Analysis
-
max time kernel
147s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
17-04-2023 12:31
Static task
static1
Behavioral task
behavioral1
Sample
Ziraat Bankasi Swift Mesaji_pdf.exe
Resource
win7-20230220-en
General
-
Target
Ziraat Bankasi Swift Mesaji_pdf.exe
-
Size
367KB
-
MD5
b202fbf7da253a4eb12808791ad0a4c5
-
SHA1
04577bf9f9a526612533547eac8538eae371af2d
-
SHA256
cd24796ce83ec93f4e5e116d5402986cca52840cf878f7cdedc63f865734d409
-
SHA512
cb738d3c8b1a96ef652c1d3e6d0dad01ec174b5f5f772dff8ac522d92a0d91456ce8a7de6cf1846b6ecfbe73cbf56dfe5115daee591af6767127509a8229cb9c
-
SSDEEP
6144:wT5Uzm/ONiIvlIxyOPZ06YUOHB/ZXIsy9/l/uzYf5CW1CQ64B6GuWhWJJgRPGCWp:wT5j6l4C6YlHcsy9NH5CaC98JujJgRPM
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: be83
Domains (Formbook configs embed decoy domains alongside the live C2 host, so not every entry below is malicious infrastructure; treat each as a hunting indicator rather than a confirmed C2):
woodlandscancercare.org.uk
hosting-delightful.lol
bilpreco.com
diplomk-v-habarovske.com
dzgck.com
jsdappraisals.com
digitalnishant.com
bluevibesgift.com
wowchershoo.co.uk
eudoriaofficial.online
ourcampaign2024.net
barlogcode.com
calmingscents.biz
thewaterfallproject.africa
www-1911.com
cigapp.online
wooddroppers.africa
casmiya.com
haruminailbar.com
drivermindset.com
kittysew.com
codinformer.com
carextra247.co.uk
hackldesign.com
jollyshopping.shop
ibufalari.com
cloudcapgear.com
afro.fitness
liverightseniorcareinc.com
imetmyselfinyou.com
easy-exchange.net
crowesnestvenue.com
bigszeieveryone.com
excavatorsmachines.com
39gaokk.com
cedarcreekmartinsville.com
lcllog.com
buylikeking.com
ag1elite.com
burnoutstudio.co.uk
aldafiq.com
foxdamold.com
doanses2022.click
bellanight.net
mouhc.online
carlosarenas.online
datifybase.com
allinahealthaetna.rsvp
alanmockler.com
jeevesalarm.com
fixmaster.africa
goxoasantander.com
austinmotorvillage.net
homespreadmechanics.com
irvinedigitalrealty.com
lacigalerouge.com
bjhybaobiao.com
channamphat.com
hotelmalabarresort.com
honstarnet.com
3dseal.online
heureka-health.ch
efefwonder.buzz
migswelders.com
777584.com
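The domain list above is the part of the config a defender can act on, but Formbook mixes its real C2 with decoy domains, several of which look like ordinary websites, so a DNS hit is a reason to pivot to that host's process telemetry rather than an automatic block. The following is an added example, not part of the sandbox report: it normalises a subset of the extracted domains into suffix-matching indicators and runs them over constructed, Zeek-style tab-separated DNS log lines (timestamp, source IP, query, query type). The log lines and the four-column format are invented for the demo; the family, version, campaign ID and domains come from the config above.

```python
"""Hunt DNS telemetry for the Formbook domain list extracted above.

Added example (not sandbox output).  Indicators below are a subset of the
extracted config; the DNS log lines are constructed for the demonstration.
"""
from __future__ import annotations

# Fields shown in the extracted config on this page.
FORMBOOK_CONFIG = {"family": "formbook", "version": "4.1", "campaign": "be83"}

# Subset of the extracted domain list (the full list is above).  Formbook pads
# its config with decoy domains, so a match is a lead, not a verdict.
FORMBOOK_DOMAINS = [
    "woodlandscancercare.org.uk", "hosting-delightful.lol", "bilpreco.com",
    "dzgck.com", "www-1911.com", "thewaterfallproject.africa", "777584.com",
    "efefwonder.buzz", "allinahealthaetna.rsvp",
]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot resolvers append to FQDNs."""
    return name.strip().rstrip(".").lower()


INDICATORS = sorted({normalize(d) for d in FORMBOOK_DOMAINS})


def match_indicator(qname: str, indicators=INDICATORS):
    """Return the indicator that qname equals or is a subdomain of, else None.

    The leading dot in the suffix test keeps look-alikes such as
    'notdzgck.com' from matching 'dzgck.com'.
    """
    q = normalize(qname)
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


# Constructed, Zeek-like DNS records: ts \t source IP \t query \t qtype
SAMPLE_DNS_LOG = (
    "1681734661.101\t10.0.0.21\twww.woodlandscancercare.org.uk\tA\n"
    "1681734662.455\t10.0.0.21\tnotdzgck.com\tA\n"
    "1681734663.002\t10.0.0.33\tWWW-1911.COM.\tA\n"
    "1681734664.780\t10.0.0.21\tupdate.microsoft.com\tA\n"
    "1681734665.311\t10.0.0.45\tefefwonder.buzz\tAAAA\n"
)


def parse_dns_line(line: str) -> dict:
    ts, src, qname, qtype = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "query": qname, "qtype": qtype}


def hunt(lines, indicators=INDICATORS) -> list[dict]:
    """Return every record whose query matches a Formbook indicator."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_dns_line(line)
        ind = match_indicator(rec["query"], indicators)
        if ind is not None:
            hits.append({**rec, "indicator": ind})
    return hits


def hosts_to_triage(hits) -> list[str]:
    """Distinct source IPs that resolved an indicator; pivot to their process logs next."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_LOG.splitlines(keepends=True)):
        print(f'{h["src"]} -> {h["query"]} matched {h["indicator"]}')
    print("hosts to triage:", hosts_to_triage(hunt(SAMPLE_DNS_LOG.splitlines(keepends=True))))
```

Run it against real resolver or Zeek dns.log exports by swapping the constructed block for a file read; the suffix test is deliberately exact so that a decoy domain's legitimate traffic from unrelated hosts still shows up for review rather than being silently blocked.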
Signatures
-
Formbook payload 4 IoCs
Processes: PID 544 (Ziraat Bankasi Swift Mesaji_pdf.exe), PID 1808 (wininit.exe)
resource | yara_rule
behavioral1/memory/544-80-0x0000000000400000-0x0000000001462000-memory.dmp | formbook
behavioral1/memory/544-88-0x0000000000400000-0x0000000001462000-memory.dmp | formbook
behavioral1/memory/1808-90-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/1808-92-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe (both the dropper and its hollowed child)
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Ziraat Bankasi Swift Mesaji_pdf.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Ziraat Bankasi Swift Mesaji_pdf.exe
-
Loads dropped DLL 1 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe
pid | process
1380 | Ziraat Bankasi Swift Mesaji_pdf.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe
pid | process
544 | Ziraat Bankasi Swift Mesaji_pdf.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe (both instances)
pid | process
1380 | Ziraat Bankasi Swift Mesaji_pdf.exe
544 | Ziraat Bankasi Swift Mesaji_pdf.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe, Ziraat Bankasi Swift Mesaji_pdf.exe, wininit.exe
description | pid | process | target process
PID 1380 set thread context of 544 | 1380 | Ziraat Bankasi Swift Mesaji_pdf.exe | Ziraat Bankasi Swift Mesaji_pdf.exe
PID 544 set thread context of 1264 | 544 | Ziraat Bankasi Swift Mesaji_pdf.exe | Explorer.EXE
PID 1808 set thread context of 1264 | 1808 | wininit.exe | Explorer.EXE
-
Drops file in Windows directory 1 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe
description | ioc | process
File opened for modification | C:\Windows\Hemichordate.Ros | Ziraat Bankasi Swift Mesaji_pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording is the sandbox's stock description for this signature; nothing else in this report (no mass file modification, no ransom note, and a Formbook stealer config) supports that reading, so treat it as generic drive enumeration.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe, wininit.exe
pid | process | events
544 | Ziraat Bankasi Swift Mesaji_pdf.exe | 2
1808 | wininit.exe | 13
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1264 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe, Ziraat Bankasi Swift Mesaji_pdf.exe, wininit.exe
pid | process | events
1380 | Ziraat Bankasi Swift Mesaji_pdf.exe | 1
544 | Ziraat Bankasi Swift Mesaji_pdf.exe | 3
1808 | wininit.exe | 2
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe, Explorer.EXE, wininit.exe
description | pid | process
Token: SeDebugPrivilege | 544 | Ziraat Bankasi Swift Mesaji_pdf.exe
Token: SeShutdownPrivilege | 1264 | Explorer.EXE
Token: SeDebugPrivilege | 1808 | wininit.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process | events
1264 | Explorer.EXE | 2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process | events
1264 | Explorer.EXE | 2
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: Ziraat Bankasi Swift Mesaji_pdf.exe, Explorer.EXE, wininit.exe
description | pid | process | target process | events
PID 1380 wrote to memory of 544 | 1380 | Ziraat Bankasi Swift Mesaji_pdf.exe | Ziraat Bankasi Swift Mesaji_pdf.exe | 5
PID 1264 wrote to memory of 1808 | 1264 | Explorer.EXE | wininit.exe | 4
PID 1808 wrote to memory of 1572 | 1808 | wininit.exe | cmd.exe | 4
Processes
-
(PIDs below are taken from the signature tables above; indentation shows the parent/child depth.)

C:\Windows\Explorer.EXE (PID 1264)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji_pdf.exe (PID 1380, dropper stage)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji_pdf.exe"
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji_pdf.exe (PID 544, hollowed copy of itself carrying the Formbook payload)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji_pdf.exe"
      - Checks QEMU agent file
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wininit.exe (PID 1808, spawned by the injected Explorer.EXE as the final injection host)
    Command line: "C:\Windows\SysWOW64\wininit.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1572, deletes the original dropper)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji_pdf.exe"
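The tree and the SetThreadContext / WriteProcessMemory tables together describe the classic Formbook chain: the dropper hollows a second copy of itself, that copy hijacks a thread in Explorer.EXE, the injected Explorer starts a 32-bit wininit.exe from SysWOW64 and writes into it, and wininit.exe finally deletes the dropper through cmd.exe. The following is an added detection example, not code from the sandbox or the malware: it encodes those relationships as rules over a Sysmon-like event stream. The EVENTS list is a hand-built reconstruction of this page's tree and signature tables (PIDs, image paths, API names and command lines are the report's; the event ordering follows the tree; the root Explorer.EXE entry with parent 0 is added because its creation is outside the trace). The one outside fact the rules rely on is that the genuine wininit.exe is started once at boot by smss.exe from System32, never by the shell from SysWOW64.

```python
"""Rules for the process-hollowing / Explorer-injection chain in the tree above.

Added example, not sandbox code.  EVENTS reconstructs this report's process
tree and signature tables as Sysmon-like records; see the lead-in for what
is copied from the page and what is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji_pdf.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
WININIT = r"C:\Windows\SysWOW64\wininit.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
QEMU_GA = r"C:\Program Files\Qemu-ga\qemu-ga.exe"


@dataclass(frozen=True)
class Event:
    kind: str             # "proc_create" | "inject" | "file_open"
    pid: int              # acting process
    image: str            # acting process image path
    ppid: int = 0         # proc_create: parent pid
    cmdline: str = ""     # proc_create: command line
    target_pid: int = 0   # inject: victim pid
    target_image: str = ""
    api: str = ""         # inject: WriteProcessMemory | SetThreadContext
    path: str = ""        # file_open: file path


# Reconstructed from the report (PID 1264 root added; its parent is unknown here).
EVENTS = [
    Event("proc_create", 1264, EXPLORER, ppid=0, cmdline=EXPLORER),
    Event("proc_create", 1380, SAMPLE, ppid=1264, cmdline=f'"{SAMPLE}"'),
    Event("file_open", 1380, SAMPLE, path=QEMU_GA),
    Event("proc_create", 544, SAMPLE, ppid=1380, cmdline=f'"{SAMPLE}"'),
    Event("inject", 1380, SAMPLE, target_pid=544, target_image=SAMPLE, api="WriteProcessMemory"),
    Event("inject", 1380, SAMPLE, target_pid=544, target_image=SAMPLE, api="SetThreadContext"),
    Event("file_open", 544, SAMPLE, path=QEMU_GA),
    Event("inject", 544, SAMPLE, target_pid=1264, target_image=EXPLORER, api="SetThreadContext"),
    Event("proc_create", 1808, WININIT, ppid=1264, cmdline=f'"{WININIT}"'),
    Event("inject", 1264, EXPLORER, target_pid=1808, target_image=WININIT, api="WriteProcessMemory"),
    Event("inject", 1808, WININIT, target_pid=1264, target_image=EXPLORER, api="SetThreadContext"),
    Event("proc_create", 1572, CMD, ppid=1808, cmdline=f'/c del "{SAMPLE}"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list[tuple]:
    """Return (rule, actor_pid, detail) findings for the Formbook-style chain."""
    procs = {e.pid: e for e in events if e.kind == "proc_create"}
    findings = []
    for e in events:
        if e.kind == "file_open" and basename(e.path) == "qemu-ga.exe":
            findings.append(("anti_vm_qemu_agent_probe", e.pid, e.path))
        elif e.kind == "proc_create":
            parent = procs.get(e.ppid)
            # Real wininit.exe is a boot-time child of smss.exe under System32; one started by
            # the shell (here from SysWOW64) is an injection host.
            if basename(e.image) == "wininit.exe" and parent and basename(parent.image) == "explorer.exe":
                findings.append(("wininit_spawned_by_explorer", e.pid, e.image))
            # cmd.exe /c del <image of a process already in the chain> is dropper self-deletion.
            if basename(e.image) == "cmd.exe" and "/c del" in e.cmdline.lower():
                for p in procs.values():
                    if p.image.lower() in e.cmdline.lower():
                        findings.append(("self_delete_of_dropper", e.pid, p.image))
                        break
        elif e.kind == "inject":
            victim = procs.get(e.target_pid)
            # Parent rewrites the thread context of a child with its own image: hollowing.
            if (e.api == "SetThreadContext" and victim and victim.ppid == e.pid
                    and basename(victim.image) == basename(e.image)):
                findings.append(("self_hollowing", e.pid, e.target_pid))
            if basename(e.target_image) == "explorer.exe" and e.api == "SetThreadContext":
                findings.append(("explorer_thread_hijack", e.pid, e.target_pid))
            # Explorer writing into a process it just spawned is the shell being used as a loader.
            if (basename(e.image) == "explorer.exe" and e.api == "WriteProcessMemory"
                    and victim and victim.ppid == e.pid):
                findings.append(("explorer_writes_into_own_child", e.pid, e.target_pid))
    return findings


def rules_fired(findings) -> list[str]:
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Each rule keys on a relationship (parent/child image equality, shell as injector, boot binary with the wrong parent and directory) rather than on the sample's file name or hashes, so the same logic carries over to other Formbook builds that pick a different SysWOW64 host binary.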
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\DORME.ini
Filesize 31B
MD5 3000f7f0f12b7139ea28160c52098e25
SHA1 9d032395f38d341881019b996e591160d542054b
SHA256 467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
SHA512 a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2
-
\Users\Admin\AppData\Local\Temp\nsyFC9A.tmp\System.dll
(An ns*.tmp\System.dll drop is the NSIS System plug-in, so the outer file is an NSIS installer wrapper; this is the "dropped DLL" loaded by PID 1380.)
Filesize 12KB
MD5 d968cb2b98b83c03a9f02dd9b8df97dc
SHA1 d784c9b7a92dce58a5038beb62a48ff509e166a0
SHA256 a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
SHA512 2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e
-
Memory dumps (name encodes pid-sequence-start-end) | Filesize
memory/544-85-0x0000000001470000-0x00000000063F5000-memory.dmp | 79.5MB
memory/544-84-0x00000000364B0000-0x00000000364C4000-memory.dmp | 80KB
memory/544-78-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
memory/544-80-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
memory/544-81-0x0000000001470000-0x00000000063F5000-memory.dmp | 79.5MB
memory/544-82-0x0000000036630000-0x0000000036933000-memory.dmp | 3.0MB
memory/544-88-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
memory/544-77-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
memory/544-76-0x0000000000400000-0x0000000001462000-memory.dmp | 16.4MB
memory/1264-101-0x0000000006B90000-0x0000000006CFE000-memory.dmp | 1.4MB
memory/1264-94-0x00000000037A0000-0x00000000038A0000-memory.dmp | 1024KB
memory/1264-83-0x00000000060F0000-0x000000000623C000-memory.dmp | 1.3MB
memory/1264-98-0x0000000006B90000-0x0000000006CFE000-memory.dmp | 1.4MB
memory/1264-97-0x0000000006B90000-0x0000000006CFE000-memory.dmp | 1.4MB
memory/1264-95-0x00000000060F0000-0x000000000623C000-memory.dmp | 1.3MB
memory/1808-86-0x0000000000930000-0x000000000094A000-memory.dmp | 104KB
memory/1808-92-0x0000000000080000-0x00000000000AF000-memory.dmp | 188KB
memory/1808-96-0x0000000000370000-0x0000000000403000-memory.dmp | 588KB
memory/1808-91-0x0000000002070000-0x0000000002373000-memory.dmp | 3.0MB
memory/1808-90-0x0000000000080000-0x00000000000AF000-memory.dmp | 188KB
memory/1808-87-0x0000000000930000-0x000000000094A000-memory.dmp | 104KB
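The dump names above pack the PID and the virtual address range into the file name, and the Formbook YARA hits in the Signatures section refer to the same names. The following added example (not sandbox code) parses that naming scheme, recomputes each region's size from its start and end address to confirm the printed sizes are consistent, and turns the two YARA-tagged regions into (pid, start, end) tuples a practitioner can carve from a full memory image. The region names, printed sizes and tagged names are copied from this page; the rounding rule in format_size is inferred from those printed values and is an assumption about the report generator.

```python
"""Parse Triage-style memory dump names and cross-check them against the report.

Added example, not part of the sandbox output.  REPORTED and FORMBOOK_TAGGED
are copied from this page; format_size reproduces the rounding the printed
sizes appear to use (an inference, not documented behaviour).
"""
from __future__ import annotations

import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# One entry per distinct region from the table above, with the printed size.
REPORTED = [
    ("memory/544-85-0x0000000001470000-0x00000000063F5000-memory.dmp", "79.5MB"),
    ("memory/544-84-0x00000000364B0000-0x00000000364C4000-memory.dmp", "80KB"),
    ("memory/544-80-0x0000000000400000-0x0000000001462000-memory.dmp", "16.4MB"),
    ("memory/544-82-0x0000000036630000-0x0000000036933000-memory.dmp", "3.0MB"),
    ("memory/1264-94-0x00000000037A0000-0x00000000038A0000-memory.dmp", "1024KB"),
    ("memory/1264-101-0x0000000006B90000-0x0000000006CFE000-memory.dmp", "1.4MB"),
    ("memory/1264-83-0x00000000060F0000-0x000000000623C000-memory.dmp", "1.3MB"),
    ("memory/1808-92-0x0000000000080000-0x00000000000AF000-memory.dmp", "188KB"),
    ("memory/1808-96-0x0000000000370000-0x0000000000403000-memory.dmp", "588KB"),
    ("memory/1808-91-0x0000000002070000-0x0000000002373000-memory.dmp", "3.0MB"),
    ("memory/1808-86-0x0000000000930000-0x000000000094A000-memory.dmp", "104KB"),
]

# Regions the report's YARA rule tagged as Formbook (one per distinct range).
FORMBOOK_TAGGED = [
    "behavioral1/memory/544-80-0x0000000000400000-0x0000000001462000-memory.dmp",
    "behavioral1/memory/1808-90-0x0000000000080000-0x00000000000AF000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def format_size(nbytes: int) -> str:
    """Assumed report rounding: whole KiB up to and including 1 MiB, else MiB to one decimal."""
    if nbytes <= 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_sizes(reported) -> list[str]:
    """Names whose printed size disagrees with the address range; empty means consistent."""
    return [name for name, printed in reported
            if format_size(parse_dump_name(name)["size"]) != printed]


def regions_by_pid(reported) -> dict[int, list[tuple[int, int]]]:
    out = defaultdict(list)
    for name, _ in reported:
        r = parse_dump_name(name)
        out[r["pid"]].append((r["start"], r["end"]))
    return {pid: sorted(v) for pid, v in out.items()}


def tagged_ranges(tagged) -> list[tuple[int, int, int, bool]]:
    """(pid, start, end, at_default_image_base) for each YARA-tagged dump.

    0x400000 is the default image base of a 32-bit EXE, so a tagged region
    starting there is the hollowed main module; elsewhere it is injected code.
    """
    out = []
    for name in tagged:
        r = parse_dump_name(name)
        out.append((r["pid"], r["start"], r["end"], r["start"] == 0x400000))
    return out


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORTED))
    for pid, start, end, at_base in tagged_ranges(FORMBOOK_TAGGED):
        print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({'hollowed image' if at_base else 'injected region'})")
```

The two tagged ranges tell the two halves of the story: PID 544 carries Formbook in its own image base (the hollowed copy of the dropper), while PID 1808 carries it in a 188KB region well below its image, which is what an injected payload in the wininit.exe host looks like.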