Analysis
-
max time kernel
147s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
02-07-2024 05:53
Static task
static1
Behavioral task
behavioral1
Sample
Ziraat Bankasi Swift Mesaji.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Ziraat Bankasi Swift Mesaji.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Nicaean/Gangbrdderne86.doc
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Nicaean/Gangbrdderne86.doc
Resource
win10v2004-20240611-en
General
-
Target
Ziraat Bankasi Swift Mesaji.exe
-
Size
853KB
-
MD5
57dbc2be60ede5140738c720a629781c
-
SHA1
b348e314c3f9be312725b23a0fecf491404caf66
-
SHA256
c7a6d57fc3d397c2b303477d8e1d4fea64fec51f46b0ddfad97a11527771702c
-
SHA512
8932c191f72eb089d346848164c36104e6114e39cdeed19d1e67a7546ce68f01d8fdadec2c6f9ce5a80915e5781631fd37018f9e57c3a1d54d677f2e9c6ae006
-
SSDEEP
24576:N3mYVFbTdL3LgGStF2C/GVOoD5jQZj7/MJhmO:N3mYV9x3SH2C/EOEm7lO
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020. In this run the sample behaves as a self-injecting loader: the first instance (PID 4072) starts a second copy of its own executable (PID 4492), writes into it five times, resets the child's thread context and maps a section in its own address space, and both instances mark their threads hidden from debuggers. The sample is packaged as an NSIS installer: $PLUGINSDIR/System.dll (dropped at run time as nsc322D.tmp\System.dll) is the NSIS System plugin, which lets the installer script call arbitrary native functions.
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
4072  Ziraat Bankasi Swift Mesaji.exe
4072  Ziraat Bankasi Swift Mesaji.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid   process
4072  Ziraat Bankasi Swift Mesaji.exe
4492  Ziraat Bankasi Swift Mesaji.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process                          target process
PID 4072 set thread context of 4492  4072  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description                   ioc                                              process
File opened for modification  C:\Program Files (x86)\Common Files\hansson.ini  Ziraat Bankasi Swift Mesaji.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
4072  Ziraat Bankasi Swift Mesaji.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description                       pid   process                          target process
PID 4072 wrote to memory of 4492  4072  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492  4072  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492  4072  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492  4072  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
PID 4072 wrote to memory of 4492  4072  Ziraat Bankasi Swift Mesaji.exe  Ziraat Bankasi Swift Mesaji.exe
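The signature rows above are individual API observations; what makes them a hollowing finding is their correlation: the same source PID writes into one target, then changes that target's thread context, and the two images share a name. The script below is an added example, not part of the report or of any sandbox's tooling. EVENTS is constructed by hand from the signature tables above (PIDs 4072 and 4492); the tuple layout (api, source pid, source image, target pid, target image) is an assumption made for this example, not an export format the sandbox provides. It also covers the general case of a hollow into a differently named target, which it reports with self_injection set to False.

```python
"""Correlate sandbox API events into a self-injection (hollowing) finding.

Added example, not part of the report or of any sandbox's own tooling.
EVENTS is constructed by hand from the signature tables in the report
(PIDs 4072 and 4492); the tuple layout is an assumption for this example.
"""
from collections import defaultdict

IMAGE = "Ziraat Bankasi Swift Mesaji.exe"

# (api, source_pid, source_image, target_pid, target_image); None = no target.
EVENTS = [
    ("NtSetInformationThread:HideFromDebugger", 4072, IMAGE, None, None),
    ("NtSetInformationThread:HideFromDebugger", 4492, IMAGE, None, None),
    ("MapViewOfSection", 4072, IMAGE, None, None),
] + [("WriteProcessMemory", 4072, IMAGE, 4492, IMAGE)] * 5 + [
    ("SetThreadContext", 4072, IMAGE, 4492, IMAGE),
]


def find_hollowing(events):
    """Return one finding per (source, target) pair that shows cross-process
    memory writes and a thread-context change, the minimal hollowing pattern.

    A pair whose two image names are identical is tagged self_injection (the
    GuLoader behaviour in this report). A pair with only writes, or only a
    context change, is not reported: both are needed to run foreign code.
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": set()})
    hide_from_debugger = set()
    maps_section = set()

    for api, spid, simg, tpid, timg in events:
        if api.startswith("NtSetInformationThread"):
            hide_from_debugger.add(spid)
        elif api == "MapViewOfSection":
            maps_section.add(spid)
        elif tpid is not None:
            pair = pairs[(spid, tpid)]
            pair["images"].update((simg, timg))
            if api == "WriteProcessMemory":
                pair["writes"] += 1
            elif api == "SetThreadContext":
                pair["ctx"] += 1

    findings = []
    for (spid, tpid), pair in sorted(pairs.items()):
        if pair["writes"] and pair["ctx"]:
            findings.append({
                "injector": spid,
                "target": tpid,
                "writes": pair["writes"],
                "self_injection": len(pair["images"]) == 1,
                "injector_maps_section": spid in maps_section,
                "both_hide_from_debugger": {spid, tpid} <= hide_from_debugger,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS):
        print(finding)
```

Run against the constructed events it yields a single finding for 4072 injecting into 4492 with five writes, self_injection, a section mapped by the injector and both processes hiding from the debugger. Dropping the SetThreadContext row yields no finding, which is the intended behaviour: writes alone (for example a legitimate debugger or an instrumentation agent) do not prove that the target was made to execute the written bytes.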
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe (PID 4072)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe (PID 4492, child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Common Files\hansson.ini
Filesize
43B
MD5
7e12fc067ec6fde7156ec11eeaab67b6
SHA1
789e752d7f5437c3f0ec58ad19f01f8a70b3ff12
SHA256
de7ad71debdcbe152a2f5cbd5aef0774cdc5e81d8aa5f8d708f1621ccb6625ac
SHA512
29e5863d536984d7ac250563665eeecec9e3e3d490dc24d82fdaa6b956fa1f328fd49b8e2716d5eebee298d39585afd63dcadd2897793f69076cc362b1f63101
-
C:\Users\Admin\AppData\Local\Temp\nsc322D.tmp\System.dll
Filesize
12KB
MD5
6e55a6e7c3fdbd244042eb15cb1ec739
SHA1
070ea80e2192abc42f358d47b276990b5fa285a9
SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
-
memory/4072-229-0x00000000046F0000-0x0000000007567000-memory.dmp
Filesize
46.5MB
-
memory/4072-230-0x00000000779E1000-0x0000000077B01000-memory.dmp
Filesize
1.1MB
-
memory/4072-231-0x0000000074845000-0x0000000074846000-memory.dmp
Filesize
4KB
-
memory/4072-234-0x00000000046F0000-0x0000000007567000-memory.dmp
Filesize
46.5MB
-
memory/4072-241-0x00000000046F0000-0x0000000007567000-memory.dmp
Filesize
46.5MB
-
memory/4492-232-0x0000000001AA0000-0x0000000004917000-memory.dmp
Filesize
46.5MB
-
memory/4492-233-0x0000000000840000-0x0000000001A94000-memory.dmp
Filesize
18.3MB
-
memory/4492-236-0x0000000001AA0000-0x0000000004917000-memory.dmp
Filesize
46.5MB
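The dump list is more useful than it looks: the 46.5MB region dumped from the parent (PID 4072 at 0x046F0000) and the 46.5MB region dumped from the child (PID 4492 at 0x01AA0000) are exactly the same size, 0x2E77000 bytes, at different bases, which is what a buffer transplanted by the injection above looks like from the outside, and it tells an analyst which of the eight dumps to carve first. The script below is an added example, not part of the report; DUMPS is copied from the dump names listed above, and the file-name layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read from those names and assumed to hold for every entry. It works on any such list, not only on this report's.

```python
"""Pair memory-dump regions across processes by size.

Added example, not part of the report. DUMPS is copied from the memory dump
names in the report's Downloads section; the file-name layout
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is an assumption read
from those names.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)

# Copied from the report above.
DUMPS = [
    "memory/4072-229-0x00000000046F0000-0x0000000007567000-memory.dmp",
    "memory/4072-230-0x00000000779E1000-0x0000000077B01000-memory.dmp",
    "memory/4072-231-0x0000000074845000-0x0000000074846000-memory.dmp",
    "memory/4072-234-0x00000000046F0000-0x0000000007567000-memory.dmp",
    "memory/4072-241-0x00000000046F0000-0x0000000007567000-memory.dmp",
    "memory/4492-232-0x0000000001AA0000-0x0000000004917000-memory.dmp",
    "memory/4492-233-0x0000000000840000-0x0000000001A94000-memory.dmp",
    "memory/4492-236-0x0000000001AA0000-0x0000000004917000-memory.dmp",
]


def parse_dump(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def matched_regions(names):
    """Return region sizes that occur in more than one process.

    The same region is often dumped several times (different seq numbers)
    as the process runs, so duplicates within one pid are collapsed first.
    A size shared by parent and child is the candidate transplanted payload:
    hollowing copies the injector's buffer into the target at a new base.
    """
    distinct = {}
    for name in names:
        d = parse_dump(name)
        distinct.setdefault((d["pid"], d["start"], d["end"]), d)

    by_size = defaultdict(list)
    for d in distinct.values():
        by_size[d["size"]].append(d)

    matches = []
    for size, regions in sorted(by_size.items()):
        pids = {r["pid"] for r in regions}
        if len(pids) > 1:
            matches.append({
                "size": size,
                "mib": round(size / 2**20, 1),
                "regions": sorted((r["pid"], r["start"]) for r in regions),
            })
    return matches


if __name__ == "__main__":
    for m in matched_regions(DUMPS):
        where = ", ".join(f"pid {p} @ {hex(s)}" for p, s in m["regions"])
        print(f"{m['mib']} MiB region shared by: {where}")
```

On this report it returns one match of 0x2E77000 bytes (46.5 MiB) at 0x046F0000 in PID 4072 and 0x01AA0000 in PID 4492; the 1.1MB, 4KB and 18.3MB dumps belong to one process each and are left out. The size match is a triage hint, not proof: confirm it by comparing the two dumps' bytes (or their entropy) before treating the child's copy as the unpacked payload.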