Analysis Overview
SHA256
85729ea0b65a0a56b59f3e8ed961d4ce07f34804fb6b466b6d1c32e17cda4d8d
Threat Level: Known bad
The file Halkbank_Ekstre_20210111_074121_054441.pdf.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger
MassLogger Main Payload
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-01-11 08:55
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-01-11 08:55
Reported
2021-01-11 08:57
Platform
win10v20201028
Max time kernel
75s
Max time network
110s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1628 set thread context of 204 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe'
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20210111_074121_054441.pdf.exe.log
| MD5 | 90acfd72f14a512712b1a7380c0faf60 |
| SHA1 | 40ba4accb8faa75887e84fb8e38d598dc8cf0f12 |
| SHA256 | 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86 |
| SHA512 | 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9 |
Analysis: behavioral1
Detonation Overview
Submitted
2021-01-11 08:55
Reported
2021-01-11 08:57
Platform
win7v20201028
Max time kernel
73s
Max time network
131s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1756 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210111_074121_054441.pdf.exe'
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.225.66.103:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mail.turkaykalibrasyon.com | udp |
| N/A | 95.173.177.131:587 | mail.turkaykalibrasyon.com | tcp |
Files