Analysis
max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2023 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: Para Transferi Bilgilendirmesi-dekont.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: Para Transferi Bilgilendirmesi-dekont.exe
  Resource: win10v2004-20231127-en
General
Target: Para Transferi Bilgilendirmesi-dekont.exe (Turkish: "money transfer notification - receipt", a finance-themed phishing lure name)
Size: 893KB
MD5: 21d1df1da2e98a9ab9268712b8448e84
SHA1: 37c3233503068ba139bddcd9569ebaa068265590
SHA256: a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
SHA512: b6eda1358566719b0bd5923caad17d3f678b816eff8bc613a1930ec0f83fe8a4ea65194a15ebf2fb1458b8889b369483e19107eac955e0ea0c380ff3c456bd63
SSDEEP: 24576:K5xolYQY65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA:dYkXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ
Malware Config
Extracted
  Protocol: ftp
  Host: ftp.aksumer.com
  Port: 21
  Username: aksumerc
  Password: 211116.kS*
Extracted (agenttesla)
  Protocol: ftp
  Host: ftp://ftp.aksumer.com
  Port: 21
  Username: aksumerc
  Password: 211116.kS*
Both entries describe the same FTP drop account (the second carries the scheme prefix); the exfiltration channel is plain FTP on port 21, so the credentials and any stolen data cross the network unencrypted.
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET). The configuration extracted above shows this sample exfiltrating over FTP to ftp.aksumer.com:21 with the account credentials embedded in the binary, which is how the sandbox was able to recover them.

Detect ZGRat V1 (1 IoC)
YARA rule family_zgrat_v1 matched the memory dump of PID 4788, region 0x057B0000-0x057C8000 (behavioral2/memory/4788-40-0x00000000057B0000-0x00000000057C8000-memory.dmp).
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Registry writes (value = data, writing process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"   by explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"   by svchost.exe
The Winlogon Shell value normally holds just explorer.exe. It accepts a comma-separated list, so appending the dropped c:\windows\system\explorer.exe makes Winlogon launch it at every interactive logon next to the real shell. Note that the "explorer.exe" and "svchost.exe" writing these values are the dropped copies in c:\windows\system (PIDs 5060 and 3920 in the process tree), not the Windows binaries.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Registry writes:
  Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   by explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"   by svchost.exe
ShowSuperHidden = 0 is the "hide protected operating system files" setting; forcing it keeps files carrying the hidden+system attributes out of Explorer even when the user has enabled "show hidden files". On its own it is the Windows default, so it is a weak indicator; here it matters because of which processes wrote it.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Registry writes:
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}   by svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"   by svchost.exe
  Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}   by svchost.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}   by svchost.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"   by svchost.exe
  Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}   by svchost.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}   by explorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"   by explorer.exe
Active Setup runs a component's StubPath once per user at logon, whenever the per-user copy of the key under HKCU is missing or older than the HKLM entry; this re-launches mrsys.exe from the roaming profile for every account that logs on. Neither component name is a valid GUID (VMVQ, OTRW, NUFL and the like are not hexadecimal), which makes these keys a cheap hunting indicator by themselves.
Executes dropped EXE (7 IoCs)
  PID 4788  para transferi bilgilendirmesi-dekont.exe
  PID 2356  icsys.icn.exe
  PID 5060  explorer.exe
  PID 4460  spoolsv.exe
  PID 3920  svchost.exe
  PID 4356  spoolsv.exe
  PID 2936  para transferi bilgilendirmesi-dekont.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 4 IoCs)
Registry writes (all under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce):
  Set value (str) Explorer = "c:\\windows\\system\\explorer.exe RO"   by explorer.exe
  Set value (str) Svchost = "c:\\windows\\system\\svchost.exe RO"   by explorer.exe
  Set value (str) Explorer = "c:\\windows\\system\\explorer.exe RO"   by svchost.exe
  Set value (str) Svchost = "c:\\windows\\system\\svchost.exe RO"   by svchost.exe
RunOnce entries are removed when they fire, so both resident processes keep rewriting them to guarantee a launch at the next boot. The trailing argument ("RO" here; "SE", "PR" and "MR" appear elsewhere in this report) appears to tell the relaunched copy which start-up path it was invoked from.
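The four registry persistence signatures above (Winlogon Shell, ShowSuperHidden, Active Setup StubPath, RunOnce) each follow a pattern that can be checked mechanically. The following is an added example, not code from the report or the sandbox vendor: a small triage routine in Python that runs over a transcription of the registry events listed above (constructed input, with one made-up benign Active Setup component added as a control) and emits the findings a detection engineer would want. The trusted-directory list and the benign control entry are assumptions for the example.

```python
import re

# Constructed input for this example: the registry events listed in the report above,
# plus one made-up benign Active Setup component (valid GUID, System32 stub) as a control.
# Tuple layout: (action, key, value name or None, data or None, writing process)
REPORT_EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "shell", r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    ("Set value (int)",
     r"\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", "0", "explorer.exe"),
    ("Key created",
     r"\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}",
     None, None, "svchost.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}",
     "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "Explorer", r"c:\windows\system\explorer.exe RO", "explorer.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "Svchost", r"c:\windows\system\svchost.exe RO", "svchost.exe"),
    # Benign control (constructed, not from the report): well-formed GUID, stub under System32
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-0000-4000-8000-00000000ABCD}",
     None, None, "msiexec.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A1B2C3D-0000-4000-8000-00000000ABCD}",
     "StubPath", r"C:\Windows\System32\regsvr32.exe /s example.dll", "msiexec.exe"),
]

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)', re.I)
# Directories an autorun entry is expected to point into (exact, lower-case);
# Program Files is prefix-matched below. This list is an assumption for the example.
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def is_valid_guid(component):
    """Active Setup component keys are GUIDs; anything else (letters outside 0-9A-F) is hand-made."""
    return bool(GUID_RE.match(component))


def image_path(data):
    """Lower-cased executable path at the start of a registry command string, arguments stripped."""
    m = EXE_RE.match(data or "")
    return m.group(1).strip().lower() if m else None


def triage_registry_events(events):
    """Return de-duplicated (rule, detail, process) findings for the persistence patterns in this report."""
    findings = []

    def add(rule, detail, proc):
        if (rule, detail, proc) not in findings:
            findings.append((rule, detail, proc))

    for _action, key, name, data, proc in events:
        k, n = key.lower(), (name or "").lower()
        if k.endswith("\\winlogon") and n == "shell":
            # Shell is a comma-separated list; only explorer.exe (bare or in C:\Windows) is expected
            for entry in data.split(","):
                path = image_path(entry)
                if path not in ("explorer.exe", r"c:\windows\explorer.exe"):
                    add("winlogon_shell_extra_entry", path or entry.strip(), proc)
        elif "\\active setup\\installed components\\" in k:
            component = key.rsplit("\\", 1)[1]
            if not is_valid_guid(component):
                add("active_setup_invalid_guid", component, proc)
            if n == "stubpath":
                path = image_path(data)
                if path and path.startswith("c:\\users\\"):
                    add("active_setup_stub_in_user_profile", path, proc)
        elif k.endswith(("\\run", "\\runonce")) and data:
            path = image_path(data)
            dirname = path.rsplit("\\", 1)[0] if path else ""
            if path and dirname not in TRUSTED_DIRS and not dirname.startswith("c:\\program files"):
                add("autorun_untrusted_path", path, proc)
        elif k.endswith("\\explorer\\advanced") and n == "showsuperhidden" and str(data) == "0":
            # 0 is the Windows default, so this is a weak signal alone; it matters because of who wrote it
            add("hides_protected_os_files", "ShowSuperHidden=0", proc)
    return findings


if __name__ == "__main__":
    for rule, detail, proc in triage_registry_events(REPORT_EVENTS):
        print(f"{rule:36} {proc:14} {detail}")
```

Run against the events above this yields six findings: the extra Winlogon Shell entry, the ShowSuperHidden change, the non-hex Active Setup component name, its StubPath under AppData\Roaming, and the two RunOnce values pointing into c:\windows\system. The constructed benign component with a well-formed GUID and a System32 stub produces nothing, which is the false-positive check worth keeping when porting these rules to real telemetry.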
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 49  api.ipify.org
  flow 48  api.ipify.org
Agent Tesla reports the victim's public IP in its exfiltrated data. The lookup itself is ordinary traffic that many legitimate programs also generate, so it is useful as corroboration alongside the FTP connection to ftp.aksumer.com rather than as a stand-alone alert.
Suspicious use of SetThreadContext (1 IoC)
  PID 4788 (para transferi bilgilendirmesi-dekont.exe) set the thread context of PID 2936 (para transferi bilgilendirmesi-dekont.exe)
A parent setting the thread context of a freshly spawned copy of itself, combined with the eight WriteProcessMemory calls from 4788 into 2936 listed below, is the classic process-hollowing shape: the child is created suspended, its memory is overwritten with the unpacked payload and its entry point is redirected before the main thread is resumed. The SeDebugPrivilege IoC below is accordingly attributed to PID 2936, the hollowed child.
Drops file in Windows directory (6 IoCs)
  File opened for modification \??\c:\windows\system\explorer.exe   by icsys.icn.exe
  File opened for modification \??\c:\windows\system\spoolsv.exe   by explorer.exe
  File opened for modification \??\c:\windows\system\svchost.exe   by spoolsv.exe
  File opened for modification \??\c:\windows\system\explorer.exe   by explorer.exe
  File opened for modification \??\c:\windows\system\svchost.exe   by svchost.exe
  File opened for modification C:\Windows\system\udsys.exe   by explorer.exe
c:\windows\system is a real but nearly empty legacy directory. The genuine explorer.exe lives in C:\Windows, and svchost.exe and spoolsv.exe in System32 (svchost.exe also in SysWOW64), so any of these names under c:\windows\system can be alerted on by path alone.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated process-enumeration events from PID 2356 (icsys.icn.exe, 2 events) and from the two resident copies PID 5060 (explorer.exe) and PID 3920 (svchost.exe), which between them account for the remaining 62.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 5060  explorer.exe
  PID 3920  svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege   PID 2936  para transferi bilgilendirmesi-dekont.exe
Suspicious use of SetWindowsHookEx (15 IoCs)
  PID 1788  Para Transferi Bilgilendirmesi-dekont.exe (2)
  PID 2356  icsys.icn.exe (2)
  PID 5060  explorer.exe (4)
  PID 4460  spoolsv.exe (2)
  PID 3920  svchost.exe (2)
  PID 4356  spoolsv.exe (2)
  PID 2936  para transferi bilgilendirmesi-dekont.exe (1)
Suspicious use of WriteProcessMemory (35 IoCs)
Writer PID -> target PID (number of writes):
  1788 Para Transferi Bilgilendirmesi-dekont.exe -> 4788 para transferi bilgilendirmesi-dekont.exe (3)
  1788 Para Transferi Bilgilendirmesi-dekont.exe -> 2356 icsys.icn.exe (3)
  2356 icsys.icn.exe -> 5060 explorer.exe (3)
  5060 explorer.exe -> 4460 spoolsv.exe (3)
  4460 spoolsv.exe -> 3920 svchost.exe (3)
  3920 svchost.exe -> 4356 spoolsv.exe (3)
  3920 svchost.exe -> 960 at.exe (3)
  4788 para transferi bilgilendirmesi-dekont.exe -> 2936 para transferi bilgilendirmesi-dekont.exe (8)
  3920 svchost.exe -> 1264 at.exe (3)
  3920 svchost.exe -> 1260 at.exe (3)
Three writes per child is the baseline this report shows for every ordinary process creation; the eight writes from 4788 into 2936 stand out and line up with the SetThreadContext IoC above.
Processes (indented by depth in the tree)

1  C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe"
   PID 1788
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2  \??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe
      command line: "c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "
      PID 4788
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3  \??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe
         command line: "c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "
         PID 2936
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

   2  C:\Users\Admin\AppData\Local\icsys.icn.exe
      command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      PID 2356
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3  \??\c:\windows\system\explorer.exe
         command line: c:\windows\system\explorer.exe
         PID 5060
         - Modifies WinLogon for persistence
         - Modifies visibility of hidden/system files in Explorer
         - Modifies Installed Components in the registry
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4  \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe SE
            PID 4460
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5  \??\c:\windows\system\svchost.exe
               command line: c:\windows\system\svchost.exe
               PID 3920
               - Modifies WinLogon for persistence
               - Modifies visibility of hidden/system files in Explorer
               - Modifies Installed Components in the registry
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops file in Windows directory
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: GetForegroundWindowSpam
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

               6  \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe PR
                  PID 4356
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

               6  C:\Windows\SysWOW64\at.exe
                  command line: at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  PID 960

               6  C:\Windows\SysWOW64\at.exe
                  command line: at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  PID 1264

               6  C:\Windows\SysWOW64\at.exe
                  command line: at 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  PID 1260

The tree splits into two halves. The left branch (1788 -> 4788 -> 2936) is the Agent Tesla payload re-executing and hollowing itself. The right branch (icsys.icn.exe -> explorer.exe -> spoolsv.exe -> svchost.exe -> spoolsv.exe) is a separate dropper that installs copies of itself under c:\windows\system using the names of Windows binaries, then registers the Winlogon, RunOnce and Active Setup entries listed above. The three at.exe jobs schedule c:\windows\system\svchost.exe for 07:50, 07:51 and 07:52 every day of the week, two to four minutes after the 07:48 submission time, so the sample is reading the clock and scheduling a near-term relaunch. at.exe has been deprecated since Windows 8 in favour of schtasks.exe and on Windows 10 normally prints a deprecation notice instead of registering the job, so this persistence path is more likely to have succeeded in the Windows 7 task (behavioral1) than in this run.
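Two of the patterns in this tree generalise into hunting logic: well-known binary names launched from a directory where Windows never installs them, and at.exe jobs whose target is such a binary. The following is an added example in Python, not code from the report or the sandbox vendor. It runs over a transcription of the process tree above (constructed input), flags the masquerading images, parses each at.exe command line into its schedule and target, and lists the same-image parent/child pairs that the SetThreadContext signature above points at. The table of legitimate locations is an assumption for the example.

```python
import re

# Constructed input for this example: the process tree transcribed from the report above.
# Tuple layout: (pid, parent pid or None, image path, command line)
PROCESS_TREE = [
    (1788, None, r"C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe"'),
    (4788, 1788, r"c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe",
     r'"c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "'),
    (2936, 4788, r"c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe",
     r'"c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "'),
    (2356, 1788, r"C:\Users\Admin\AppData\Local\icsys.icn.exe", r"C:\Users\Admin\AppData\Local\icsys.icn.exe"),
    (5060, 2356, r"c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    (4460, 5060, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    (3920, 4460, r"c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    (4356, 3920, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    (960, 3920, r"C:\Windows\SysWOW64\at.exe",
     r"at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (1264, 3920, r"C:\Windows\SysWOW64\at.exe",
     r"at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (1260, 3920, r"C:\Windows\SysWOW64\at.exe",
     r"at 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
]

# Where these Windows binaries legitimately live (lower-case directories); an assumption for this example
LEGIT_LOCATIONS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
TIME_RE = re.compile(r"^\d{1,2}:\d{2}$")


def masquerade_reason(path):
    """Reason string when `path` uses a well-known system binary name from the wrong directory, else None."""
    p = path.strip().strip('"').lower()
    dirname, _, basename = p.rpartition("\\")
    legit = LEGIT_LOCATIONS.get(basename)
    if legit and dirname not in legit:
        return f"{basename} expected in {sorted(legit)}, found at {p}"
    return None


def find_masquerades(tree):
    """(pid, reason) for every process whose image path is a masquerade."""
    hits = []
    for pid, _ppid, image, _cmd in tree:
        reason = masquerade_reason(image)
        if reason:
            hits.append((pid, reason))
    return hits


def parse_at_command(cmdline):
    """Parse a classic `at <hh:mm> [/interactive] [/every:... | /next:...] <command>`; None if not an at job."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[0].lower() not in ("at", "at.exe") or not TIME_RE.match(tokens[1]):
        return None
    job = {"time": tokens[1], "interactive": False, "days": [], "target": ""}
    command = []
    for tok in tokens[2:]:
        low = tok.lower()
        if low == "/interactive":
            job["interactive"] = True
        elif low.startswith(("/every:", "/next:")):
            job["days"] = tok.split(":", 1)[1].split(",")
        else:
            command.append(tok)
    job["target"] = " ".join(command)
    return job


def find_scheduled_persistence(tree):
    """at.exe jobs whose target is a masquerading binary or that ask for an interactive session."""
    hits = []
    for pid, ppid, image, cmdline in tree:
        if not image.lower().endswith("\\at.exe"):
            continue
        job = parse_at_command(cmdline)
        if job is None:
            continue
        reason = masquerade_reason(job["target"])
        if reason or job["interactive"]:
            hits.append((pid, ppid, job["time"], job["target"], reason))
    return hits


def find_self_spawn(tree):
    """(parent, child) pairs running the same image: the shape process hollowing leaves in a tree."""
    image_of = {pid: image.lower() for pid, _p, image, _c in tree}
    return [(ppid, pid) for pid, ppid, image, _c in tree
            if ppid in image_of and image_of[ppid] == image.lower()]


if __name__ == "__main__":
    for pid, reason in find_masquerades(PROCESS_TREE):
        print(f"masquerade  PID {pid}: {reason}")
    for pid, ppid, when, target, reason in find_scheduled_persistence(PROCESS_TREE):
        print(f"at job      PID {pid} (parent {ppid}) at {when}: {target}")
    for parent, child in find_self_spawn(PROCESS_TREE):
        print(f"self-spawn  {parent} -> {child}")
```

On the tree above this reports the four masquerading processes (5060, 4460, 3920, 4356), the three at.exe jobs with their times and the c:\windows\system\svchost.exe target, and the two same-image pairs 1788 -> 4788 and 4788 -> 2936. The self-spawn check is deliberately loose: a same-image parent/child pair is normal for some installers and browsers, so it is the SetThreadContext and WriteProcessMemory evidence in the report, not the pair itself, that confirms hollowing.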
MITRE ATT&CK Enterprise v15
Persistence: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
Privilege Escalation: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
The automatic mapping covers only the Run key and Winlogon entries. Behaviour visible elsewhere in this report that it does not map: Active Setup (T1547.014), at.exe scheduled jobs (T1053.002), process hollowing (T1055.012), system-binary name masquerading (T1036.005), hiding files via ShowSuperHidden (T1564.001), external IP discovery (T1016) and exfiltration over plain FTP (T1048.003).
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\para transferi bilgilendirmesi-dekont.exe .log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
  (A usage log under CLR_v4.0_32 is written by the .NET runtime for a managed executable, confirming that the dropped copy is a 32-bit .NET binary, consistent with the Agent Tesla classification.)

  Filesize: 619KB
  MD5: 4783d50da091b2f50da381fd4a7b8e2d
  SHA1: f9504f9cd2695f0ac818596f250a4fe1ef7ca866
  SHA256: 35eee52488a800617b5ba6e6b01f3de68cd89a248c078fcc8126fdb7e7849dfd
  SHA512: 396c4d55da768d43d238607b7e3ad46ce325ed906843245b03f56503498c451509d495c65672bde0d42833a45a77df762a715f15151937d5aa88ad3c78ad84f0

  Filesize: 274KB
  MD5: 14b830b4552f61582f4440b712ee9af2
  SHA1: 74b5d677e14341d51af472a8673415fc1080896d
  SHA256: 5291cc6ac0d6d64f6f93bfd1bf9e6a13ab9f343e343a599e1bcd718dc8549d3f
  SHA512: 224ea6ea3a34f67646ed4aa6e515f6baefe26df371db94cbde2df1988987d7300638f22b9e898cec93466b40060b148f6b149fe75081e38fd001bf0f3334e86b

  Filesize: 274KB
  MD5: 571e262c0f061adf75cb08905f57c5b1
  SHA1: f687bf2b321f06be9f8618be6bcfa6ce7ec664a5
  SHA256: 826e778bb7db15dfdb2951c861c29570b870005103f06f938027cdc7c6dbc5ff
  SHA512: b19cb0be660696dc9854f4d7c2329b91e2f199a9927ea783224d53f8a6d2e5fccb19d263183609f9b0e91cd2cbc338133c95d73678083f2d4c97f3b7ba6b2686

  Filesize: 274KB
  MD5: 36939ebe2ab290fb1113efa91d7e12a9
  SHA1: fcf398eabe48e1f7d5ec1e45eea8eb2b0c1b3fb8
  SHA256: de85cc6722dae3f055fed01c891428dfb163cf879d0b809d84a9a850befdfc43
  SHA512: 7dc145045e51b1ba8d6db237dbdedd4fba2cb4c9c6371bcd1fee742e9e79f373e0bbbd90668af219351f4741bd754337c33c04c896c0a0c02704bfde8d20ed7b

  Filesize: 274KB
  MD5: d17136b20f2fd6b1d5973785eca19932
  SHA1: a4a43d091ab31382bf89b077f54e0d35a699480e
  SHA256: 73cd164640846fc3e14001ee1d36985ff952321002c0e4cb94475f5d13dfc1b2
  SHA512: 4b603daaded7c6c3a0b1bf6ee10a89b7de580624b6663cc6c888964f982fb724d531cde7d9638e13f091f33c983adbe0616e6097647570cb0e0a9c58d963101e

  Filesize: 274KB
  MD5: 02e27c3b8971975870ec9928cec4d179
  SHA1: d14e26f7ef831b7695e21294d876fa022874c0ec
  SHA256: 8d25e0a11eb90273186a02f5bb6f5da4c839721737b55ac77e2e89c987f48145
  SHA512: 407b3a10fd7da972ab41f07ddb079aaea8c47049f8fa29c9f879a430c89d9b710aabc0c09a4ff4580cb6b75732cb286a176fad8cdf4a80c7bc6905cbd70ef7e2

  Filesize: 246KB
  MD5: 141ffbf4d261af2194fa9f2cd5f3f683
  SHA1: 779f1c84b42e91d0f6b9abc8702a08836a9f33af
  SHA256: 918af9c81e3bba0ae2da2797bb693cdd7c4b595fe7c3ff5cc48d824bab247e09
  SHA512: 3f91a236b2375ce3c078e1a9387ded0f5f6eb5469db02d5e52c59a0da215147811952f625b2b70b62e0651895ed48e9bbc63211e63253ba0e62ebcf3d44c2cd1

The five 274KB files with distinct hashes are consistent with the dropper writing several copies of itself under different names (explorer.exe, spoolsv.exe, svchost.exe, udsys.exe, mrsys.exe) with per-copy variation, so hash-based blocking of any single copy is unlikely to stop the others; the path and name indicators above are the more durable detections.