9435057f8999460822c9b40b7e189963a508458b9fc9d4eaadc831f3ea4b785cba8c28d320c3f8180aa99b89701e52d
-
C:\Users\Admin\AppData\Local\Temp\svenboa.exe
Filesize: 287KB
MD5: ee906eb277fa085c43d530fef366449c
SHA1: 43faf3d997e01f647f654b606d4f4e130b7d74a3
SHA256: b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b
SHA512: bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize: 810KB
MD5: c6ec991471d42128268ea10236d9cdb8
SHA1: d569350d02db6a118136220da8de40a9973084f1
SHA256: 1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0
SHA512: a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57
-
\Users\Admin\AppData\Local\Temp\svenboa.exe
Filesize: 287KB
MD5: ee906eb277fa085c43d530fef366449c
SHA1: 43faf3d997e01f647f654b606d4f4e130b7d74a3
SHA256: b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b
SHA512: bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d
-
memory/696-67-0x0000000000930000-0x0000000000C33000-memory.dmp
Filesize: 3.0MB
-
memory/696-68-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize: 8KB
-
memory/696-65-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/696-66-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize: 184KB
-
memory/696-69-0x0000000000080000-0x0000000000090000-memory.dmp
Filesize: 64KB
-
memory/696-63-0x00000000004012B0-mapping.dmp
-
memory/1152-56-0x0000000000000000-mapping.dmp
-
memory/1276-74-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize: 180KB
-
memory/1276-71-0x0000000000000000-mapping.dmp
-
memory/1276-73-0x00000000007B0000-0x00000000008A4000-memory.dmp
Filesize: 976KB
-
memory/1276-75-0x0000000002320000-0x0000000002623000-memory.dmp
Filesize: 3.0MB
-
memory/1276-76-0x0000000001E80000-0x0000000001F0F000-memory.dmp
Filesize: 572KB
-
memory/1424-70-0x0000000006A20000-0x0000000006B4F000-memory.dmp
Filesize: 1.2MB
-
memory/1424-77-0x0000000006BE0000-0x0000000006CC6000-memory.dmp
Filesize: 920KB
-
memory/1424-78-0x0000000006BE0000-0x0000000006CC6000-memory.dmp
Filesize: 920KB
-
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
Filesize: 8KB