db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat Bankası Swift Mesaji2.bat.exe
Size

1.1MB
MD5

e4df9a487d5c234c9bf5d406596404bf
SHA1

8111cc21c3fcd1ea98e398e92f190ce98769f3e5
SHA256

db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8
SHA512

379e55976e6e5d9ddc1bdeb30dda8b04f75a827862af26f3670dd53039a0aac11e79e76517ff4281b17a1e7be0832e5be8120088729cb67036e388517fcb7c65
SSDEEP

24576:sfPjKr5BNDRLpxLMD/wc2IUbvYuWtu0uSJ6fd9tOF3kF:uk5BN9TLlLIx5truxf5IUF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2968	2748	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2748	Ziraat Bankası Swift Mesaji2.bat.exe
2748	Ziraat Bankası Swift Mesaji2.bat.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	Ziraat Bankası Swift Mesaji2.bat.exe
Token: SeDebugPrivilege	2872	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2872	2748	Ziraat Bankası Swift Mesaji2.bat.exe	28
PID 2748 wrote to memory of 2872	2748	Ziraat Bankası Swift Mesaji2.bat.exe	28
PID 2748 wrote to memory of 2872	2748	Ziraat Bankası Swift Mesaji2.bat.exe	28
PID 2748 wrote to memory of 2872	2748	Ziraat Bankası Swift Mesaji2.bat.exe	28
PID 2748 wrote to memory of 2860	2748	Ziraat Bankası Swift Mesaji2.bat.exe	30
PID 2748 wrote to memory of 2860	2748	Ziraat Bankası Swift Mesaji2.bat.exe	30
PID 2748 wrote to memory of 2860	2748	Ziraat Bankası Swift Mesaji2.bat.exe	30
PID 2748 wrote to memory of 2860	2748	Ziraat Bankası Swift Mesaji2.bat.exe	30
PID 2748 wrote to memory of 2968	2748	Ziraat Bankası Swift Mesaji2.bat.exe	32
PID 2748 wrote to memory of 2968	2748	Ziraat Bankası Swift Mesaji2.bat.exe	32
PID 2748 wrote to memory of 2968	2748	Ziraat Bankası Swift Mesaji2.bat.exe	32
PID 2748 wrote to memory of 2968	2748	Ziraat Bankası Swift Mesaji2.bat.exe	32

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankası Swift Mesaji2.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankası Swift Mesaji2.bat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TGSbzeKpGKpZ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TGSbzeKpGKpZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C5C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1016
  2⤵
  - Program crash
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4C5C.tmp

Filesize
1KB

MD5
9a7a95f951f8a23e118828aaa9e6c593

SHA1
1631d19a33a3a847d7622b1b18918ff0c3c9024d

SHA256
ed542e43dbfa14adf6e044a84fe1f008ca4890dd13248604de79c291d97ee6d3

SHA512
a9f7498e9f15b212a0847d26be709472ff1e035696909535b994d54c8615a0c52b14da790964009416172f5d1a1bbff51ce6543cc62c387e43aa70239b9bcbc4

Download Submit
memory/2748-0-0x0000000000250000-0x0000000000364000-memory.dmp

Filesize
1.1MB

Download
memory/2748-1-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-2-0x0000000004870000-0x00000000048B0000-memory.dmp

Filesize
256KB

Download
memory/2748-3-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/2748-4-0x0000000000460000-0x0000000000474000-memory.dmp

Filesize
80KB

Download
memory/2748-5-0x0000000005080000-0x0000000005140000-memory.dmp

Filesize
768KB

Download
memory/2748-13-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-14-0x0000000004870000-0x00000000048B0000-memory.dmp

Filesize
256KB

Download