Overview

overview

8

Static

static

3

MP4_Vaka -...p4.exe

windows7-x64

8

MP4_Vaka -...p4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13/05/2024, 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MP4_Vaka -Şirketinizin Araç Numarası.mp4.exe

  • Size

    713KB

  • MD5

    537f40012f50b489ff7ce3596ce9d1dc

  • SHA1

    04ab32d9cea4cd1cf2186a6b0e7bdff324d0df14

  • SHA256

    975ad7e67c3a5cf1b392277b0ee8ab4d04975437c1ecf49829bcacaa31ec609d

  • SHA512

    a0111b5569da9ae0e6d0ca55d18e3b8800d85c7205f05f653cfd70d5fa8cec813a185c77bf3aa21f8f3b6655ab5c3830c17bf1d672869d7bbe6669a854c0e9f3

  • SSDEEP

    12288:6fTeH81jJUoGqQte9X0nbOOYzaiKpca+O6h38+o4OPSD/LUZSqjeQ:D8MoG1s1aY9a+O6hsGOP9y

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MP4_Vaka -Şirketinizin Araç Numarası.mp4.exe
    "C:\Users\Admin\AppData\Local\Temp\MP4_Vaka -Şirketinizin Araç Numarası.mp4.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MP4_Vaka -Şirketinizin Araç Numarası.mp4.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ntCuVbDmy.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ntCuVbDmy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36BA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1036
      2⤵
      • Program crash
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp36BA.tmp
    Filesize

    1KB

    MD5

    5e980e89f7e5831eb3cb036ff20254d4

    SHA1

    70831ecd3468ae592eea98f2b954bc533275ee12

    SHA256

    67c97ab3788eaae8dbf1241b9dcf2b515cb78c7953b458b49619c3e286f3d9ed

    SHA512

    c239334a74c9c67d785a3897a8b584df470f3bcf9c204c660b2d8be4fb0e3341e8646529969e95e4a57719d3e921b9073bd7a8ec57a4c7d166f3777a8336be08

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    72ab7548849bb21c328621ebcfc8593f

    SHA1

    4b98896f4240cfff7e87cd692e7bdba866bc17e1

    SHA256

    a82018a2faf42b1f2c2f25dbb51e9e41ff7ca59a6a92fc00546a12fa4088aded

    SHA512

    3e9679bc05d4caede597d94d26361425724255a6f40d7b1a7b62813677f3589081052f058996e496948cc91b591a943fd5b3e808faf9efea09dbf050a8e93b5f

    Download Submit

  • memory/2848-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-1-0x00000000010A0000-0x0000000001158000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2848-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2848-3-0x0000000000340000-0x0000000000360000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2848-4-0x0000000000530000-0x0000000000540000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-5-0x0000000000540000-0x0000000000556000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2848-6-0x0000000005300000-0x0000000005384000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2848-19-0x00000000747AE000-0x00000000747AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-20-0x00000000747A0000-0x0000000074E8E000-memory.dmp

    Filesize

    6.9MB

    Download