Analysis
-
max time kernel
139s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
16-01-2024 00:29
Static task
static1
Behavioral task
behavioral1
Sample
Hesap Hareketleri 16-01-2024.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Hesap Hareketleri 16-01-2024.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231222-en
General
-
Target
Hesap Hareketleri 16-01-2024.exe
-
Size
466KB
-
MD5
12484fec86ba7a89160b91d9c29ca150
-
SHA1
dcc43a2f4045ccb3b948b7711024751ec15d78e5
-
SHA256
6aa41172a558c2a793b6665bdbaac4512a09fd80fe39c997edd0b41b804698b8
-
SHA512
aadb77274ba355db2c20d0c012c86c08a65b3341c6b842c532bbe3c6cbbc0c3a876cf046fcd271b362cbe4e20d935b6020ceb93933224ca3d79e1b443f0f1bf2
-
SSDEEP
12288:74u5/pr3QMEgNLqAkZQ+uwypDxfXikgqKeSQ:74UpBNjg7XYDlykgeL
Malware Config
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL 1 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exepid process 1732 Hesap Hareketleri 16-01-2024.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exepid process 1540 Hesap Hareketleri 16-01-2024.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exeHesap Hareketleri 16-01-2024.exepid process 1732 Hesap Hareketleri 16-01-2024.exe 1540 Hesap Hareketleri 16-01-2024.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exedescription pid process target process PID 1732 set thread context of 1540 1732 Hesap Hareketleri 16-01-2024.exe Hesap Hareketleri 16-01-2024.exe -
Drops file in Program Files directory 1 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exedescription ioc process File opened for modification C:\Program Files (x86)\Hoffmann.ini Hesap Hareketleri 16-01-2024.exe -
Drops file in Windows directory 1 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exedescription ioc process File opened for modification C:\Windows\resources\0409\electronarcosis.beg Hesap Hareketleri 16-01-2024.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exepid process 1732 Hesap Hareketleri 16-01-2024.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
Hesap Hareketleri 16-01-2024.exedescription pid process target process PID 1732 wrote to memory of 1540 1732 Hesap Hareketleri 16-01-2024.exe Hesap Hareketleri 16-01-2024.exe PID 1732 wrote to memory of 1540 1732 Hesap Hareketleri 16-01-2024.exe Hesap Hareketleri 16-01-2024.exe PID 1732 wrote to memory of 1540 1732 Hesap Hareketleri 16-01-2024.exe Hesap Hareketleri 16-01-2024.exe PID 1732 wrote to memory of 1540 1732 Hesap Hareketleri 16-01-2024.exe Hesap Hareketleri 16-01-2024.exe PID 1732 wrote to memory of 1540 1732 Hesap Hareketleri 16-01-2024.exe Hesap Hareketleri 16-01-2024.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hesap Hareketleri 16-01-2024.exe"C:\Users\Admin\AppData\Local\Temp\Hesap Hareketleri 16-01-2024.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\Hesap Hareketleri 16-01-2024.exe"C:\Users\Admin\AppData\Local\Temp\Hesap Hareketleri 16-01-2024.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1540
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD53f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA5120a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6