Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/03/2024, 17:58
Static task
static1
Behavioral task
behavioral1
Sample
dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe
Resource
win10v2004-20240226-en
General
-
Target
dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe
-
Size
710KB
-
MD5
96ac4013d30d6dea4a0eb3ea2b4a3e22
-
SHA1
c539ae8ab18d240b7b761baa2840076b191a7e4e
-
SHA256
f164ce16a674a43c3b7d06100e60136389aa00502051103abdd88f741ca58ba8
-
SHA512
0f45309f44c7e8f451ac6f34587a90a515eeec6cff2e6f1a856108677111b0e7875e5e05ff8e43858e2c0ed0c619e9a8a87fcc495edeb53c4df51c435c045e13
-
SSDEEP
12288:QBtsy/j21yyxK+TgFA2huBs3oV6npo8wOZK0oBGrjAF0etpkjysdOD:Zy/j2cyY+Y0i3odJCyBfj/kjylD
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2632 1440 WerFault.exe 27 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 2564 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe Token: SeDebugPrivilege 2564 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1440 wrote to memory of 2564 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 28 PID 1440 wrote to memory of 2564 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 28 PID 1440 wrote to memory of 2564 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 28 PID 1440 wrote to memory of 2564 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 28 PID 1440 wrote to memory of 2632 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 30 PID 1440 wrote to memory of 2632 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 30 PID 1440 wrote to memory of 2632 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 30 PID 1440 wrote to memory of 2632 1440 dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe"C:\Users\Admin\AppData\Local\Temp\dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dekont_06.03.2024 MaximumİşyerimİşlemÖzetiniz.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 9242⤵
- Program crash
PID:2632
-