Analysis

Max time kernel:  150s
Max time network: 145s
Platform:         windows10-2004_x64
Resource:         win10v2004-20230221-en
Resource tags:    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
Submitted:        27-03-2023 10:29

Static task:      static1
Behavioral task:  behavioral1
Sample:           Ziraat Bankasi Swift Mesaji.exe
Resource:         win7-20230220-en
General

Target: Ziraat Bankasi Swift Mesaji.exe
Size:   293KB
MD5:    7211ccbff4e2557e067609dcbf6839ae
SHA1:   0780420e2f12a4cb8e6f3fb717afba2ea7e102e0
SHA256: 856c3482c119fdecb777d14ef351c90a24a045cf8da8cafbb2d229619cb11bbf
SHA512: a546bc8450b220425a3e6a70a6de0df3e98bcb8d7aa2a0dd0d533e72582c852e9a85ee002eb5260e55ac8b9344ab826d7b85de9ebf97ee0248a476c99830c751
SSDEEP: 6144:H6+/tV2ye/x3BfF+WL/uVQXXXv+fHLhTySnjprxwPLbQ7:Pn2ye/DMWL2VCv+frh+w9W87
Malware Config

Extracted
  Family:   formbook
  Version:  4.1
  Campaign: mi94
Signatures

Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.

Formbook payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4948-168-0x0000000000400000-0x0000000001654000-memory.dmp  formbook
  behavioral2/memory/4948-177-0x0000000000400000-0x0000000001654000-memory.dmp  formbook
  behavioral2/memory/3968-180-0x0000000000190000-0x00000000001BF000-memory.dmp  formbook
  behavioral2/memory/3968-199-0x0000000000190000-0x00000000001BF000-memory.dmp  formbook

Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  description              ioc                                   process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  Ziraat Bankasi Swift Mesaji.exe
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  Ziraat Bankasi Swift Mesaji.exe

Loads dropped DLL (1 IoC)
  pid   process
  4808  Ziraat Bankasi Swift Mesaji.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   process
  4948  Ziraat Bankasi Swift Mesaji.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   process
  4808  Ziraat Bankasi Swift Mesaji.exe
  4948  Ziraat Bankasi Swift Mesaji.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process                          target process
  PID 4808 set thread context of 4948  4808  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
  PID 4948 set thread context of 732   4948  Ziraat Bankasi Swift Mesaji.exe  Explorer.EXE
  PID 3968 set thread context of 732   3968  control.exe                      Explorer.EXE

Drops file in Windows directory (1 IoC)
  description                   ioc                                                process
  File opened for modification  C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh  Ziraat Bankasi Swift Mesaji.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  pid   process
  4948  Ziraat Bankasi Swift Mesaji.exe  (4 entries)
  3968  control.exe                      (38 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  process
  732  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process
  4808  Ziraat Bankasi Swift Mesaji.exe  (1 entry)
  4948  Ziraat Bankasi Swift Mesaji.exe  (3 entries)
  3968  control.exe                      (2 entries)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                       pid   process
  Token: SeDebugPrivilege           4948  Ziraat Bankasi Swift Mesaji.exe
  Token: SeDebugPrivilege           3968  control.exe
  Token: SeShutdownPrivilege        732   Explorer.EXE  (4 entries)
  Token: SeCreatePagefilePrivilege  732   Explorer.EXE  (4 entries)

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process                          target process
  PID 4808 wrote to memory of 4948  4808  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe  (4 entries)
  PID 732 wrote to memory of 3968   732   Explorer.EXE                     control.exe  (3 entries)
  PID 3968 wrote to memory of 1668  3968  control.exe                      cmd.exe  (3 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
      - Checks QEMU agent file
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\nsy76AD.tmp\System.dll
  Filesize: 11KB
  MD5:      e23600029d1b09bdb1d422fb4e46f5a6
  SHA1:     5d64a2f6a257a98a689a3db9a087a0fd5f180096
  SHA256:   7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
  SHA512:   c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

C:\Users\Admin\AppData\Roaming\DORME.ini
  Filesize: 31B
  MD5:      3000f7f0f12b7139ea28160c52098e25
  SHA1:     9d032395f38d341881019b996e591160d542054b
  SHA256:   467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
  SHA512:   a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2