Analysis Overview
SHA256
857f9ec55794e1c43321c0054bb3a6cee591fb04a07a62fbdfce2cc20e508a7a
Threat Level: Known bad
The file Halkbank_Ekstre_20210112_162325_384771.exe was found to be: Known bad.
Malicious Activity Summary
MassLogger Main Payload
MassLogger
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-01-12 07:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-01-12 07:19
Reported
2021-01-12 07:21
Platform
win7v20201028
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
Network
Files
memory/1748-2-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/1748-3-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1748-5-0x00000000002C0000-0x00000000002D2000-memory.dmp
memory/1748-6-0x0000000005890000-0x0000000005967000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-01-12 07:19
Reported
2021-01-12 07:21
Platform
win10v20201028
Max time kernel
128s
Max time network
131s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3988 set thread context of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210112_162325_384771.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 948
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
Files
memory/3988-2-0x00000000738E0000-0x0000000073FCE000-memory.dmp
memory/3988-3-0x0000000000900000-0x0000000000901000-memory.dmp
memory/3988-5-0x00000000052F0000-0x00000000052F1000-memory.dmp
memory/3988-6-0x0000000005890000-0x0000000005891000-memory.dmp
memory/3988-7-0x0000000005390000-0x0000000005391000-memory.dmp
memory/3988-8-0x0000000005270000-0x0000000005271000-memory.dmp
memory/3988-9-0x0000000005550000-0x0000000005551000-memory.dmp
memory/3988-10-0x0000000005280000-0x0000000005292000-memory.dmp
memory/3988-11-0x0000000006320000-0x00000000063F7000-memory.dmp
memory/1288-12-0x0000000000400000-0x000000000049E000-memory.dmp
memory/1288-13-0x000000000049862E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank_Ekstre_20210112_162325_384771.exe.log
| Hash | Value |
|---|---|
| MD5 | 90acfd72f14a512712b1a7380c0faf60 |
| SHA1 | 40ba4accb8faa75887e84fb8e38d598dc8cf0f12 |
| SHA256 | 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86 |
| SHA512 | 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9 |
memory/1288-15-0x00000000738E0000-0x0000000073FCE000-memory.dmp
memory/1004-18-0x0000000004480000-0x0000000004481000-memory.dmp