af3c7e6a0a3a7820032073ec956416dd3f8c9248a485753403b95adf43a31c2e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/12/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat Bankası Swift Mesajı.exe
Size

213KB
MD5

f2709d58d0876f2f996e3ed7f80e8a35
SHA1

4c86929c776b27a80de42113963e8ba309e67bb7
SHA256

66a3bd7fa8f6c6f0fbeb6afa6f5b13ae1c2e09600d17e49d94556f680f5a277b
SHA512

46aebb672626ea7924ab256782ce7a1c0de9b5ebf9da794e8edb886a187b47a719f79886f60849df46b37f5cff39250d208703339ce0c4e44f4fb6c40cabd9a7
SSDEEP

6144:HNeZmx8VObAOHDOScqKwgSTwB95PnbjbvLAZSOgAurZAm/qY:HNly4bfySXK5n5PbjbHRhZABY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	aqfvej.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4604	2832	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ziraat Bankası Swift Mesajı.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqfvej.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2832	1948	Ziraat Bankası Swift Mesajı.exe	82
PID 1948 wrote to memory of 2832	1948	Ziraat Bankası Swift Mesajı.exe	82
PID 1948 wrote to memory of 2832	1948	Ziraat Bankası Swift Mesajı.exe	82
PID 2832 wrote to memory of 2584	2832	aqfvej.exe	83
PID 2832 wrote to memory of 2584	2832	aqfvej.exe	83
PID 2832 wrote to memory of 2584	2832	aqfvej.exe	83

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankası Swift Mesajı.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankası Swift Mesajı.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\aqfvej.exe
  C:\Users\Admin\AppData\Local\Temp\aqfvej.exe C:\Users\Admin\AppData\Local\Temp\fjcyjuzs
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\aqfvej.exe
    C:\Users\Admin\AppData\Local\Temp\aqfvej.exe C:\Users\Admin\AppData\Local\Temp\fjcyjuzs
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 524
    3⤵
    - Program crash
    PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2832 -ip 2832
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqfvej.exe

Filesize
3KB

MD5
8762d96314aa376a765ea0ab07cb9637

SHA1
8e91d715bc8a617d2b2fe81dc0b6ffce1e3bafb5

SHA256
428ffb3962cd0c5758cf842792b131bcecb57a8014b42af2820395277b6a5574

SHA512
a366b2d2506852eb589aa2a1a3360413d48d6b081a23e131f4c6c12f9b65afa0db87d3d533da6d299c5a6f8903a76be1bc59a7235088ebe7b257daef67866b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\beld7guq4ljzd9cpcvnj

Filesize
185KB

MD5
0541e62058a30181328daabaa1dc5461

SHA1
3c33fba4f239b8ad2548bd28148c2115f3f96b6d

SHA256
4baf91256d2914b4025793c75b289506e4d55cc7e43950cb36ab38ba0fa20cbb

SHA512
86e741ea296a82ffee6f9eff9f839562193dbe98c27c02b4e994436921d01a655eb6e62ebad0de6fcfb2e1f523a46eea158829bb42be4265a89a523953b9e4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjcyjuzs

Filesize
5KB

MD5
ea2566be86b911ef935da116381a18fd

SHA1
6354439aa86fedec7b189b20d57aa5855b4e29cb

SHA256
b1729caa538284e20ce3b45f7c8cf05706530933048ad10246bbdb303d3249a2

SHA512
d5b503bca1285c0a557f6d0384577352437d274be28f0796543056b8f60771b11535806be51bbb1d2efb3ebc29fb0392e65ad5e70cc6f65d0f2f1f049673a758

Download Submit
memory/2832-8-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download