f85606df4b72e97d27d10edac888f969bd3dc01500a3318100cdd048c6e790e9

General

Target

Satınalma Siparişi - 44733.exe
Size

959KB
MD5

65c40c15b9c997c8aa7f3b3e417d3b1b
SHA1

9695a4e5d1ffb1fbe1eb31e7370822abfcb660d6
SHA256

f85606df4b72e97d27d10edac888f969bd3dc01500a3318100cdd048c6e790e9
SHA512

10c61f35f279acdbb6d94965913e31e204b898ef3ec8b71e3592f1cf018efd5e37165dbe2d6ac9f87491cd1dbee1bdde3af1decef7c1d189623d09d04f518674
SSDEEP

12288:wsv3iF9BgOzsl767yAaUkmhQRGX0ltIOvHlu9Gr840vg3uhshC:tv3iZzzsl7OVyYFIflu9Gsg2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	1712	WerFault.exe	12

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
1712	Satınalma Siparişi - 44733.exe
2016	powershell.exe
2988	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	Satınalma Siparişi - 44733.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2988	1712	Satınalma Siparişi - 44733.exe	30
PID 1712 wrote to memory of 2988	1712	Satınalma Siparişi - 44733.exe	30
PID 1712 wrote to memory of 2988	1712	Satınalma Siparişi - 44733.exe	30
PID 1712 wrote to memory of 2988	1712	Satınalma Siparişi - 44733.exe	30
PID 1712 wrote to memory of 2016	1712	Satınalma Siparişi - 44733.exe	32
PID 1712 wrote to memory of 2016	1712	Satınalma Siparişi - 44733.exe	32
PID 1712 wrote to memory of 2016	1712	Satınalma Siparişi - 44733.exe	32
PID 1712 wrote to memory of 2016	1712	Satınalma Siparişi - 44733.exe	32
PID 1712 wrote to memory of 2908	1712	Satınalma Siparişi - 44733.exe	34
PID 1712 wrote to memory of 2908	1712	Satınalma Siparişi - 44733.exe	34
PID 1712 wrote to memory of 2908	1712	Satınalma Siparişi - 44733.exe	34
PID 1712 wrote to memory of 2908	1712	Satınalma Siparişi - 44733.exe	34
PID 1712 wrote to memory of 2764	1712	Satınalma Siparişi - 44733.exe	36
PID 1712 wrote to memory of 2764	1712	Satınalma Siparişi - 44733.exe	36
PID 1712 wrote to memory of 2764	1712	Satınalma Siparişi - 44733.exe	36
PID 1712 wrote to memory of 2764	1712	Satınalma Siparişi - 44733.exe	36

C:\Users\Admin\AppData\Local\Temp\Satınalma Siparişi - 44733.exe
"C:\Users\Admin\AppData\Local\Temp\Satınalma Siparişi - 44733.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Satınalma Siparişi - 44733.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XGKWARLoRaRTeH.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGKWARLoRaRTeH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63F1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1040
  2⤵
  - Program crash
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp63F1.tmp

Filesize
1KB

MD5
0ee391ba02d7e7ae908eaf57f24b2ece

SHA1
b5ea1281e4e9c7e8d82a9dff932093ad871e391d

SHA256
08d15b27f562e5759e59ae1f76737e4ec586e116e10549ffe22374b4aabf83ec

SHA512
4b32d76fb0bd1b747b3580dbc09950bd51af4ac2256be412834a529a080df292f317c0e3bae47ebf5ceefced9fec0a648fa5330db0d33d95faa9105c24862efc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3GYUKMRUYJUIMLX904B7.temp

Filesize
7KB

MD5
125e94353048d6f5a67f96e31bf93b92

SHA1
27100d993c2508fa69441abca9d6324517ca71bb

SHA256
80d21b84fe08c21a7765dd6e103bd79718f6554e1f486fe7883c73e2fcf951a0

SHA512
ad7f40ce997f47d545d5b1275a0b2cf0dc107ffb9d1c7d5cb73cc0c20f3afed76196c62f078bc8e380048d69d779f3e689e0179835c77ce22b5d232f4c3c9e23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
125e94353048d6f5a67f96e31bf93b92

SHA1
27100d993c2508fa69441abca9d6324517ca71bb

SHA256
80d21b84fe08c21a7765dd6e103bd79718f6554e1f486fe7883c73e2fcf951a0

SHA512
ad7f40ce997f47d545d5b1275a0b2cf0dc107ffb9d1c7d5cb73cc0c20f3afed76196c62f078bc8e380048d69d779f3e689e0179835c77ce22b5d232f4c3c9e23

Download Submit
memory/1712-59-0x0000000001080000-0x00000000010C0000-memory.dmp

Filesize
256KB

Download
memory/1712-58-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-54-0x0000000001210000-0x0000000001304000-memory.dmp

Filesize
976KB

Download
memory/1712-60-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/1712-61-0x0000000006090000-0x0000000006126000-memory.dmp

Filesize
600KB

Download
memory/1712-57-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/1712-56-0x0000000001080000-0x00000000010C0000-memory.dmp

Filesize
256KB

Download
memory/1712-55-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-79-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2016-76-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2016-78-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-74-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-81-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2016-84-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-75-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-77-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-80-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/2988-82-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/2988-83-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads