Analysis Overview
SHA256
3d8976fe6a79ea716fa15a77f0b6e301e1091fa1143cf1d4f558153ae259ab3f
Threat Level: Known bad
The file Halkbank_Ekstre_20201130_080203_744632.pdf.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Executes dropped EXE
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-30 20:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-30 20:33
Reported
2020-11-30 20:35
Platform
win7v20201028
Max time kernel
118s
Max time network
128s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe'
C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe
"C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 174.129.214.20:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mail.alfaomegaworld.com | udp |
| N/A | 108.179.242.107:587 | mail.alfaomegaworld.com | tcp |
Files
memory/756-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/756-3-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/756-5-0x0000000004220000-0x0000000004295000-memory.dmp
memory/756-6-0x0000000004C60000-0x0000000004CF8000-memory.dmp
memory/1140-7-0x0000000000000000-mapping.dmp
memory/1844-8-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 3d36aa7f359a25739328c42fc93c066c |
| SHA1 | 4169a307175422a61c337566088586e655287795 |
| SHA256 | 741218a8cb6da83889acd06702866d2178a2dff18a3d845d87ad04455d721e67 |
| SHA512 | 950fca92ae930cfcc4b5f1ab3d5c1c8e887c284d99c2308134fea2a128dce7bf6d6e933968d95e7e7d8f42614ed5150a78542090562e6feddd870c45bb99053e |
memory/756-13-0x0000000008550000-0x00000000085DD000-memory.dmp
memory/1140-12-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/756-9-0x0000000005B30000-0x0000000005B69000-memory.dmp
memory/1844-11-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/1844-14-0x0000000001E60000-0x0000000001E61000-memory.dmp
memory/1140-16-0x0000000004970000-0x0000000004971000-memory.dmp
memory/1140-18-0x0000000002540000-0x0000000002541000-memory.dmp
memory/1140-20-0x0000000002780000-0x0000000002781000-memory.dmp
memory/1140-24-0x0000000005670000-0x0000000005671000-memory.dmp
memory/1140-29-0x00000000060E0000-0x00000000060E1000-memory.dmp
memory/1140-30-0x00000000061D0000-0x00000000061D1000-memory.dmp
memory/1140-37-0x0000000006280000-0x0000000006281000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 5bb9d09571b0a31d7f3bd68ef2cf682e |
| SHA1 | 9eead4f2b9469edfe3abef0685629d86e130c056 |
| SHA256 | 4898300016ca212a2dbdd1ff79ede7855fa1601ac3c76da5b544cd58c8a4e445 |
| SHA512 | d6a60f433427756513efecd69b2df84c6488ea66740fd6175fa1630060c463eebd7e60fd3f05fb297b955f6dd40802622e64ba77178410289b2d8d398eb4cf05 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
| MD5 | b6d38f250ccc9003dd70efd3b778117f |
| SHA1 | d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a |
| SHA256 | 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265 |
| SHA512 | 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
| MD5 | 75a8da7754349b38d64c87c938545b1b |
| SHA1 | 5c28c257d51f1c1587e29164cc03ea880c21b417 |
| SHA256 | bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96 |
| SHA512 | 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
| MD5 | 02ff38ac870de39782aeee04d7b48231 |
| SHA1 | 0390d39fa216c9b0ecdb38238304e518fb2b5095 |
| SHA256 | fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876 |
| SHA512 | 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
| MD5 | df44874327d79bd75e4264cb8dc01811 |
| SHA1 | 1396b06debed65ea93c24998d244edebd3c0209d |
| SHA256 | 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181 |
| SHA512 | 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
| MD5 | 5e3c7184a75d42dda1a83606a45001d8 |
| SHA1 | 94ca15637721d88f30eb4b6220b805c5be0360ed |
| SHA256 | 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59 |
| SHA512 | fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b |
memory/1140-44-0x00000000055D0000-0x00000000055D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
| MD5 | be4d72095faf84233ac17b94744f7084 |
| SHA1 | cc78ce5b9c57573bd214a8f423ee622b00ebb1ec |
| SHA256 | b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc |
| SHA512 | 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097 |
memory/1140-60-0x0000000006300000-0x0000000006301000-memory.dmp
memory/1140-61-0x0000000006310000-0x0000000006311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe
| MD5 | 22edf95e75c23cf7ab5205ad218b49d0 |
| SHA1 | de6c5805ae4b05918fb3648a2342e218d5dde391 |
| SHA256 | c850e42dc39148eb85fbd99758a7cf72fa770099a88fd3eecf64172f2a83e658 |
| SHA512 | 02a4273856de3c40947afb3bb26ee7d541916a227698535a36b271bf5b4583a7a047623fc144ea2b772b09d89221e3d7a41cfcbf2bd6efb2777574d98b17f592 |
\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe
| MD5 | 22edf95e75c23cf7ab5205ad218b49d0 |
| SHA1 | de6c5805ae4b05918fb3648a2342e218d5dde391 |
| SHA256 | c850e42dc39148eb85fbd99758a7cf72fa770099a88fd3eecf64172f2a83e658 |
| SHA512 | 02a4273856de3c40947afb3bb26ee7d541916a227698535a36b271bf5b4583a7a047623fc144ea2b772b09d89221e3d7a41cfcbf2bd6efb2777574d98b17f592 |
memory/956-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe
| MD5 | 22edf95e75c23cf7ab5205ad218b49d0 |
| SHA1 | de6c5805ae4b05918fb3648a2342e218d5dde391 |
| SHA256 | c850e42dc39148eb85fbd99758a7cf72fa770099a88fd3eecf64172f2a83e658 |
| SHA512 | 02a4273856de3c40947afb3bb26ee7d541916a227698535a36b271bf5b4583a7a047623fc144ea2b772b09d89221e3d7a41cfcbf2bd6efb2777574d98b17f592 |
memory/956-66-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/956-67-0x0000000000B10000-0x0000000000B11000-memory.dmp
\Users\Admin\AppData\Local\Temp\Onvfyn_pi.exe
| MD5 | 22edf95e75c23cf7ab5205ad218b49d0 |
| SHA1 | de6c5805ae4b05918fb3648a2342e218d5dde391 |
| SHA256 | c850e42dc39148eb85fbd99758a7cf72fa770099a88fd3eecf64172f2a83e658 |
| SHA512 | 02a4273856de3c40947afb3bb26ee7d541916a227698535a36b271bf5b4583a7a047623fc144ea2b772b09d89221e3d7a41cfcbf2bd6efb2777574d98b17f592 |
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-30 20:33
Reported
2020-11-30 20:35
Platform
win10v20201028
Max time kernel
18s
Max time network
115s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4076 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4076 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4076 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20201130_080203_744632.pdf.exe'
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.8.21:443 | tcp |
Files
memory/4076-2-0x00000000739A0000-0x000000007408E000-memory.dmp
memory/4076-3-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/4076-5-0x0000000005890000-0x0000000005891000-memory.dmp
memory/4076-6-0x00000000052C0000-0x00000000052C1000-memory.dmp
memory/4076-7-0x0000000005370000-0x0000000005371000-memory.dmp
memory/4076-8-0x0000000006E00000-0x0000000006E75000-memory.dmp
memory/4076-9-0x0000000007620000-0x00000000076B8000-memory.dmp
memory/4076-10-0x0000000007930000-0x0000000007931000-memory.dmp
memory/2708-11-0x0000000000000000-mapping.dmp
memory/2708-12-0x0000000073A20000-0x000000007410E000-memory.dmp
memory/2708-13-0x0000000006CB0000-0x0000000006CB1000-memory.dmp
memory/2708-14-0x0000000007470000-0x0000000007471000-memory.dmp
memory/2708-15-0x00000000073D0000-0x00000000073D1000-memory.dmp
memory/2708-16-0x0000000007AA0000-0x0000000007AA1000-memory.dmp
memory/2708-18-0x0000000007DD0000-0x0000000007DD1000-memory.dmp
memory/2708-19-0x0000000007D30000-0x0000000007D31000-memory.dmp
memory/2708-20-0x00000000081E0000-0x00000000081E1000-memory.dmp
memory/2708-21-0x0000000008480000-0x0000000008481000-memory.dmp
memory/2708-22-0x0000000009BE0000-0x0000000009BE1000-memory.dmp
memory/2708-23-0x0000000009190000-0x0000000009191000-memory.dmp
memory/2708-24-0x0000000009560000-0x0000000009561000-memory.dmp
memory/2708-25-0x0000000007000000-0x0000000007001000-memory.dmp