Analysis
- max time kernel: 47s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2023 20:31
Static task: static1
Behavioral task: behavioral1
- Sample: FATURA VE BELGELER.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: FATURA VE BELGELER.exe
- Resource: win10v2004-20220812-en
General
- Target: FATURA VE BELGELER.exe
- Size: 6KB
- MD5: 8cdcf9d4502ce65a9bf4fcc5f5fa54d3
- SHA1: b534efd9dd2902ab2172cc9f2f07fc8ff1acac0d
- SHA256: 53ab8d99f27bef0bdbc4a0d0a02de34254fde15d202708e379bf2ff84d2ecfef
- SHA512: 61379ff5617c577fa62c2fcbe4c2ae419f6a5f236edc7f0e1f4ceb356841fb500b0aa78291cacb0e33abf82b928058f225cfd5fb37879e71d370a6ceffd5e883
- SSDEEP: 96:DpMKEpKgeQV6lfxV9n5Hl9cItU2RM1FVbWm7atAkuaLzNt:DuKTqQl/95HnZtJy9bWqa/DN
Malware Config
Extracted
- Family: snakekeylogger
- URL: https://api.telegram.org/bot5883437677:AAHeJkSINF-WhhSkVwvmtUtf8IUR1jbdjNM/sendMessage?chat_id=5739567068
Signatures
- Detect PureCrypter injector (1 IoC)
  resource                                                                       yara_rule
  behavioral1/memory/1884-56-0x0000000005830000-0x000000000589E000-memory.dmp   family_purecrypter
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/1576-66-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1576-68-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1576-69-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1576-70-0x0000000000420BFE-mapping.dmp                     family_snakekeylogger
  behavioral1/memory/1576-72-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
  behavioral1/memory/1576-74-0x0000000000400000-0x0000000000426000-memory.dmp   family_snakekeylogger
- Disables RegEdit via registry modification (1 IoC)
  description       ioc                                                                                                                                            process
  Set value (int)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"   REG.exe
- Disables Task Manager via registry modification
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description   ioc                                                                                                                                                                       process
  Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            MSBuild.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   MSBuild.exe
  Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            MSBuild.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  6      checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid    process                  target process
  PID 1884 set thread context of 1576   1884   FATURA VE BELGELER.exe   MSBuild.exe
- Drops file in Windows directory (1 IoC)
  description                    ioc                                                       process
  File opened for modification   C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe   MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 1 IoC)
  description        ioc                                                                                                                       process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474          FATURA VE BELGELER.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (value not shown)   FATURA VE BELGELER.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    process
  764    powershell.exe
  1884   FATURA VE BELGELER.exe
  1576   MSBuild.exe
  1576   MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   1884   FATURA VE BELGELER.exe
  Token: SeDebugPrivilege   764    powershell.exe
  Token: SeDebugPrivilege   1576   MSBuild.exe
- Suspicious use of WriteProcessMemory (21 IoCs; identical entries grouped with a count)
  description                         pid    process                  target process   count
  PID 1884 wrote to memory of 764     1884   FATURA VE BELGELER.exe   powershell.exe   4
  PID 1884 wrote to memory of 928     1884   FATURA VE BELGELER.exe   MSBuild.exe      4
  PID 1884 wrote to memory of 1576    1884   FATURA VE BELGELER.exe   MSBuild.exe      9
  PID 1576 wrote to memory of 1388    1576   MSBuild.exe              REG.exe          4
- outlook_office_path (1 IoC)
  description   ioc                                                                                                                                       process
  Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   MSBuild.exe
- outlook_win_path (1 IoC)
  description   ioc                                                                                                                                                                       process
  Key opened    \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   MSBuild.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\FATURA VE BELGELER.exe"
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 20)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    - Accesses Microsoft Outlook profiles
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    (depth 3) C:\Windows\SysWOW64\REG.exe
      command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - Disables RegEdit via registry modification
      - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump                                                        size
memory/764-60-0x000000006E380000-0x000000006E92B000-memory.dmp     5.7MB
memory/764-62-0x000000006E380000-0x000000006E92B000-memory.dmp     5.7MB
memory/764-61-0x000000006E380000-0x000000006E92B000-memory.dmp     5.7MB
memory/764-58-0x0000000000000000-mapping.dmp                       -
memory/1388-76-0x0000000000000000-mapping.dmp                      -
memory/1576-63-0x0000000000400000-0x0000000000426000-memory.dmp    152KB
memory/1576-64-0x0000000000400000-0x0000000000426000-memory.dmp    152KB
memory/1576-66-0x0000000000400000-0x0000000000426000-memory.dmp    152KB
memory/1576-68-0x0000000000400000-0x0000000000426000-memory.dmp    152KB
memory/1576-69-0x0000000000400000-0x0000000000426000-memory.dmp    152KB
memory/1576-70-0x0000000000420BFE-mapping.dmp                      -
memory/1576-72-0x0000000000400000-0x0000000000426000-memory.dmp    152KB
memory/1576-74-0x0000000000400000-0x0000000000426000-memory.dmp    152KB
memory/1884-57-0x00000000060D0000-0x0000000006162000-memory.dmp    584KB
memory/1884-56-0x0000000005830000-0x000000000589E000-memory.dmp    440KB
memory/1884-54-0x00000000002C0000-0x00000000002C8000-memory.dmp    32KB
memory/1884-55-0x0000000075201000-0x0000000075203000-memory.dmp    8KB