f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048

General

Target

f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe
Size

18.7MB
MD5

a774e1965dea429e097e4a3e1bef0943
SHA1

9895a3def0ccefd717ee85befb7c3b314191b0bf
SHA256

f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048
SHA512

797523f8041d4ffe0c4fdf52f78f76a384f7c035de7033729bad662a4a040fec53708aef195d59a89a4f3e62e74dfeb1ef31337f56b6d6403d9f0d0057cbf69a
SSDEEP

393216:bEiSqiDF6iKc6WPdi6G4Z79eT19l52n+GtHfVoVStC7G8gOgAibGUBAF:4iUDFsDWdPZQT1I+GwXGVVyRF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2600	şirket-ruhsat.pdf.exe
820	şirket-ruhsat.pdf.exe

Loads dropped DLL 1 IoCs

pid	Process
820	şirket-ruhsat.pdf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c857-173.dat	upx
behavioral1/files/0x000500000001c857-174.dat	upx
behavioral1/memory/820-175-0x000007FEF6080000-0x000007FEF6668000-memory.dmp	upx

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000012023-62.dat	pyinstaller
behavioral1/files/0x0009000000012023-60.dat	pyinstaller
behavioral1/files/0x0009000000012023-61.dat	pyinstaller
behavioral1/files/0x0009000000012023-172.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2160	AcroRd32.exe
2160	AcroRd32.exe
2160	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2160	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	28
PID 2460 wrote to memory of 2160	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	28
PID 2460 wrote to memory of 2160	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	28
PID 2460 wrote to memory of 2160	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	28
PID 2460 wrote to memory of 2600	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	29
PID 2460 wrote to memory of 2600	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	29
PID 2460 wrote to memory of 2600	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	29
PID 2460 wrote to memory of 2600	2460	f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe	29
PID 2600 wrote to memory of 820	2600	şirket-ruhsat.pdf.exe	30
PID 2600 wrote to memory of 820	2600	şirket-ruhsat.pdf.exe	30
PID 2600 wrote to memory of 820	2600	şirket-ruhsat.pdf.exe	30

C:\Users\Admin\AppData\Local\Temp\f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe
"C:\Users\Admin\AppData\Local\Temp\f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\BNG 824 ruhsat.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2160
- C:\şirket-ruhsat.pdf.exe
  "C:\şirket-ruhsat.pdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\şirket-ruhsat.pdf.exe
    "C:\şirket-ruhsat.pdf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BNG 824 ruhsat.pdf

Filesize
176KB

MD5
0758c56672f29aa493d955ced3682239

SHA1
3419c3731df1df2bef00e997e7ac398324b14a4a

SHA256
5aff2c5e65d8e4e7fa0b0c310fbaef1e1da351de34fa5f1b83bfe17eeabac7ef

SHA512
3f41b4fddc9ca5866d8707e0711d6b14a6eebb71d6bd0758e7a2ec6c930a868aee349ae569b137a89f3df7e7c2984f0674be0b66e37261c00e547ca9793b0f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f63f538cc0c3fab2a33325ffc726a390

SHA1
6c0e8df6a5ec4e512319b62756ff375352ab9de1

SHA256
6c6fd184d782ca9bf7e6a3009d91d3bef616c95465ccf3d9c54100b243d4de64

SHA512
14f018e78ab7ca6bdbc6abcd96e03dcbf92b1d34d6c966406ebefe18041be6bf8e457d6edbfe4be44d45f419369fa6f12e66155bab734a67e67498f7f95f1f63

Download Submit
C:\şirket-ruhsat.pdf.exe

Filesize
18.5MB

MD5
5429328937ed51076df9f8c4e5edc93a

SHA1
d5cca10a28fd3be2093e6c3a260515cb085f5e10

SHA256
95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51

SHA512
f5bac56af429b770a79948a537bc3448a2f9e7c2bc91dafdf30ec003e29d1d7f6c68bb870c08cb06544d636f39d3fcb257637e3edf04b662b3410554f34a6e2f

Download Submit
C:\şirket-ruhsat.pdf.exe

Filesize
18.5MB

MD5
5429328937ed51076df9f8c4e5edc93a

SHA1
d5cca10a28fd3be2093e6c3a260515cb085f5e10

SHA256
95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51

SHA512
f5bac56af429b770a79948a537bc3448a2f9e7c2bc91dafdf30ec003e29d1d7f6c68bb870c08cb06544d636f39d3fcb257637e3edf04b662b3410554f34a6e2f

Download Submit
C:\şirket-ruhsat.pdf.exe

Filesize
18.5MB

MD5
5429328937ed51076df9f8c4e5edc93a

SHA1
d5cca10a28fd3be2093e6c3a260515cb085f5e10

SHA256
95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51

SHA512
f5bac56af429b770a79948a537bc3448a2f9e7c2bc91dafdf30ec003e29d1d7f6c68bb870c08cb06544d636f39d3fcb257637e3edf04b662b3410554f34a6e2f

Download Submit
C:\şirket-ruhsat.pdf.exe

Filesize
18.5MB

MD5
5429328937ed51076df9f8c4e5edc93a

SHA1
d5cca10a28fd3be2093e6c3a260515cb085f5e10

SHA256
95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51

SHA512
f5bac56af429b770a79948a537bc3448a2f9e7c2bc91dafdf30ec003e29d1d7f6c68bb870c08cb06544d636f39d3fcb257637e3edf04b662b3410554f34a6e2f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26002\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
memory/820-175-0x000007FEF6080000-0x000007FEF6668000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing