modiloader | 9ad05e28fec2e97732380986f8b645298d6cce8c1e4e8ca27d3ddf89cc05426e

Analysis

max time kernel
70s
max time network
72s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat_Bankasi_Swift_Mesaji_DXB04958T.gz
Size

949KB
MD5

e03958d8be1c86d13809017c9df1b774
SHA1

3d064aa9ce1c26f0e0fff1251150467260fe87d8
SHA256

9ad05e28fec2e97732380986f8b645298d6cce8c1e4e8ca27d3ddf89cc05426e
SHA512

a3d8efc3e6b101303ff3eb712ce7222b5d7e42fc408f0f90013f08b72155fdb18a5ad6b896a40680d2eaeb460a0fcd2841bff81c925c611805598ace6bce781d
SSDEEP

24576:x0v1fers4iESTpLQw/REdhakd0NCsoDqT0u5Twb2ZRIiIONNQVhM+h:+9AspLQw0hakdCCqTD5Twb2ZgONNUJ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2660-46-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-52-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-110-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-106-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-124-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-121-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-64-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-120-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-63-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-114-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-111-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-62-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-104-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-60-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-97-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-95-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-92-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-58-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-90-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-87-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-83-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-81-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-78-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-76-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-73-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-71-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-69-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-68-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-66-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-128-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-126-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-123-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-122-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-119-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-117-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-115-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-113-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-112-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-107-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-61-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-103-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-101-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-98-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-59-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-93-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-91-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-89-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-88-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-86-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-84-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-82-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-57-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-79-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-56-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-77-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-75-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-51-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-54-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-55-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-50-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2
behavioral1/memory/2660-53-0x0000000003680000-0x0000000004680000-memory.dmp	modiloader_stage2

Executes dropped EXE 24 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exeAnyDesk.PIFalpha.exealpha.exealpha.exealpha.exekn.exealpha.exekn.exeAnyDesk.PIFalpha.exealpha.exealpha.exealpha.exekn.exealpha.exekn.exeAnyDesk.PIFalpha.exealpha.exe

pid	process
3012	alpha.exe
2820	alpha.exe
2748	kn.exe
2668	alpha.exe
2616	kn.exe
2660	AnyDesk.PIF
2732	alpha.exe
2188	alpha.exe
2580	alpha.exe
824	alpha.exe
960	kn.exe
628	alpha.exe
1676	kn.exe
1332	AnyDesk.PIF
1712	alpha.exe
1284	alpha.exe
2292	alpha.exe
3052	alpha.exe
2428	kn.exe
1068	alpha.exe
2472	kn.exe
2488	AnyDesk.PIF
1784	alpha.exe
2044	alpha.exe

Loads dropped DLL 8 IoCs

Processes:

cmd.exealpha.exeWerFault.exeWerFault.exeWerFault.exe

pid process

2880 cmd.exe
2820 alpha.exe
2528 WerFault.exe
2528 WerFault.exe
2648 WerFault.exe
2648 WerFault.exe
2328 WerFault.exe
2328 WerFault.exe
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2528 2660 WerFault.exe AnyDesk.PIF
2648 1332 WerFault.exe AnyDesk.PIF
2328 2488 WerFault.exe AnyDesk.PIF

pid	process
2880	cmd.exe
2820	alpha.exe
2528	WerFault.exe
2528	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe

pid	pid_target	process	target process
2528	2660	WerFault.exe	AnyDesk.PIF
2648	1332	WerFault.exe	AnyDesk.PIF
2328	2488	WerFault.exe	AnyDesk.PIF

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AnyDesk.PIFAnyDesk.PIFAnyDesk.PIF

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.PIF
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.PIF

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

Processes:

AnyDesk.PIFAnyDesk.PIFAnyDesk.PIF

pid process

2660 AnyDesk.PIF
1332 AnyDesk.PIF
2488 AnyDesk.PIF
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7zFM.exe

pid process

1192 7zFM.exe
1192 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1192 7zFM.exe

pid	process
2660	AnyDesk.PIF
1332	AnyDesk.PIF
2488	AnyDesk.PIF

pid	process
1192	7zFM.exe
1192	7zFM.exe

pid	process
1192	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	1192	7zFM.exe
Token: 35	1192	7zFM.exe
Token: SeSecurityPrivilege	1192	7zFM.exe
Token: SeSecurityPrivilege	1192	7zFM.exe
Token: SeSecurityPrivilege	1192	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

