52f4e93c52a70db0d77c0fa2c3468aab038f3ca684cabece333b7497d3cf773a

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ödeme kopyası.pdf.rar
Size

449KB
MD5

1a45c595585575d4449d876545ea00d4
SHA1

a3377beb563e75b32b730e353b825972ec593086
SHA256

db84ecf28cf9c25af8f91b5e442b61ad9499cebb0327fd9b9c7a015c5c15b9e9
SHA512

471a19e46e06e3e7b69af94dab44ff8a0420ec953cf83aca48cdb050c4af1e37cfcdf64fc6720880a56a69bc6b84a16081df9a7e790b480863f0b4178d79d045
SSDEEP

12288:YoNlFNIMvUB4q1Suw9NdELCpXMPbHjfGGnU:YoN7N+H1tegbPPfGGnU

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2628	1672	cmd.exe	29
PID 1672 wrote to memory of 2628	1672	cmd.exe	29
PID 1672 wrote to memory of 2628	1672	cmd.exe	29
PID 2628 wrote to memory of 2736	2628	rundll32.exe	30
PID 2628 wrote to memory of 2736	2628	rundll32.exe	30
PID 2628 wrote to memory of 2736	2628	rundll32.exe	30
PID 2736 wrote to memory of 1532	2736	rundll32.exe	31
PID 2736 wrote to memory of 1532	2736	rundll32.exe	31
PID 2736 wrote to memory of 1532	2736	rundll32.exe	31
PID 1532 wrote to memory of 2620	1532	rundll32.exe	32
PID 1532 wrote to memory of 2620	1532	rundll32.exe	32
PID 1532 wrote to memory of 2620	1532	rundll32.exe	32
PID 2620 wrote to memory of 3004	2620	rundll32.exe	33
PID 2620 wrote to memory of 3004	2620	rundll32.exe	33
PID 2620 wrote to memory of 3004	2620	rundll32.exe	33
PID 3004 wrote to memory of 2756	3004	rundll32.exe	36
PID 3004 wrote to memory of 2756	3004	rundll32.exe	36
PID 3004 wrote to memory of 2756	3004	rundll32.exe	36
PID 2756 wrote to memory of 3012	2756	rundll32.exe	37
PID 2756 wrote to memory of 3012	2756	rundll32.exe	37
PID 2756 wrote to memory of 3012	2756	rundll32.exe	37
PID 3012 wrote to memory of 2560	3012	rundll32.exe	38
PID 3012 wrote to memory of 2560	3012	rundll32.exe	38
PID 3012 wrote to memory of 2560	3012	rundll32.exe	38
PID 2560 wrote to memory of 1868	2560	rundll32.exe	39
PID 2560 wrote to memory of 1868	2560	rundll32.exe	39
PID 2560 wrote to memory of 1868	2560	rundll32.exe	39
PID 1868 wrote to memory of 1748	1868	rundll32.exe	40
PID 1868 wrote to memory of 1748	1868	rundll32.exe	40
PID 1868 wrote to memory of 1748	1868	rundll32.exe	40
PID 1748 wrote to memory of 2684	1748	rundll32.exe	41
PID 1748 wrote to memory of 2684	1748	rundll32.exe	41
PID 1748 wrote to memory of 2684	1748	rundll32.exe	41
PID 2684 wrote to memory of 2008	2684	rundll32.exe	42
PID 2684 wrote to memory of 2008	2684	rundll32.exe	42
PID 2684 wrote to memory of 2008	2684	rundll32.exe	42
PID 2008 wrote to memory of 2484	2008	rundll32.exe	43
PID 2008 wrote to memory of 2484	2008	rundll32.exe	43
PID 2008 wrote to memory of 2484	2008	rundll32.exe	43
PID 2484 wrote to memory of 2400	2484	rundll32.exe	44
PID 2484 wrote to memory of 2400	2484	rundll32.exe	44
PID 2484 wrote to memory of 2400	2484	rundll32.exe	44
PID 2400 wrote to memory of 2932	2400	rundll32.exe	45
PID 2400 wrote to memory of 2932	2400	rundll32.exe	45
PID 2400 wrote to memory of 2932	2400	rundll32.exe	45
PID 2932 wrote to memory of 292	2932	rundll32.exe	46
PID 2932 wrote to memory of 292	2932	rundll32.exe	46
PID 2932 wrote to memory of 292	2932	rundll32.exe	46
PID 292 wrote to memory of 812	292	rundll32.exe	47
PID 292 wrote to memory of 812	292	rundll32.exe	47
PID 292 wrote to memory of 812	292	rundll32.exe	47
PID 812 wrote to memory of 780	812	rundll32.exe	48
PID 812 wrote to memory of 780	812	rundll32.exe	48
PID 812 wrote to memory of 780	812	rundll32.exe	48
PID 780 wrote to memory of 1632	780	rundll32.exe	49
PID 780 wrote to memory of 1632	780	rundll32.exe	49
PID 780 wrote to memory of 1632	780	rundll32.exe	49
PID 1632 wrote to memory of 620	1632	rundll32.exe	50
PID 1632 wrote to memory of 620	1632	rundll32.exe	50
PID 1632 wrote to memory of 620	1632	rundll32.exe	50
PID 620 wrote to memory of 2456	620	rundll32.exe	51
PID 620 wrote to memory of 2456	620	rundll32.exe	51
PID 620 wrote to memory of 2456	620	rundll32.exe	51
PID 2456 wrote to memory of 2980	2456	rundll32.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        5⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        6⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        7⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        8⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        9⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        10⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        11⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        12⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        13⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        14⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        15⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        16⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        17⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        18⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        19⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        20⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        21⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        22⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        23⤵
        Modifies registry class
        
        PID:2980
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        24⤵
        Modifies registry class
        
        PID:1512
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Ödeme kopyası.pdf.rar
        25⤵
        Modifies registry class
        
        PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads