Analysis
- max time kernel: 36s
- max time network: 57s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/02/2024, 06:53
Static task: static1
Behavioral task: behavioral1
- Sample: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
- Resource: win10v2004-20231215-en
Behavioral task: behavioral3
- Sample: $PLUGINSDIR/System.dll
- Resource: win7-20231129-en
Behavioral task: behavioral4
- Sample: $PLUGINSDIR/System.dll
- Resource: win10v2004-20231222-en
General
- Target: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
- Size: 894KB
- MD5: 10d0b99ee5922390bd2bbe07e71a0a75
- SHA1: a6e89c9d5007811038fc2d3fd05ed6b01e7fd93a
- SHA256: 05e0f79a1c435ee4d5f914b576b8d9c4a766895aad1da9186ac5a49cc98b3657
- SHA512: d97f9dfe0ec1c9803fb4f9e74e1ff0892b1068961cf7cd0d8fb1ac3d2b19b3c7d0852a4399b22259518c72b72b8d5d43434b510e904d27ddb9fd38652472828b
- SSDEEP: 24576:GbgG0BHv4m+8zFkv0DLfyfPRBad/XpD7Ao+v:8gL+QFQ6Lf0A17Gv
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  pid: 3852; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\concentus = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkstregningerne\\Euphuists.exe"; Process: wab.exe
- Drops file in System32 directory (1 IoCs)
  description: File created; ioc: C:\Windows\SysWOW64\jumpsuit.lnk; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid: 872; Process: wab.exe
  pid: 872; Process: wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid: 3852; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
  pid: 872; Process: wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 3852 set thread context of 872; pid: 3852; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe; procid_target: 93
- Drops file in Windows directory (2 IoCs)
  description: File opened for modification; ioc: C:\Windows\resources\0409\Halvlangt.lre; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
  description: File opened for modification; ioc: C:\Windows\Voksaftryk.Unw244; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid: 3852; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 872; Process: wab.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 3852 wrote to memory of 872; pid: 3852; Process: AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe; procid_target: 93 (this entry is recorded five times)
Processes
- C:\Users\Admin\AppData\Local\Temp\AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe"
  PID: 3852
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\windows mail\wab.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AKBANK 002'den oluşturulan fatura ödemesiMerkantiliserendes.exe"
    PID: 872
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
- MD5: cff85c549d536f651d4fb8387f1976f2
- SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
- SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
- SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88