2f16279e427a4195d134a8f4eaa2bbdb1187efa912e90947baa157097d89bdf6

General

Target

KTR Bilgisayar Yönetimi/KTR Bilgisayar Yönetimi.exe
Size

11.8MB
MD5

eb7c879f11b54f291ce0126d62dcf341
SHA1

a14c6530b24916eea2bd2237b790a338df6a7bea
SHA256

209f83f34903c8db51f8ea1b54c8f0093b612447d31908bac081372377d89c06
SHA512

c453c588b9f5f522ccc2f42e255f68ff38e984810def9ec4c6ee50b6407ac19df8994698120b3482dd29f3425f0e9d36afe872e0093306c804ee88c4c16ac9ce
SSDEEP

196608:CSQSap4bqiip34pkr2dY/aBcjJOBHOBIQBajMtWvoJiLE1+XgRKz89G/4ZSb0Fu5:wkqiiKpkr2dY/aBcjJOBHOBIQBajMtWb

Score

7^/10

agilenet discovery

Malware Config

Signatures

Loads dropped DLL 8 IoCs

Processes:

KTR Bilgisayar Yönetimi.exe

pid	process
4844	KTR Bilgisayar Yönetimi.exe
4844	KTR Bilgisayar Yönetimi.exe
4844	KTR Bilgisayar Yönetimi.exe
4844	KTR Bilgisayar Yönetimi.exe
4844	KTR Bilgisayar Yönetimi.exe
4844	KTR Bilgisayar Yönetimi.exe
4844	KTR Bilgisayar Yönetimi.exe
4844	KTR Bilgisayar Yönetimi.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4844-15-0x0000000005AC0000-0x0000000005B26000-memory.dmp	agile_net
behavioral2/memory/4844-27-0x0000000006310000-0x0000000006332000-memory.dmp	agile_net

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

KTR Bilgisayar Yönetimi.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KTR Bilgisayar Yönetimi.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

KTR Bilgisayar Yönetimi.exe

pid process

4844 KTR Bilgisayar Yönetimi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

KTR Bilgisayar Yönetimi.exe

description pid process

Token: SeDebugPrivilege 4844 KTR Bilgisayar Yönetimi.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

KTR Bilgisayar Yönetimi.exe

pid process

4844 KTR Bilgisayar Yönetimi.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

KTR Bilgisayar Yönetimi.exe

pid process

4844 KTR Bilgisayar Yönetimi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KTR Bilgisayar Yönetimi.exe

description	pid	process
Token: SeDebugPrivilege	4844	KTR Bilgisayar Yönetimi.exe

C:\Users\Admin\AppData\Local\Temp\KTR Bilgisayar Yönetimi\KTR Bilgisayar Yönetimi.exe
"C:\Users\Admin\AppData\Local\Temp\KTR Bilgisayar Yönetimi\KTR Bilgisayar Yönetimi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evbB41F.tmp

Filesize
1KB

MD5
74887ca999f4b8ffffe5cf8332228a97

SHA1
a8ba417a457c8e7c3249c5886d2b557069e6ff83

SHA256
54903acc19ebb20f8baa54f7762321d9fdbdaef33c65810f514f13c83274ad48

SHA512
9d44835d57674f2cac1469b614d8702d215ba08808cc5748d92699a979d9b2135b9211984e90c42ea3c9e40ab4c04181fa7bca81a93b891da1ad634a45decc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbB598.tmp

Filesize
1KB

MD5
3484fc718591b1bc922890aa43c55084

SHA1
dbdf7a239f5c41e5fe659e56a6dd42e892d6c1c7

SHA256
6dd23f620a9b78941e5ae2b7cf8de1a83a3cc0367d2dd31d456162522c4f9c89

SHA512
e00ac233dfff6bf17515d1c38d0c3b0f132bebbfa57f8fb74e1903d16239332b43f80bce12b3091ff277be2877669837eeb8f3a6046a471a53e53456947642c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbBAF8.tmp

Filesize
1KB

MD5
e10fba65e25939099efc1a1162417a38

SHA1
6caa91c88d255dd6ea5bb774219e0c162350f0bc

SHA256
634d7e9ba6e90b5fab74ea3e8d05d8b341be5e69c1175c4f62d99a0015e76a8d

SHA512
6a8b3d8bcabb0f505db687e58f9fe19df00a98ebe4b1e49f5e19bbef3ad431e085dfd16e0f56acea5504df5ba606e0d4c3510e0de00ec224d90fb224090cdc7c

Download Submit
memory/4844-30-0x0000000006430000-0x0000000006446000-memory.dmp

Filesize
88KB

Download
memory/4844-3-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/4844-31-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-6-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4844-1-0x0000000077BB2000-0x0000000077BB3000-memory.dmp

Filesize
4KB

Download
memory/4844-16-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4844-15-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4844-17-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-18-0x0000000005BC0000-0x0000000005BCA000-memory.dmp

Filesize
40KB

Download
memory/4844-27-0x0000000006310000-0x0000000006332000-memory.dmp

Filesize
136KB

Download
memory/4844-28-0x00000000062E0000-0x0000000006302000-memory.dmp

Filesize
136KB

Download
memory/4844-40-0x0000000007330000-0x0000000007360000-memory.dmp

Filesize
192KB

Download
memory/4844-29-0x0000000006340000-0x00000000063A6000-memory.dmp

Filesize
408KB

Download
memory/4844-0-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4844-5-0x0000000005400000-0x00000000059A4000-memory.dmp

Filesize
5.6MB

Download
memory/4844-4-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/4844-2-0x0000000077BB3000-0x0000000077BB4000-memory.dmp

Filesize
4KB

Download
memory/4844-51-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4844-49-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-52-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4844-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4844-53-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/4844-54-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4844-55-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-56-0x00000000062E0000-0x0000000006302000-memory.dmp

Filesize
136KB

Download
memory/4844-57-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-62-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4844-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4844-64-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing