Overview

overview

8

Static

static

1

Ödeme Ona...ı.exe

windows7-x64

8

Ödeme Ona...ı.exe

windows10-2004-x64

8

Artiklen/e...te.com

windows7-x64

Artiklen/e...te.com

windows10-2004-x64

Analysis

  • max time kernel
    146s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/06/2024, 13:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Ödeme Onayı Kopyası.exe

  • Size

    921KB

  • MD5

    d2c7ccf7ade1dd9cfe1fdbd518a13f6e

  • SHA1

    d230fd8d0794cd3515c5bc95f1d2fcd16b0e4fb3

  • SHA256

    91688e46b195ea7475b0caedb2b18613342883cbd29886628ef12a76f621e988

  • SHA512

    f145c8426b5c4bf8d43fc20fea6fc481670e0006de84c70b2b2865c5fb83abb2cb0a58a44860c44ef2321778528fe3b9c2e931bc248e3fb4ebc6ec68a2928ce0

  • SSDEEP

    24576:0wIC9jSMMMMMHLMMMMMMMMMMMMMo4H4I96u45SObZoo3c5lESaUnrRbzIWW:hIC9jSMMMMMHLMMMMMMMMMMMMMFsFdbx

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı Kopyası.exe
    "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı Kopyası.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4144
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Forfear=Get-Content 'C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Troostite.Sto';$Befordrende=$Forfear.SubString(52427,3);.$Befordrende($Forfear)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2232
          3⤵
          • Program crash
          PID:4536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1316 -ip 1316
      1⤵
        PID:1804

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfm0fg34.swe.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Troostite.Sto
              Filesize

              51KB

              MD5

              6d0539739ac2c229575a711d1f335aa8

              SHA1

              f851e7c908e948eb23981295cf0103252a4c603e

              SHA256

              86a0e8229fbaa2d7856856d035b91c2629c235f093b779464043ba1d2ac5e6e5

              SHA512

              2f73f409fe6528a629cfb53feecfa41ef090b77bb9ab3cde2310cea6e10d3c3905ead6d50c2ffcc788ad3abd0e2412c07c01cfc47895e436e0bc8ab03b468eeb

              Download Submit

            • memory/1316-22-0x00000000056B0000-0x0000000005A04000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1316-23-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1316-10-0x0000000004CF0000-0x0000000004D12000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1316-11-0x00000000055D0000-0x0000000005636000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1316-12-0x0000000005640000-0x00000000056A6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1316-9-0x0000000004EA0000-0x00000000054C8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1316-6-0x000000007382E000-0x000000007382F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1316-8-0x0000000073820000-0x0000000073FD0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1316-24-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1316-25-0x0000000006200000-0x0000000006296000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1316-26-0x00000000061B0000-0x00000000061CA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1316-27-0x00000000062A0000-0x00000000062C2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1316-28-0x00000000072F0000-0x0000000007894000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1316-7-0x00000000046D0000-0x0000000004706000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1316-30-0x0000000007F20000-0x000000000859A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1316-32-0x0000000073820000-0x0000000073FD0000-memory.dmp

              Filesize

              7.7MB

              Download