Analysis Overview
SHA256
69dc0e9d1c32e23c27af3da7736bb1dae9018a1f1144ea8f12adeccc5208d915
Threat Level: Known bad
The file Ziraat Bankasi Swift Mesaji.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Guloader,Cloudeye
Checks QEMU agent file
Loads dropped DLL
Reads local data of messenger clients
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook profiles
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Enumerates physical storage devices
Unsigned PE
outlook_win_path
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious behavior: MapViewOfSection
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-19 16:19
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-19 16:19
Reported
2023-09-19 16:21
Platform
win7-20230831-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2960 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
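The SetThreadContext, WriteProcessMemory and MapViewOfSection signatures above, taken together with a second copy of the same executable appearing in the process list, are the footprint of process hollowing: PID 2960 starts itself again, rewrites the child's memory (the child region 0x470000-0x2242000 is about 30 MB in both runs) and redirects its thread before letting it run. The following is an added example, not part of the sandbox report or the vendor's signature engine: a small correlator that walks an API-call trace and only reports a suspended child once its creator has written to it, replaced its thread context and resumed it. The trace is constructed from the PIDs and region sizes in this report; the exact call sequence and the `BENIGN_TRACE` launcher are assumptions for illustration.

```python
"""Correlate a process-hollowing chain from an API-call trace (added example)."""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit the hollow target is started with

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"

# Constructed trace modelled on behavioral1: the parent (2960) spawns a second copy of
# itself suspended, maps/writes into it, replaces the thread context and resumes it.
# 0x1DD2000 is the size of the reported child region 0x470000-0x2242000.
TRACE = [
    (2960, "CreateProcessW", {"image": SAMPLE, "flags": CREATE_SUSPENDED, "child_pid": 2804}),
    (2960, "NtSetInformationThread", {"info_class": "ThreadHideFromDebugger"}),
    (2960, "NtMapViewOfSection", {"target_pid": 2804, "base": 0x470000, "size": 0x1DD2000}),
    (2960, "WriteProcessMemory", {"target_pid": 2804, "base": 0x470000, "size": 0x1000}),
    (2960, "SetThreadContext", {"target_pid": 2804}),
    (2960, "ResumeThread", {"target_pid": 2804}),
]

# Constructed control: a launcher starts a child suspended and resumes it without
# touching its memory or registers, which must not be reported as hollowing.
BENIGN_TRACE = [
    (100, "CreateProcessW", {"image": r"C:\Tools\worker.exe", "flags": CREATE_SUSPENDED, "child_pid": 101}),
    (100, "ResumeThread", {"target_pid": 101}),
]


@dataclass
class Finding:
    source_pid: int
    target_pid: int
    image: str
    self_injection: bool   # True when the child is a copy of the creator's own image
    bytes_written: int
    steps: list = field(default_factory=list)


def detect_hollowing(trace, images=None):
    """Return one Finding per suspended child that its creator wrote to, whose thread
    context the creator replaced, and which the creator then resumed.
    `images` seeds pid -> image for processes that pre-date the trace."""
    images = dict(images or {})
    pending = {}   # child_pid -> state while the child is still suspended
    findings = []
    for pid, api, args in trace:
        if api == "CreateProcessW" and args.get("flags", 0) & CREATE_SUSPENDED:
            child = args["child_pid"]
            images[child] = args["image"]
            pending[child] = {"creator": pid, "written": 0, "context": False, "steps": []}
            continue
        tgt = args.get("target_pid")
        st = pending.get(tgt)
        if st is None or st["creator"] != pid:
            continue   # only the creator acting on its own suspended child is correlated
        st["steps"].append(api)
        if api in ("WriteProcessMemory", "NtMapViewOfSection"):
            st["written"] += args.get("size", 0)
        elif api == "SetThreadContext":
            st["context"] = True
        elif api == "ResumeThread":
            if st["written"] and st["context"]:
                findings.append(Finding(
                    source_pid=pid, target_pid=tgt, image=images[tgt],
                    self_injection=images.get(pid) == images[tgt],
                    bytes_written=st["written"], steps=st["steps"]))
            del pending[tgt]   # resumed: no longer a hollowing candidate
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE, images={2960: SAMPLE}):
        print(f"hollowing: {f.source_pid} -> {f.target_pid} ({f.bytes_written:#x} bytes, "
              f"self-injection={f.self_injection}) via {' > '.join(f.steps)}")
    print("benign findings:", detect_hollowing(BENIGN_TRACE))
```

Requiring all three steps before reporting is what keeps the control trace quiet: installers and debuggers start children suspended all the time, but they do not also rewrite the child's entry point. The self-injection flag matters for triage because a loader hollowing a copy of itself (as here) and one hollowing a trusted Windows binary are tuned differently in most EDR rule sets.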
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | agencypress.wpengine.com | udp |
| US | 35.192.134.14:443 | agencypress.wpengine.com | tcp |
(the same TCP connection to 35.192.134.14:443 was logged 67 times during this run; the identical rows are collapsed into the one above)
Files
\Users\Admin\AppData\Local\Temp\nso3F44.tmp\BgImage.dll
| MD5 | 744f9c42403e9aabde8fc65d40bccd3e |
| SHA1 | 9ab49924ffa1560e5e3b70b097236a1451945829 |
| SHA256 | 8eb85584031b2e1d74daf372e60a72f767e8861db9d4ca2dc1981511f620e51e |
| SHA512 | 924cacc1d1dd5260b6adf081bf1bfc83edaf51546af7e2f644ab53152e25889552fc99c50ddc45dc1850d7c165877637df11cd35709a49d57e6201b6f4690244 |
\Users\Admin\AppData\Local\Temp\nso3F44.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
\Users\Admin\AppData\Local\Temp\nso3F44.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
\Users\Admin\AppData\Local\Temp\nso3F44.tmp\nsExec.dll
| MD5 | c5b9fe538654a5a259cf64c2455c5426 |
| SHA1 | db45505fa041af025de53a0580758f3694b9444a |
| SHA256 | 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7 |
| SHA512 | f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa |
C:\Users\Admin\trykimprgneringerne.ini
| MD5 | c4829906d876f22ae69d5bdf4e401ae9 |
| SHA1 | 4be3cc23f889d83675eb8e412776f425df75ab81 |
| SHA256 | 91543ad310d29d76cf717afcf0fd1db03c798cabd5448940de84516352c5c7cb |
| SHA512 | 7788e3afabb9e85a1e0f71355535f7ef0694d1ab48a2c94e560671730e36703411532964bd490c0abb835a5f10cb7794ab51f4b162461d0428e6de2de4afae60 |
memory/2960-59-0x00000000039C0000-0x0000000005792000-memory.dmp
memory/2960-60-0x0000000077480000-0x0000000077629000-memory.dmp
memory/2960-61-0x00000000039C0000-0x0000000005792000-memory.dmp
memory/2960-62-0x0000000077670000-0x0000000077746000-memory.dmp
memory/2960-63-0x0000000002470000-0x0000000002476000-memory.dmp
memory/2804-64-0x0000000000470000-0x0000000002242000-memory.dmp
memory/2804-65-0x0000000077480000-0x0000000077629000-memory.dmp
memory/2804-66-0x0000000000470000-0x0000000002242000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB1A5.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarB215.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2804-281-0x0000000072A00000-0x0000000073A62000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-19 16:19
Reported
2023-09-19 16:21
Platform
win10v2004-20230915-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Azorult
Guloader,Cloudeye
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1852 set thread context of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Ziraat Bankasi Swift Mesaji.exe"
C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
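The behavioral2 run adds the host-side indicators a detection engineer would actually hunt on: the sample opens `C:\Program Files\Qemu-ga\qemu-ga.exe` (a guest-agent probe to spot a QEMU/KVM sandbox), queries the user's `Geo\Nation` locale and the CPU name string, opens the Outlook profile keys, and finally spawns `cmd.exe /c timeout.exe 3 & del "Ziraat Bankasi Swift Mesaji.exe"` to remove itself (note the path: the 32-bit sample asks for `system32\cmd.exe` and WOW64 redirection runs `SysWOW64\cmd.exe`, so match on the command line rather than the image path). The block below is an added example, not part of the report or the sandbox's rule set: a weighted rule evaluator over Sysmon-style events that reports a process only when its indicators add up, so that a single locale query (which Explorer also performs) does not fire on its own. The events are constructed from the tables above; the cmd.exe/timeout.exe PIDs, the explorer.exe control row, the rule weights and the ATT&CK tags are assumptions made for this example.

```python
"""Weighted host-indicator rules over constructed Sysmon-style events (added example)."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000"

# Constructed telemetry: (kind, pid, image, detail). PID 3004 is the hollowed child from
# the report; PIDs 4100/4104/900 and the explorer.exe control row are assumptions.
EVENTS = [
    ("FileOpen", 3004, SAMPLE, r"C:\Program Files\Qemu-ga\qemu-ga.exe"),
    ("RegQuery", 3004, SAMPLE, HKU + r"\Control Panel\International\Geo\Nation"),
    ("RegQuery", 3004, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("RegOpen", 3004, SAMPLE, HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    ("RegOpen", 3004, SAMPLE, HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
    ("ProcessCreate", 4100, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Ziraat Bankasi Swift Mesaji.exe"'),
    ("ProcessCreate", 4104, r"C:\Windows\SysWOW64\timeout.exe", r"C:\Windows\system32\timeout.exe 3"),
    # control: a legitimate locale query by the shell, which must stay below threshold
    ("RegQuery", 900, r"C:\Windows\explorer.exe", HKU + r"\Control Panel\International\Geo\Nation"),
]

# (name, tag, weight, event kind, pattern on the detail field). Weights and tags are my own.
RULES = [
    ("qemu_guest_agent_probe", "T1497.001", 3, "FileOpen",
     re.compile(r"\\Program Files\\Qemu-ga\\qemu-ga\.exe$", re.I)),
    ("geo_nation_query", "T1614", 1, "RegQuery",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("cpu_name_query", "T1082", 1, "RegQuery",
     re.compile(r"\\CentralProcessor\\0\\ProcessorNameString$", re.I)),
    ("outlook_profile_access", "credential-store access", 2, "RegOpen",
     re.compile(r"\\(?:Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles\\Outlook$", re.I)),
    ("timeout_then_delete_self", "T1070.004", 3, "ProcessCreate",
     re.compile(r"\btimeout(?:\.exe)?\s+\d+\s*&\s*del\b", re.I)),
]


def evaluate(events, threshold=3):
    """Score each process by the rules its events match and return only the processes
    at or above `threshold`, with the matched rule names and tags for the analyst."""
    hits = {}
    for kind, pid, image, detail in events:
        for name, tag, weight, rule_kind, rx in RULES:
            if kind == rule_kind and rx.search(detail):
                h = hits.setdefault(pid, {"image": image, "score": 0, "matches": []})
                h["score"] += weight
                h["matches"].append((name, tag))
    return {pid: h for pid, h in hits.items() if h["score"] >= threshold}


if __name__ == "__main__":
    for pid, h in evaluate(EVENTS).items():
        print(pid, h["image"], h["score"], [m[0] for m in h["matches"]])
```

The self-deletion rule is scored high enough to fire alone because `timeout N & del` from a cmd.exe child of a freshly downloaded executable has very few benign explanations; the locale and CPU-name queries are scored low and only contribute once the same process also shows a sandbox probe or credential-store access.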
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | agencypress.wpengine.com | udp |
| US | 35.192.134.14:443 | agencypress.wpengine.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.134.192.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hoswell.shop | udp |
| US | 188.114.97.0:80 | hoswell.shop | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 188.114.97.0:80 | hoswell.shop | tcp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
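Read across both detonations, the network tables separate the two stages of this sample: `agencypress.wpengine.com` (a WP Engine-hosted WordPress site, the kind of ordinary hosting GuLoader uses to stage its encrypted payload) is reached in every run, while `hoswell.shop` over plain HTTP is reached only in the run where the Azorult signature fired, which makes it the stealer's C2. The many `in-addr.arpa` rows are the sandbox's own reverse lookups and are not indicators. The following is an added example, not part of the report: it collapses the raw rows into one record per domain, drops PTR noise, labels each domain by stage and emits Suricata DNS rules. The rows are copied from the two tables above (a representative subset of the PTR rows only); the stage heuristic and the rule `msg`/`sid` values are my own choices.

```python
"""Extract network IOCs from sandbox connection rows and emit Suricata DNS rules (added example)."""
import re

PTR = re.compile(r"\.in-addr\.arpa$", re.I)

# Rows copied from the Network tables above: (run, country, destination, domain, proto).
# behavioral1 logged the 35.192.134.14:443 row many times; one copy is enough here.
ROWS = [
    ("behavioral1", "US", "8.8.8.8:53", "agencypress.wpengine.com", "udp"),
    ("behavioral1", "US", "35.192.134.14:443", "agencypress.wpengine.com", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "14.160.190.20.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "agencypress.wpengine.com", "udp"),
    ("behavioral2", "US", "35.192.134.14:443", "agencypress.wpengine.com", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "hoswell.shop", "udp"),
    ("behavioral2", "US", "188.114.97.0:80", "hoswell.shop", "tcp"),
    ("behavioral2", "US", "188.114.97.0:80", "hoswell.shop", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "0.97.114.188.in-addr.arpa", "udp"),
]


def extract_iocs(rows, resolver="8.8.8.8:53"):
    """Collapse connection rows into one record per contacted domain. Reverse (PTR)
    lookups are sandbox noise and are dropped; a lookup against the resolver records
    the run but is not itself an endpoint to block."""
    iocs = {}
    for run, _country, dest, domain, proto in rows:
        if PTR.search(domain):
            continue
        rec = iocs.setdefault(domain, {"endpoints": set(), "runs": set()})
        rec["runs"].add(run)
        if dest != resolver:
            rec["endpoints"].add(f"{proto}/{dest}")
    return iocs


def classify_stage(iocs):
    """Label each domain by which detonations reached it: a host contacted in every run
    belongs to the loader stage; one reached only in a subset is a later stage's C2.
    Heuristic: assumes the runs differ only in how far execution got."""
    all_runs = set().union(*(r["runs"] for r in iocs.values()))
    return {d: ("loader-stage payload host" if r["runs"] == all_runs else "second-stage C2")
            for d, r in iocs.items()}


def suricata_dns_rules(iocs, sid_base=9000001):
    """One Suricata rule per domain using the dns.query sticky buffer (Suricata 5+)."""
    return [
        f'alert dns any any -> any any (msg:"GuLoader/Azorult IOC {domain}"; '
        f'dns.query; content:"{domain}"; nocase; sid:{sid_base + i}; rev:1;)'
        for i, domain in enumerate(sorted(iocs))
    ]


if __name__ == "__main__":
    iocs = extract_iocs(ROWS)
    stages = classify_stage(iocs)
    for domain, rec in iocs.items():
        print(f"{domain:28} {stages[domain]:26} {sorted(rec['endpoints'])}")
    print("\n".join(suricata_dns_rules(iocs)))
```

Block on the domains, not the addresses: 188.114.97.0 is a Cloudflare proxy address shared with unrelated sites, and the WP Engine address serves other customers too. The DNS rules above therefore carry the detection; an IP block would either miss a move or cause collateral damage.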
Files
C:\Users\Admin\AppData\Local\Temp\nsi74D4.tmp\BgImage.dll
| MD5 | 744f9c42403e9aabde8fc65d40bccd3e |
| SHA1 | 9ab49924ffa1560e5e3b70b097236a1451945829 |
| SHA256 | 8eb85584031b2e1d74daf372e60a72f767e8861db9d4ca2dc1981511f620e51e |
| SHA512 | 924cacc1d1dd5260b6adf081bf1bfc83edaf51546af7e2f644ab53152e25889552fc99c50ddc45dc1850d7c165877637df11cd35709a49d57e6201b6f4690244 |
C:\Users\Admin\AppData\Local\Temp\nsi74D4.tmp\nsDialogs.dll
| MD5 | 0d45588070cf728359055f776af16ec4 |
| SHA1 | c4375ceb2883dee74632e81addbfa4e8b0c6d84a |
| SHA256 | 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a |
| SHA512 | 751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415 |
C:\Users\Admin\AppData\Local\Temp\nsi74D4.tmp\System.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
C:\Users\Admin\AppData\Local\Temp\nsi74D4.tmp\nsExec.dll
| MD5 | c5b9fe538654a5a259cf64c2455c5426 |
| SHA1 | db45505fa041af025de53a0580758f3694b9444a |
| SHA256 | 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7 |
| SHA512 | f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa |
C:\Users\Admin\trykimprgneringerne.ini
| MD5 | c4829906d876f22ae69d5bdf4e401ae9 |
| SHA1 | 4be3cc23f889d83675eb8e412776f425df75ab81 |
| SHA256 | 91543ad310d29d76cf717afcf0fd1db03c798cabd5448940de84516352c5c7cb |
| SHA512 | 7788e3afabb9e85a1e0f71355535f7ef0694d1ab48a2c94e560671730e36703411532964bd490c0abb835a5f10cb7794ab51f4b162461d0428e6de2de4afae60 |
memory/1852-68-0x0000000004A20000-0x00000000067F2000-memory.dmp
memory/1852-69-0x0000000004A20000-0x00000000067F2000-memory.dmp
memory/1852-70-0x0000000077DA1000-0x0000000077EC1000-memory.dmp
memory/1852-71-0x0000000077DA1000-0x0000000077EC1000-memory.dmp
memory/1852-72-0x0000000002360000-0x0000000002366000-memory.dmp
memory/3004-73-0x0000000000470000-0x0000000002242000-memory.dmp
memory/3004-74-0x0000000000470000-0x0000000002242000-memory.dmp
memory/3004-75-0x0000000077E28000-0x0000000077E29000-memory.dmp
memory/3004-76-0x0000000077E45000-0x0000000077E46000-memory.dmp
memory/3004-80-0x00000000736E0000-0x0000000074934000-memory.dmp
memory/3004-81-0x0000000000470000-0x0000000002242000-memory.dmp
memory/3004-82-0x00000000326E0000-0x0000000032707000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C8D39ECD\nss3.dll
| MD5 | 556ea09421a0f74d31c4c0a89a70dc23 |
| SHA1 | f739ba9b548ee64b13eb434a3130406d23f836e3 |
| SHA256 | f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb |
| SHA512 | 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2 |
C:\Users\Admin\AppData\Local\Temp\C8D39ECD\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
C:\Users\Admin\AppData\Local\Temp\C8D39ECD\mozglue.dll
| MD5 | 9e682f1eb98a9d41468fc3e50f907635 |
| SHA1 | 85e0ceca36f657ddf6547aa0744f0855a27527ee |
| SHA256 | 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d |
| SHA512 | 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed |
C:\Users\Admin\AppData\Local\Temp\C8D39ECD\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
memory/3004-142-0x00000000736E0000-0x0000000074934000-memory.dmp
memory/3004-143-0x0000000077DA1000-0x0000000077EC1000-memory.dmp
memory/3004-194-0x0000000000470000-0x0000000002242000-memory.dmp
memory/3004-195-0x00000000736E0000-0x0000000074934000-memory.dmp
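The dropped files tell the same two-stage story as the network traffic. The `ns*.tmp` directory holding `System.dll`, `nsExec.dll`, `nsDialogs.dll` and `BgImage.dll` is the plugin directory an NSIS installer unpacks at run time, so the outer file is an NSIS package (GuLoader's usual wrapper). The second directory, `Temp\C8D39ECD`, receives `nss3.dll` and `mozglue.dll`, Firefox's own NSS and runtime libraries, next to the VC runtime: a process that is not Firefox dropping those into Temp is a stealer preparing to decrypt saved Firefox logins, and it is what the "Reads user/profile data of web browsers" signature observes. The block below is an added example, not part of the report: a file-drop profiler that turns those two patterns, plus a file written straight into the profile root, into hunt findings. The paths are copied from the Files sections above (duplicates removed); the `Program Files\Mozilla Firefox` control entries are constructed.

```python
"""Profile dropped-file paths for NSIS unpacking and stealer library staging (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Unique dropped paths from the two Files sections, plus a constructed control pair that
# represents a real Firefox install and must not be flagged.
DROPS = [
    r"C:\Users\Admin\AppData\Local\Temp\nso3F44.tmp\BgImage.dll",
    r"C:\Users\Admin\AppData\Local\Temp\nso3F44.tmp\nsDialogs.dll",
    r"C:\Users\Admin\AppData\Local\Temp\nso3F44.tmp\System.dll",
    r"C:\Users\Admin\AppData\Local\Temp\nso3F44.tmp\nsExec.dll",
    r"C:\Users\Admin\trykimprgneringerne.ini",
    r"C:\Users\Admin\AppData\Local\Temp\C8D39ECD\nss3.dll",
    r"C:\Users\Admin\AppData\Local\Temp\C8D39ECD\vcruntime140.dll",
    r"C:\Users\Admin\AppData\Local\Temp\C8D39ECD\mozglue.dll",
    r"C:\Users\Admin\AppData\Local\Temp\C8D39ECD\msvcp140.dll",
    r"C:\Program Files\Mozilla Firefox\nss3.dll",      # control (constructed)
    r"C:\Program Files\Mozilla Firefox\mozglue.dll",   # control (constructed)
]

NSIS_TMP = re.compile(r"^ns[a-z][0-9a-f]{4}\.tmp$", re.I)   # NSIS plugin dir, e.g. nso3F44.tmp
NSIS_PLUGINS = {"system.dll", "nsexec.dll", "nsdialogs.dll", "bgimage.dll"}
FIREFOX_LIBS = {"nss3.dll", "mozglue.dll"}   # Firefox's NSS crypto + runtime glue
PROFILE_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+$", re.I)


def profile_drops(paths):
    """Group dropped files by directory and report: NSIS plugin directories (two or more
    stock plugins in an ns*.tmp dir), Firefox libraries staged under Temp by something
    that is not Firefox, and files written directly into a user profile root."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent)].add(wp.name.lower())
    report = {"nsis_plugin_dirs": [], "stealer_lib_dirs": [], "profile_root_files": []}
    for d, names in by_dir.items():
        if NSIS_TMP.match(PureWindowsPath(d).name) and len(names & NSIS_PLUGINS) >= 2:
            report["nsis_plugin_dirs"].append(d)
        if FIREFOX_LIBS <= names and "\\temp\\" in d.lower():
            report["stealer_lib_dirs"].append(d)
        if PROFILE_ROOT.match(d):
            report["profile_root_files"].extend(sorted(names))
    return report


if __name__ == "__main__":
    for key, value in profile_drops(DROPS).items():
        print(f"{key}: {value}")
```

The Firefox-library check is the one worth wiring into an EDR rule: the libraries themselves are clean, signed Mozilla code (which is why hash-based tooling ignores them), so the signal is entirely in where they land and which process wrote them.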