4ec1ead75385f684740372f0ba6b5ca891cd89fb17b92904b9b3592f34939ae0

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yeni siparis eklendi.exe
Size

717KB
MD5

be581b483cc7452d59e1f246615911a3
SHA1

8fa2767e25635a8225f422d6fb54dde7bf80186f
SHA256

4ec1ead75385f684740372f0ba6b5ca891cd89fb17b92904b9b3592f34939ae0
SHA512

2ae5b3aab82c99968bef64f8226a018f418c58a3994a8f1f1925346ca5a896207c95f588e7821005f94fa25dbea0c40332d5de699097afb49a3dd62575a5445d
SSDEEP

12288:aQp+Uw9MMMDMMMrhjsOsAvExgOI4br9rAHWKd3RXPWy25ttyYVQCU:EMMMDMMMrZsfTxgANraFXPr25ttyCQC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\International\Geo\Nation	Yeni siparis eklendi.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	netsh.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 2596	2124	Yeni siparis eklendi.exe	30
PID 2596 set thread context of 1264	2596	Yeni siparis eklendi.exe	16
PID 2596 set thread context of 2908	2596	Yeni siparis eklendi.exe	34
PID 2908 set thread context of 1264	2908	netsh.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2684	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3849525425-30183055-657688904-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2124	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2596	Yeni siparis eklendi.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2596	Yeni siparis eklendi.exe
1264	Explorer.EXE
1264	Explorer.EXE
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe
2908	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	Yeni siparis eklendi.exe
Token: SeDebugPrivilege	2596	Yeni siparis eklendi.exe
Token: SeDebugPrivilege	2908	netsh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2684	2124	Yeni siparis eklendi.exe	28
PID 2124 wrote to memory of 2684	2124	Yeni siparis eklendi.exe	28
PID 2124 wrote to memory of 2684	2124	Yeni siparis eklendi.exe	28
PID 2124 wrote to memory of 2684	2124	Yeni siparis eklendi.exe	28
PID 2124 wrote to memory of 2596	2124	Yeni siparis eklendi.exe	30
PID 2124 wrote to memory of 2596	2124	Yeni siparis eklendi.exe	30
PID 2124 wrote to memory of 2596	2124	Yeni siparis eklendi.exe	30
PID 2124 wrote to memory of 2596	2124	Yeni siparis eklendi.exe	30
PID 2124 wrote to memory of 2596	2124	Yeni siparis eklendi.exe	30
PID 2124 wrote to memory of 2596	2124	Yeni siparis eklendi.exe	30
PID 2124 wrote to memory of 2596	2124	Yeni siparis eklendi.exe	30
PID 1264 wrote to memory of 2908	1264	Explorer.EXE	34
PID 1264 wrote to memory of 2908	1264	Explorer.EXE	34
PID 1264 wrote to memory of 2908	1264	Explorer.EXE	34
PID 1264 wrote to memory of 2908	1264	Explorer.EXE	34
PID 2908 wrote to memory of 1192	2908	netsh.exe	37
PID 2908 wrote to memory of 1192	2908	netsh.exe	37
PID 2908 wrote to memory of 1192	2908	netsh.exe	37
PID 2908 wrote to memory of 1192	2908	netsh.exe	37
PID 2908 wrote to memory of 1192	2908	netsh.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\Yeni siparis eklendi.exe
  "C:\Users\Admin\AppData\Local\Temp\Yeni siparis eklendi.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tWnvdiFNXsgHZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2E2.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\Yeni siparis eklendi.exe
    "{path}"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2912
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kvrth.zip

Filesize
429KB

MD5
16f94aee2d9a53bf8e58722679063051

SHA1
b1495ea7c4b2cad58404e051c144ac49323f95ee

SHA256
43a12cc1c155d0bb9686a1fcbc90babc9e99dbec475bddc2acacf31bd2b159e8

SHA512
9eaa6f61ecbadccdec565e32d5559e795365adacdbc0ff7362612b4d623117ce821817c7b7ac41538e765e7e0887b0ff2512f860a80662322a22524d4da13b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2E2.tmp

Filesize
1KB

MD5
3dae271b1ea8a75ad3b38625192c1c6f

SHA1
b0ffaeb3bb1c980dd3d788602ce53cfd30e8ce67

SHA256
ac9b11de78db012dc73a6cf8ce70868b480c43ef2ba44dd25a6b050d32fcf7fd

SHA512
78938669026f64c73c27a8c28989a06994f28319806c303d10d2a83a322b1c9546d32dcf29b59ac9f6772ccda86ab25fe83305b0b5704df5d8ecbdf688c8292c

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
819KB

MD5
eda40ea55ff2eb2a2e5aca836bb1cc26

SHA1
6de11b4b121bc8b9b87b05ddbdd6eda4e9442c37

SHA256
330b88eacb778b86dff1a90189121e8b3280723be9fbf4e55174ede2bbf74af0

SHA512
caf63f50931f76ec919528dedfb8b6ee14590f5aa33f91a6b9c24f63c0f3851cffdc16eab976ee7d6140f383050050d26f3547743b5ae772001b8f6199f0a4fc

Download Submit
memory/1264-41-0x0000000004E70000-0x0000000004F37000-memory.dmp

Filesize
796KB

Download
memory/1264-38-0x0000000004E70000-0x0000000004F37000-memory.dmp

Filesize
796KB

Download
memory/1264-37-0x0000000004E70000-0x0000000004F37000-memory.dmp

Filesize
796KB

Download
memory/1264-35-0x0000000008D20000-0x000000000B154000-memory.dmp

Filesize
36.2MB

Download
memory/1264-28-0x0000000008D20000-0x000000000B154000-memory.dmp

Filesize
36.2MB

Download
memory/2124-10-0x0000000008050000-0x00000000080E8000-memory.dmp

Filesize
608KB

Download
memory/2124-6-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-0-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-11-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2124-8-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2124-1-0x0000000001140000-0x00000000011FA000-memory.dmp

Filesize
744KB

Download
memory/2124-2-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/2124-3-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2124-4-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2124-22-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-5-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/2124-9-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/2124-7-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/2596-23-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/2596-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-27-0x0000000000360000-0x0000000000382000-memory.dmp

Filesize
136KB

Download
memory/2596-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-32-0x0000000000360000-0x0000000000382000-memory.dmp

Filesize
136KB

Download
memory/2596-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2596-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-30-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2908-36-0x0000000000A40000-0x0000000000AE1000-memory.dmp

Filesize
644KB

Download
memory/2908-39-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2908-40-0x0000000000A40000-0x0000000000AE1000-memory.dmp

Filesize
644KB

Download
memory/2908-34-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2908-33-0x0000000002210000-0x0000000002513000-memory.dmp

Filesize
3.0MB

Download
memory/2908-29-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2908-82-0x0000000061E00000-0x0000000061EBA000-memory.dmp

Filesize
744KB

Download