1ad40de0cf81fa29f3e4f56b6ee0538f36a4ba922e7da921e9df2989c7fed54a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe
Size

3.2MB
MD5

588bd53ea30b397edb99b24c063ceff3
SHA1

43334ad8531990a4598e7f1421bb4c306645609a
SHA256

4f0fd95f22cefb18accffece2e7f28a51fc3a7987e03ae2896e3f2edde472bf7
SHA512

ba85538b758cd0fb73a5f682c62c30dab2abe765dee66cb2756acf93cf519b92b009b8ba8e92fd9ed4ad8f50514a5ff8f6387d1aa2cd90917b26395d3e9695bc
SSDEEP

49152:hVs5urLO7ffMKkU+efWBH7DSTEfdebYazpOgFvyjaZCCy2U:hrnHeNRwCyL

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs = "C:\\Users\\Admin\\TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe"	TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	cmstp.exe
Token: SeTakeOwnershipPrivilege	1740	cmstp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1740	2012	TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe	29
PID 2012 wrote to memory of 1740	2012	TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe	29
PID 2012 wrote to memory of 1740	2012	TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe	29

C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\TEKLİF TALEP VE FİYAT TEKLİFİ_xlxs.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2012
- \??\c:\windows\system32\cmstp.exe
  c:\windows\system32\cmstp.exe /au C:\windows\temp\1317605824.inf
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows\temp\1317605824.inf

Filesize
555B

MD5
55bafbd0c6b199870e08807f1d7bce37

SHA1
7adba5787b395f5caf413025fd9fb7bbf44dd794

SHA256
4853a3170b20ac3b8cb08e8700a58afc5a83a1bfd92a6a1dba6f5f6e5827d6cf

SHA512
efc9d9c3afd1d63f55e9577a541cae91829576706669faf38b046b0c9221a057cf19594025a3bea2a7978d789a086ce9c7849c154a979afd5b166d68007803e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads