7e1381c64bd9b22722685486aede77240202f163ff0264196da0940d1554bc93

Resubmissions

07-11-2024 12:50

241107-p3ah3ssfmk 10

07-11-2024 12:47

241107-p1fmbavmfj 8

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

=XUTF-8XQXyeni_sipari=C5=9F=2Er00X=.rar
Size

558KB
MD5

027b03cee16500f3c919be5bdbbb23be
SHA1

3e463e6f6675bb13a231706136927ea861299205
SHA256

7e1381c64bd9b22722685486aede77240202f163ff0264196da0940d1554bc93
SHA512

a6e5ce4d677bd58c6d0adca3269077866388a216a5020c0371224af67153da0eff6b98ba4f0235d4f5d728c159332898cb2b49c656d333aa18b79b2e52042de9
SSDEEP

12288:itvk9x/nnGkcyk8RHPj+/CqqCoq1WWQBV5bK9GeiWT4/D6zENA:ykfGkvL+/CqqCoq1RQocPWTeD5NA

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	yeni sipariş.pif

Loads dropped DLL 4 IoCs

pid	Process
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	2896	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yeni sipariş.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2896	yeni sipariş.pif
2896	yeni sipariş.pif
2896	yeni sipariş.pif
2896	yeni sipariş.pif
2896	yeni sipariş.pif
2896	yeni sipariş.pif
2988	powershell.exe
2896	yeni sipariş.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2588	7zFM.exe
Token: 35	2588	7zFM.exe
Token: SeSecurityPrivilege	2588	7zFM.exe
Token: SeDebugPrivilege	2896	yeni sipariş.pif
Token: SeDebugPrivilege	2988	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2588	7zFM.exe
2588	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2988	2896	yeni sipariş.pif	33
PID 2896 wrote to memory of 2988	2896	yeni sipariş.pif	33
PID 2896 wrote to memory of 2988	2896	yeni sipariş.pif	33
PID 2896 wrote to memory of 2988	2896	yeni sipariş.pif	33
PID 2896 wrote to memory of 2176	2896	yeni sipariş.pif	34
PID 2896 wrote to memory of 2176	2896	yeni sipariş.pif	34
PID 2896 wrote to memory of 2176	2896	yeni sipariş.pif	34
PID 2896 wrote to memory of 2176	2896	yeni sipariş.pif	34
PID 2896 wrote to memory of 2680	2896	yeni sipariş.pif	37
PID 2896 wrote to memory of 2680	2896	yeni sipariş.pif	37
PID 2896 wrote to memory of 2680	2896	yeni sipariş.pif	37
PID 2896 wrote to memory of 2680	2896	yeni sipariş.pif	37

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\=XUTF-8XQXyeni_sipari=C5=9F=2Er00X=.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2588

C:\Users\Admin\Desktop\yeni sipariş.pif
"C:\Users\Admin\Desktop\yeni sipariş.pif"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RePUtenbQjvc.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RePUtenbQjvc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1088
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D0E.tmp

Filesize
1KB

MD5
0c915d57bf343625f50632a76b82adf2

SHA1
fc6f9afa1d4f7b7d27137d72aa88b4fa37d8f49c

SHA256
14168aa8eaa7ca07ddfb4a2c8ca8b515e9e2f8a05a73c71147efd1d6b3982965

SHA512
4eaa2524aae02168f2bbc174316e06c99432363faa0e3ffa0aa2c0fe32ec2d1f4622934b17ccbd54752ba707a8959e915ca1d734d5cc832e958085c707106487

Download Submit
C:\Users\Admin\Desktop\yeni sipariş.pif

Filesize
603KB

MD5
adf22eb2587ab26a966c2c9673580a73

SHA1
a846d4a58ae7b294c1958cc538b5ed103e7445fb

SHA256
a1777be6284799cc06a9d9072f4f3d2181287fb7770cbd7dbfb5bbd7d031dc30

SHA512
bde338b7d5d338dba1e8aeb0bcd5e5e390025aec48e4fffe518b194a22fe6aee4cd1db0480e682e85d9d4ac20cc2ab1c4da9fb8fc03b57344145d94390a6ff34

Download Submit
memory/2896-4-0x00000000010F0000-0x000000000118C000-memory.dmp

Filesize
624KB

Download
memory/2896-5-0x00000000005E0000-0x00000000005FE000-memory.dmp

Filesize
120KB

Download
memory/2896-6-0x0000000000310000-0x0000000000378000-memory.dmp

Filesize
416KB

Download