Analysis
- max time kernel: 148s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2023 10:29
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Ziraat Bankasi Swift Mesaji.exe
  - Resource: win7-20230220-en
General
- Target: Ziraat Bankasi Swift Mesaji.exe
- Size: 293KB
- MD5: 7211ccbff4e2557e067609dcbf6839ae
- SHA1: 0780420e2f12a4cb8e6f3fb717afba2ea7e102e0
- SHA256: 856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
- SHA512: a546bc8450b220425a3e6a70a6de0df3e98bcb8d7aa2a0dd0d533e72582c852e9a85ee002eb5260e55ac8b9344ab826d7b85de9ebf97ee0248a476c99830c751
- SSDEEP: 6144:H6+/tV2ye/x3BfF+WL/uVQXXXv+fHLhTySnjprxwPLbQ7:Pn2ye/DMWL2VCv+frh+w9W87
Malware Config
Extracted: formbook 4.1 (mi94)
Signatures

Guloader, Cloudeye: A shellcode-based downloader first seen in 2020.
Formbook payload (5 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/692-92-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/692-96-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/692-104-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/1808-111-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook
- behavioral1/memory/1808-113-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes (description, ioc, process):
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, by Ziraat Bankasi Swift Mesaji.exe
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, by Ziraat Bankasi Swift Mesaji.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
- 316 Ziraat Bankasi Swift Mesaji.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes (pid, process):
- 692 Ziraat Bankasi Swift Mesaji.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid, process):
- 316 Ziraat Bankasi Swift Mesaji.exe
- 692 Ziraat Bankasi Swift Mesaji.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description, pid, process, target process):
- PID 316 set thread context of 692: Ziraat Bankasi Swift Mesaji.exe -> Ziraat Bankasi Swift Mesaji.exe
- PID 692 set thread context of 1220: Ziraat Bankasi Swift Mesaji.exe -> Explorer.EXE
- PID 692 set thread context of 1220: Ziraat Bankasi Swift Mesaji.exe -> Explorer.EXE
- PID 1808 set thread context of 1220: help.exe -> Explorer.EXE

Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh, by Ziraat Bankasi Swift Mesaji.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes (pid, process):
- 692 Ziraat Bankasi Swift Mesaji.exe (3 occurrences)
- 1808 help.exe (16 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 1220 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes (pid, process):
- 316 Ziraat Bankasi Swift Mesaji.exe (1 occurrence)
- 692 Ziraat Bankasi Swift Mesaji.exe (4 occurrences)
- 1808 help.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 692 Ziraat Bankasi Swift Mesaji.exe
- Token: SeShutdownPrivilege, 1220 Explorer.EXE
- Token: SeDebugPrivilege, 1808 help.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 1220 Explorer.EXE (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
- 1220 Explorer.EXE (2 occurrences)

Suspicious use of UnmapMainImage (1 IoC)
Processes (pid, process):
- 1220 Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description, pid, process, target process):
- PID 316 wrote to memory of 692: Ziraat Bankasi Swift Mesaji.exe -> Ziraat Bankasi Swift Mesaji.exe (5 occurrences)
- PID 692 wrote to memory of 1808: Ziraat Bankasi Swift Mesaji.exe -> help.exe (4 occurrences)
- PID 1808 wrote to memory of 528: help.exe -> cmd.exe (4 occurrences)
Processes (nested by depth in the process tree)

- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage

  - C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
      - Checks QEMU agent file
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\help.exe (depth 4)
        Command line: "C:\Windows\SysWOW64\help.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files:
- C:\Users\Admin\AppData\Roaming\DORME.ini
  - Filesize: 31B
  - MD5: 3000f7f0f12b7139ea28160c52098e25
  - SHA1: 9d032395f38d341881019b996e591160d542054b
  - SHA256: 467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
  - SHA512: a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2
- \Users\Admin\AppData\Local\Temp\nsi253.tmp\System.dll
  - Filesize: 11KB
  - MD5: e23600029d1b09bdb1d422fb4e46f5a6
  - SHA1: 5d64a2f6a257a98a689a3db9a087a0fd5f180096
  - SHA256: 7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
  - SHA512: c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

Memory dumps (file, filesize):
- memory/316-86-0x0000000003400000-0x0000000005F13000-memory.dmp: 43.1MB
- memory/316-87-0x0000000003400000-0x0000000005F13000-memory.dmp: 43.1MB
- memory/692-94-0x0000000001470000-0x0000000003F83000-memory.dmp: 43.1MB
- memory/692-89-0x0000000001470000-0x0000000003F83000-memory.dmp: 43.1MB
- memory/692-90-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/692-92-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/692-104-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/692-93-0x0000000001470000-0x0000000003F83000-memory.dmp: 43.1MB
- memory/692-96-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/692-99-0x0000000033DC0000-0x0000000033DD5000-memory.dmp: 84KB
- memory/692-98-0x0000000034220000-0x0000000034523000-memory.dmp: 3.0MB
- memory/692-107-0x0000000001470000-0x0000000003F83000-memory.dmp: 43.1MB
- memory/692-88-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/692-102-0x0000000000080000-0x0000000000095000-memory.dmp: 84KB
- memory/1220-101-0x0000000002D20000-0x0000000002E20000-memory.dmp: 1024KB
- memory/1220-103-0x00000000062E0000-0x0000000006470000-memory.dmp: 1.6MB
- memory/1220-100-0x0000000006010000-0x0000000006194000-memory.dmp: 1.5MB
- memory/1220-114-0x00000000062E0000-0x0000000006470000-memory.dmp: 1.6MB
- memory/1220-117-0x0000000006470000-0x00000000065CF000-memory.dmp: 1.4MB
- memory/1220-118-0x0000000006470000-0x00000000065CF000-memory.dmp: 1.4MB
- memory/1220-120-0x0000000006470000-0x00000000065CF000-memory.dmp: 1.4MB
- memory/1808-106-0x0000000000F60000-0x0000000000F66000-memory.dmp: 24KB
- memory/1808-108-0x0000000000F60000-0x0000000000F66000-memory.dmp: 24KB
- memory/1808-111-0x0000000000080000-0x00000000000AF000-memory.dmp: 188KB
- memory/1808-112-0x0000000000910000-0x0000000000C13000-memory.dmp: 3.0MB
- memory/1808-113-0x0000000000080000-0x00000000000AF000-memory.dmp: 188KB
- memory/1808-116-0x0000000000640000-0x00000000006D4000-memory.dmp: 592KB