f85606df4b72e97d27d10edac888f969bd3dc01500a3318100cdd048c6e790e9

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 06:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Satınalma Siparişi - 44733.exe
Size

959KB
MD5

65c40c15b9c997c8aa7f3b3e417d3b1b
SHA1

9695a4e5d1ffb1fbe1eb31e7370822abfcb660d6
SHA256

f85606df4b72e97d27d10edac888f969bd3dc01500a3318100cdd048c6e790e9
SHA512

10c61f35f279acdbb6d94965913e31e204b898ef3ec8b71e3592f1cf018efd5e37165dbe2d6ac9f87491cd1dbee1bdde3af1decef7c1d189623d09d04f518674
SSDEEP

12288:wsv3iF9BgOzsl767yAaUkmhQRGX0ltIOvHlu9Gr840vg3uhshC:tv3iZzzsl7OVyYFIflu9Gsg2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
408	212	WerFault.exe	80

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
2268	powershell.exe
812	powershell.exe
212	Satınalma Siparişi - 44733.exe
212	Satınalma Siparişi - 44733.exe
2268	powershell.exe
812	powershell.exe
212	Satınalma Siparişi - 44733.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	Satınalma Siparişi - 44733.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 812	212	Satınalma Siparişi - 44733.exe	90
PID 212 wrote to memory of 812	212	Satınalma Siparişi - 44733.exe	90
PID 212 wrote to memory of 812	212	Satınalma Siparişi - 44733.exe	90
PID 212 wrote to memory of 2268	212	Satınalma Siparişi - 44733.exe	92
PID 212 wrote to memory of 2268	212	Satınalma Siparişi - 44733.exe	92
PID 212 wrote to memory of 2268	212	Satınalma Siparişi - 44733.exe	92
PID 212 wrote to memory of 3308	212	Satınalma Siparişi - 44733.exe	94
PID 212 wrote to memory of 3308	212	Satınalma Siparişi - 44733.exe	94
PID 212 wrote to memory of 3308	212	Satınalma Siparişi - 44733.exe	94

C:\Users\Admin\AppData\Local\Temp\Satınalma Siparişi - 44733.exe
"C:\Users\Admin\AppData\Local\Temp\Satınalma Siparişi - 44733.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Satınalma Siparişi - 44733.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XGKWARLoRaRTeH.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGKWARLoRaRTeH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D5D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1768
  2⤵
  - Program crash
  PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 212 -ip 212
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c4e882651d54f2697ccc75b3e0b9880f

SHA1
94a4679e6538af25efd0f5d9c363235752e95a9c

SHA256
8b809dddc38eee98208990b1035c611babf8ead9a26f6f4341db183a9a010d46

SHA512
f7345fb99842cee2dc2de1327326f0e7b1f5e830efc6272e3bad1c96aae7fd4be2c2de4b474758e1177223c8f0da0216304b8859667166839860a197638eab3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgambchh.jgc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D5D.tmp

Filesize
1KB

MD5
f5e57e663b644a1531495b98cc22d5d8

SHA1
2ccaafe31655980db4c5774a3f9b9444958f843b

SHA256
59a6f7ac00568ba0455b44fc842483e497d5b786e230c00c946d440b879ae1f8

SHA512
59c01c24a5198c66becf13835d7952b925061081bc817c6eaf738197eda00cd6b40de697f48b2f1afc87c31538167f014135f564844fa3ec3fb402da1114d753

Download Submit
memory/212-136-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/212-138-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/212-139-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/212-140-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/212-141-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/212-137-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/212-133-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/212-135-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/212-202-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/212-134-0x0000000000100000-0x00000000001F4000-memory.dmp

Filesize
976KB

Download
memory/812-147-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/812-205-0x0000000007C70000-0x0000000007C7A000-memory.dmp

Filesize
40KB

Download
memory/812-216-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/812-154-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/812-146-0x0000000005330000-0x0000000005366000-memory.dmp

Filesize
216KB

Download
memory/812-156-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/812-148-0x00000000059E0000-0x0000000006008000-memory.dmp

Filesize
6.2MB

Download
memory/812-209-0x0000000007F20000-0x0000000007F28000-memory.dmp

Filesize
32KB

Download
memory/812-176-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/812-208-0x0000000007F40000-0x0000000007F5A000-memory.dmp

Filesize
104KB

Download
memory/812-203-0x0000000008240000-0x00000000088BA000-memory.dmp

Filesize
6.5MB

Download
memory/812-149-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/812-181-0x000000006FE10000-0x000000006FE5C000-memory.dmp

Filesize
304KB

Download
memory/812-182-0x000000007F500000-0x000000007F510000-memory.dmp

Filesize
64KB

Download
memory/2268-206-0x0000000007050000-0x00000000070E6000-memory.dmp

Filesize
600KB

Download
memory/2268-215-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2268-179-0x00000000060B0000-0x00000000060E2000-memory.dmp

Filesize
200KB

Download
memory/2268-204-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/2268-178-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

Filesize
64KB

Download
memory/2268-151-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/2268-177-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/2268-193-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/2268-180-0x000000006FE10000-0x000000006FE5C000-memory.dmp

Filesize
304KB

Download
memory/2268-150-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2268-164-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/2268-155-0x0000000004B30000-0x0000000004B52000-memory.dmp

Filesize
136KB

Download
memory/2268-207-0x0000000007000000-0x000000000700E000-memory.dmp

Filesize
56KB

Download
memory/2268-152-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download