Analysis
-
max time kernel
297s -
max time network
302s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
10-01-2023 13:46
Static task
static1
Behavioral task
behavioral1
Sample
satın alma emri.exe
Resource
win7-20220812-en
General
-
Target
satın alma emri.exe
-
Size
487KB
-
MD5
2835d7df2d359384850fde1118d404e9
-
SHA1
c855c1b467018305ffc888dcacb6c3cefe770d46
-
SHA256
00a3aca00bfdb0a069304055c547544673f4567e73269fdb324de62f0bce75b1
-
SHA512
0c2eb10575809127f8253c2813c3e8b719368334d5be8db082dd1948a9ab4e2979e9e9b0b8b0bbae893a44a9eae76a1606507582a34aee25a448b8bad633ade8
-
SSDEEP
12288:aYmoYpOURMrRGYrJ67/CPe+MUads07QSpJFIA:aYcoUiFf62JhaK0PlH
Malware Config
Extracted
formbook
4.1
tc10
Signatures
-
Formbook payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/940-65-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
behavioral1/memory/940-72-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
behavioral1/memory/1692-75-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook
Executes dropped EXE 2 IoCs
Processes:
pid   process
1928  lktvmstysq.exe
940   lktvmstysq.exe
Loads dropped DLL 3 IoCs
Processes:
pid   process
2036  satın alma emri.exe
2036  satın alma emri.exe
1928  lktvmstysq.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   process         target process
PID 1928 set thread context of 940   1928  lktvmstysq.exe  lktvmstysq.exe
PID 940 set thread context of 1212   940   lktvmstysq.exe  Explorer.EXE
PID 940 set thread context of 1212   940   lktvmstysq.exe  Explorer.EXE
PID 1692 set thread context of 1212  1692  chkdsk.exe      Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description        ioc                                                       process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
pid   process
940   lktvmstysq.exe
940   lktvmstysq.exe
940   lktvmstysq.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
1692  chkdsk.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1212  Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid   process
1928  lktvmstysq.exe
940   lktvmstysq.exe
940   lktvmstysq.exe
940   lktvmstysq.exe
940   lktvmstysq.exe
1692  chkdsk.exe
1692  chkdsk.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     940   lktvmstysq.exe
Token: SeDebugPrivilege     1692  chkdsk.exe
Token: SeShutdownPrivilege  1212  Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
1212  Explorer.EXE
1212  Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process
1212  Explorer.EXE
1212  Explorer.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description                       pid   process              target process
PID 2036 wrote to memory of 1928  2036  satın alma emri.exe  lktvmstysq.exe
PID 2036 wrote to memory of 1928  2036  satın alma emri.exe  lktvmstysq.exe
PID 2036 wrote to memory of 1928  2036  satın alma emri.exe  lktvmstysq.exe
PID 2036 wrote to memory of 1928  2036  satın alma emri.exe  lktvmstysq.exe
PID 1928 wrote to memory of 940   1928  lktvmstysq.exe       lktvmstysq.exe
PID 1928 wrote to memory of 940   1928  lktvmstysq.exe       lktvmstysq.exe
PID 1928 wrote to memory of 940   1928  lktvmstysq.exe       lktvmstysq.exe
PID 1928 wrote to memory of 940   1928  lktvmstysq.exe       lktvmstysq.exe
PID 1928 wrote to memory of 940   1928  lktvmstysq.exe       lktvmstysq.exe
PID 940 wrote to memory of 1692   940   lktvmstysq.exe       chkdsk.exe
PID 940 wrote to memory of 1692   940   lktvmstysq.exe       chkdsk.exe
PID 940 wrote to memory of 1692   940   lktvmstysq.exe       chkdsk.exe
PID 940 wrote to memory of 1692   940   lktvmstysq.exe       chkdsk.exe
PID 1692 wrote to memory of 1376  1692  chkdsk.exe           cmd.exe
PID 1692 wrote to memory of 1376  1692  chkdsk.exe           cmd.exe
PID 1692 wrote to memory of 1376  1692  chkdsk.exe           cmd.exe
PID 1692 wrote to memory of 1376  1692  chkdsk.exe           cmd.exe
Processes
-
Path: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Tree depth: 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Path: C:\Users\Admin\AppData\Local\Temp\satın alma emri.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\satın alma emri.exe"
Tree depth: 2
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Path: C:\Users\Admin\AppData\Local\Temp\lktvmstysq.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\lktvmstysq.exe" C:\Users\Admin\AppData\Local\Temp\oemjvdasg.ckc
Tree depth: 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
Path: C:\Users\Admin\AppData\Local\Temp\lktvmstysq.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\lktvmstysq.exe"
Tree depth: 4
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\autoconv.exe
Command line: "C:\Windows\SysWOW64\autoconv.exe"
Tree depth: 5
-
Path: C:\Windows\SysWOW64\chkdsk.exe
Command line: "C:\Windows\SysWOW64\chkdsk.exe"
Tree depth: 5
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\lktvmstysq.exe"
Tree depth: 6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\kgenmlobjm.gyf
Filesize
205KB
MD5
9fa260c7fa876084b938a3de39ac5ef4
SHA1
8fa1150192f4b8498878fd9144c00ab03f66c19b
SHA256
2a93da7c0fe739ac96a3f323bded713dc2e4ae1f7c79dbdff47e0f515df85a5c
SHA512
e50a9a797af782e75c13f29b225f01796f41ed6f7433497acc3a3454ea9f91b0409d2b90c96ef03a8455d1995ad600f4ab246211ce83acc5e74dd0407349d861
-
C:\Users\Admin\AppData\Local\Temp\lktvmstysq.exe
Filesize
84KB
MD5
141563c08cf578669dc1f32b4efc37a7
SHA1
18472b2b477f641fb8044601974dfe10afd137ee
SHA256
f94b39222ad2e24d867dc8a1cb1c3631f48884121c8acd6307a2bf12f1f73636
SHA512
bd3ab408c5d19570078d2fcb3457691abcc25016e1c503b412c1fdc88f00ff3d52684c77e79e3c87b28d149c1a9592303dc40efa6abfe2012916f5a842ce0dcb
-
C:\Users\Admin\AppData\Local\Temp\oemjvdasg.ckc
Filesize
5KB
MD5
0a743599ce10d0448b1deba94a0c8a54
SHA1
8fa6705e0710aac1cb7f2d42a56adb406c70ca94
SHA256
9c81427ce7bcef6a0055f46ca0e151eff4a79493996592a8effa5fc39cedc389
SHA512
782a6817f4acd5148985b5ce8a637fbd1d0e1bc078add9c9b9cfc9a3cfb60a83cf65126a91552b2f7f9d1b263f5b4ddc62ac753c0ccc1200551560e020560752
-
\Users\Admin\AppData\Local\Temp\lktvmstysq.exe
Filesize
84KB
MD5
141563c08cf578669dc1f32b4efc37a7
SHA1
18472b2b477f641fb8044601974dfe10afd137ee
SHA256
f94b39222ad2e24d867dc8a1cb1c3631f48884121c8acd6307a2bf12f1f73636
SHA512
bd3ab408c5d19570078d2fcb3457691abcc25016e1c503b412c1fdc88f00ff3d52684c77e79e3c87b28d149c1a9592303dc40efa6abfe2012916f5a842ce0dcb
-
memory/940-66-0x0000000000730000-0x0000000000A33000-memory.dmp
Filesize
3.0MB
-
memory/940-65-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/940-67-0x0000000000330000-0x0000000000344000-memory.dmp
Filesize
80KB
-
memory/940-69-0x00000000003A0000-0x00000000003B4000-memory.dmp
Filesize
80KB
-
memory/940-63-0x000000000041F0E0-mapping.dmp
-
memory/940-72-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/1212-79-0x0000000004E90000-0x0000000004FBF000-memory.dmp
Filesize
1.2MB
-
memory/1212-78-0x0000000004E90000-0x0000000004FBF000-memory.dmp
Filesize
1.2MB
-
memory/1212-68-0x0000000006350000-0x00000000064D3000-memory.dmp
Filesize
1.5MB
-
memory/1212-70-0x0000000003DE0000-0x0000000003EC6000-memory.dmp
Filesize
920KB
-
memory/1376-73-0x0000000000000000-mapping.dmp
-
memory/1692-71-0x0000000000000000-mapping.dmp
-
memory/1692-74-0x0000000000A90000-0x0000000000A97000-memory.dmp
Filesize
28KB
-
memory/1692-75-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize
188KB
-
memory/1692-76-0x0000000002030000-0x0000000002333000-memory.dmp
Filesize
3.0MB
-
memory/1692-77-0x0000000001EA0000-0x0000000001F33000-memory.dmp
Filesize
588KB
-
memory/1928-57-0x0000000000000000-mapping.dmp
-
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp
Filesize
8KB