7zFM.exe

pid process

1192 7zFM.exe
1192 7zFM.exe
1192 7zFM.exe
1192 7zFM.exe
1192 7zFM.exe
1192 7zFM.exe

pid	process
1192	7zFM.exe
1192	7zFM.exe
1192	7zFM.exe
1192	7zFM.exe
1192	7zFM.exe
1192	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7zFM.execmd.exealpha.exealpha.exealpha.exeAnyDesk.PIFcmd.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 1192 wrote to memory of 2880	1192	7zFM.exe	cmd.exe
PID 1192 wrote to memory of 2880	1192	7zFM.exe	cmd.exe
PID 1192 wrote to memory of 2880	1192	7zFM.exe	cmd.exe
PID 2880 wrote to memory of 2620	2880	cmd.exe	extrac32.exe
PID 2880 wrote to memory of 2620	2880	cmd.exe	extrac32.exe
PID 2880 wrote to memory of 2620	2880	cmd.exe	extrac32.exe
PID 2880 wrote to memory of 3012	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 3012	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 3012	2880	cmd.exe	alpha.exe
PID 3012 wrote to memory of 2252	3012	alpha.exe	extrac32.exe
PID 3012 wrote to memory of 2252	3012	alpha.exe	extrac32.exe
PID 3012 wrote to memory of 2252	3012	alpha.exe	extrac32.exe
PID 2880 wrote to memory of 2820	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2820	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2820	2880	cmd.exe	alpha.exe
PID 2820 wrote to memory of 2748	2820	alpha.exe	kn.exe
PID 2820 wrote to memory of 2748	2820	alpha.exe	kn.exe
PID 2820 wrote to memory of 2748	2820	alpha.exe	kn.exe
PID 2880 wrote to memory of 2668	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2668	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2668	2880	cmd.exe	alpha.exe
PID 2668 wrote to memory of 2616	2668	alpha.exe	kn.exe
PID 2668 wrote to memory of 2616	2668	alpha.exe	kn.exe
PID 2668 wrote to memory of 2616	2668	alpha.exe	kn.exe
PID 2880 wrote to memory of 2660	2880	cmd.exe	AnyDesk.PIF
PID 2880 wrote to memory of 2660	2880	cmd.exe	AnyDesk.PIF
PID 2880 wrote to memory of 2660	2880	cmd.exe	AnyDesk.PIF
PID 2880 wrote to memory of 2660	2880	cmd.exe	AnyDesk.PIF
PID 2880 wrote to memory of 2732	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2732	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2732	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2188	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2188	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2188	2880	cmd.exe	alpha.exe
PID 2660 wrote to memory of 2528	2660	AnyDesk.PIF	WerFault.exe
PID 2660 wrote to memory of 2528	2660	AnyDesk.PIF	WerFault.exe
PID 2660 wrote to memory of 2528	2660	AnyDesk.PIF	WerFault.exe
PID 2660 wrote to memory of 2528	2660	AnyDesk.PIF	WerFault.exe
PID 2236 wrote to memory of 448	2236	cmd.exe	extrac32.exe
PID 2236 wrote to memory of 448	2236	cmd.exe	extrac32.exe
PID 2236 wrote to memory of 448	2236	cmd.exe	extrac32.exe
PID 2236 wrote to memory of 2580	2236	cmd.exe	alpha.exe
PID 2236 wrote to memory of 2580	2236	cmd.exe	alpha.exe
PID 2236 wrote to memory of 2580	2236	cmd.exe	alpha.exe
PID 2580 wrote to memory of 2272	2580	alpha.exe	extrac32.exe
PID 2580 wrote to memory of 2272	2580	alpha.exe	extrac32.exe
PID 2580 wrote to memory of 2272	2580	alpha.exe	extrac32.exe
PID 2236 wrote to memory of 824	2236	cmd.exe	alpha.exe
PID 2236 wrote to memory of 824	2236	cmd.exe	alpha.exe
PID 2236 wrote to memory of 824	2236	cmd.exe	alpha.exe
PID 824 wrote to memory of 960	824	alpha.exe	kn.exe
PID 824 wrote to memory of 960	824	alpha.exe	kn.exe
PID 824 wrote to memory of 960	824	alpha.exe	kn.exe
PID 2236 wrote to memory of 628	2236	cmd.exe	alpha.exe
PID 2236 wrote to memory of 628	2236	cmd.exe	alpha.exe
PID 2236 wrote to memory of 628	2236	cmd.exe	alpha.exe
PID 628 wrote to memory of 1676	628	alpha.exe	kn.exe
PID 628 wrote to memory of 1676	628	alpha.exe	kn.exe
PID 628 wrote to memory of 1676	628	alpha.exe	kn.exe
PID 2236 wrote to memory of 1332	2236	cmd.exe	AnyDesk.PIF
PID 2236 wrote to memory of 1332	2236	cmd.exe	AnyDesk.PIF
PID 2236 wrote to memory of 1332	2236	cmd.exe	AnyDesk.PIF
PID 2236 wrote to memory of 1332	2236	cmd.exe	AnyDesk.PIF
PID 2236 wrote to memory of 1712	2236	cmd.exe	alpha.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.gz"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO8A44C2F6\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\System32\extrac32.exe
    C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
    3⤵
    PID:2620
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      4⤵
      PID:2252
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\7zO8A44C2F6\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\7zO8A44C2F6\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
      4⤵
      Executes dropped EXE
      PID:2748
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
      4⤵
      Executes dropped EXE
      PID:2616
- - C:\Users\Public\Libraries\AnyDesk.PIF
    C:\Users\Public\Libraries\AnyDesk.PIF
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 696
      4⤵
      Loads dropped DLL
      Program crash
      PID:2528
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
    3⤵
    - Executes dropped EXE
    PID:2188

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:448
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:2272
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
    3⤵
    - Executes dropped EXE
    PID:960
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
    3⤵
    - Executes dropped EXE
    PID:1676
- C:\Users\Public\Libraries\AnyDesk.PIF
  C:\Users\Public\Libraries\AnyDesk.PIF
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 684
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2648
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1284

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "
1⤵
PID:1540
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:956
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:2440
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
  2⤵
  - Executes dropped EXE
  PID:3052
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
    3⤵
    - Executes dropped EXE
    PID:2428
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
  2⤵
  - Executes dropped EXE
  PID:1068
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
    3⤵
    - Executes dropped EXE
    PID:2472
- C:\Users\Public\Libraries\AnyDesk.PIF
  C:\Users\Public\Libraries\AnyDesk.PIF
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 696
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2328
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8A44C2F6\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

Filesize
3.2MB

MD5
5f351f07b94613764a8bc09970bbcd58

SHA1
47fcfcac926a0007010b7afb776671d2276b8b81

SHA256
2a81c419a9fcd1eb9f778dba6911c366586b0ae9a5cf2cd25155413bfbff9eea

SHA512
49ddfcc8f58117ec824e35b1a2bf6928cf580e4337a8f9aa1d7d4dc62a6e93bb811702d0ed2c970f1f0a08b013ffc5ba6dcc6951c6d59f9a0d7915c3b9f3baae

Download Submit
C:\Users\Public\AnyDesk.jpeg

Filesize
2.3MB

MD5
04ad7e38aa2f399b5862e6267697632a

SHA1
a30e9c94bb215f0b96a651432f8f74f4a06284de

SHA256
da4101eba193661f3016d2b4b6328cf8d0cb16ac58c1470683bc07d8baf34ebe

SHA512
b7cacc98c0d5c7b3f03cde8b294cb6534be25c560e78c6cf5304285774b56493e98346152a587162d1347eddc7f751bd164a78dd257383b0b59b37d89d6ba5a8

Download Submit
C:\Users\Public\Libraries\AnyDesk.PIF

Filesize
1.2MB

MD5
2ef70d96354cc04d9168e8f69e7b17a0

SHA1
92eee1bb5de4f4d50805101b83e4a3a1a602856b

SHA256
5842b3e5271efed831bf21f4821431bb1a7dcc94bafab135b62d34bfdb32f503

SHA512
3c46f059b5e2c806efdfea71dad8bcc236bfc753dc3b15e637d6697231313b68232d0f4bc6921b41ed76f2471891718678ec7b6c6dda0a5d7c9f7ae8a57580b3

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/2660-46-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-45-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-48-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2660-52-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-110-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-106-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-124-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-121-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-64-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-120-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-63-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-114-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-111-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-62-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-104-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-60-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-97-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-95-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-92-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-58-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-90-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-87-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-83-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-81-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-78-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-76-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-73-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-71-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-69-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-68-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-66-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-128-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-126-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-123-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-122-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-119-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-117-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-115-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-113-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-112-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-107-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-61-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-103-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-101-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-98-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-59-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-93-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-91-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-89-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-88-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-86-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-84-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-82-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-57-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-79-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-56-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-77-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-75-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-51-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-54-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-55-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-50-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download
memory/2660-53-0x0000000003680000-0x0000000004680000-memory.dmp

Filesize
16.0MB

Download