Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
21-10-2021 15:18
Static task
static1
Behavioral task
behavioral1
Sample
Halkbank_Ekstre_20211020_101606_507653.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
Halkbank_Ekstre_20211020_101606_507653.exe
Resource
win10-en-20211014
General
-
Target
Halkbank_Ekstre_20211020_101606_507653.exe
-
Size
48KB
-
MD5
1b21040231567a32423b79ea6e4765ca
-
SHA1
b2b30b5a57e6f8f1f36a385b691bd1f0e4bd57b3
-
SHA256
36b46699b20b4ce357b902c256b8bd938898c79fd0894741173dc67843ec1700
-
SHA512
2449041403ee540c4fb8007fdfbc40ab742f5698be391ad75a1f7aa3ae6756676457e8b1d0f582e25c6afa33b8449f65c2aab5069bcbd10f4907b8355ae4d27e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.vivaldi.net - Port:
587 - Username:
instigator@vivaldi.net - Password:
Davidchukwuka2016
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/948-89-0x0000000001120000-0x0000000001156000-memory.dmp family_agenttesla behavioral1/memory/556-91-0x00000000023E0000-0x000000000302A000-memory.dmp family_agenttesla -
Nirsoft 7 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe Nirsoft \Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe Nirsoft \Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe Nirsoft \Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
AdvancedRun.exeAdvancedRun.exepid process 1320 AdvancedRun.exe 1604 AdvancedRun.exe -
Loads dropped DLL 4 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exeAdvancedRun.exepid process 948 Halkbank_Ekstre_20211020_101606_507653.exe 948 Halkbank_Ekstre_20211020_101606_507653.exe 1320 AdvancedRun.exe 1320 AdvancedRun.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Halkbank_Ekstre_20211020_101606_507653.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" Halkbank_Ekstre_20211020_101606_507653.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features Halkbank_Ekstre_20211020_101606_507653.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211020_101606_507653.exe = "0" Halkbank_Ekstre_20211020_101606_507653.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions Halkbank_Ekstre_20211020_101606_507653.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\뽉뽫뽇뽎뾄뽺뽐뽯뽽뽐뽋뽍뽈뽉뽐\svchost.exe = "0" Halkbank_Ekstre_20211020_101606_507653.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection Halkbank_Ekstre_20211020_101606_507653.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Halkbank_Ekstre_20211020_101606_507653.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" Halkbank_Ekstre_20211020_101606_507653.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths Halkbank_Ekstre_20211020_101606_507653.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20211020_101606_507653.exe Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20211020_101606_507653.exe Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20211020_101606_507653.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\驲驳驅驉驅驸驳驅驚驄驄驃驇驄驊 = "C:\\Windows\\Cursors\\뽉뽫뽇뽎뾄뽺뽐뽯뽽뽐뽋뽍뽈뽉뽐\\svchost.exe" Halkbank_Ekstre_20211020_101606_507653.exe -
Drops file in Windows directory 2 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exedescription ioc process File created C:\Windows\Cursors\뽉뽫뽇뽎뾄뽺뽐뽯뽽뽐뽋뽍뽈뽉뽐\svchost.exe Halkbank_Ekstre_20211020_101606_507653.exe File opened for modification C:\Windows\Cursors\뽉뽫뽇뽎뾄뽺뽐뽯뽽뽐뽋뽍뽈뽉뽐\svchost.exe Halkbank_Ekstre_20211020_101606_507653.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exeHalkbank_Ekstre_20211020_101606_507653.exepid process 1320 AdvancedRun.exe 1320 AdvancedRun.exe 1604 AdvancedRun.exe 1604 AdvancedRun.exe 1540 powershell.exe 960 powershell.exe 1824 powershell.exe 556 powershell.exe 948 Halkbank_Ekstre_20211020_101606_507653.exe 948 Halkbank_Ekstre_20211020_101606_507653.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 948 Halkbank_Ekstre_20211020_101606_507653.exe Token: SeDebugPrivilege 1320 AdvancedRun.exe Token: SeImpersonatePrivilege 1320 AdvancedRun.exe Token: SeDebugPrivilege 1604 AdvancedRun.exe Token: SeImpersonatePrivilege 1604 AdvancedRun.exe Token: SeDebugPrivilege 1540 powershell.exe Token: SeDebugPrivilege 960 powershell.exe Token: SeDebugPrivilege 1824 powershell.exe Token: SeDebugPrivilege 556 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exeAdvancedRun.exedescription pid process target process PID 948 wrote to memory of 1824 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1824 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1824 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1824 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1540 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1540 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1540 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1540 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 960 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 960 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 960 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 960 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 1320 948 Halkbank_Ekstre_20211020_101606_507653.exe AdvancedRun.exe PID 948 wrote to memory of 1320 948 Halkbank_Ekstre_20211020_101606_507653.exe AdvancedRun.exe PID 948 wrote to memory of 1320 948 Halkbank_Ekstre_20211020_101606_507653.exe AdvancedRun.exe PID 948 wrote to memory of 1320 948 Halkbank_Ekstre_20211020_101606_507653.exe AdvancedRun.exe PID 1320 wrote to memory of 1604 1320 AdvancedRun.exe AdvancedRun.exe PID 1320 wrote to memory of 1604 1320 AdvancedRun.exe AdvancedRun.exe PID 1320 wrote to memory of 1604 1320 AdvancedRun.exe AdvancedRun.exe PID 1320 wrote to memory of 1604 1320 AdvancedRun.exe AdvancedRun.exe PID 948 wrote to memory of 556 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 556 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 556 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe PID 948 wrote to memory of 556 948 Halkbank_Ekstre_20211020_101606_507653.exe powershell.exe -
outlook_office_path 1 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20211020_101606_507653.exe -
outlook_win_path 1 IoCs
Processes:
Halkbank_Ekstre_20211020_101606_507653.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Halkbank_Ekstre_20211020_101606_507653.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211020_101606_507653.exe"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211020_101606_507653.exe"1⤵
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\뽉뽫뽇뽎뾄뽺뽐뽯뽽뽐뽋뽍뽈뽉뽐\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211020_101606_507653.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\뽉뽫뽇뽎뾄뽺뽐뽯뽽뽐뽋뽍뽈뽉뽐\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exe" /SpecialRun 4101d8 13203⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211020_101606_507653.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
b43ce162298c642003feeffd2788e501
SHA111f86b0b6ec32a08024cbef305e098f5edad4a73
SHA25681eb850e8c5643b078f3b6ede1cd83cf17a04ba2e4b459b3505bed4bff2dd4ff
SHA512aad92533cb2b497db061979192bb33d0d321f360065bea5b949b78886b31a8f5de53e78a77dc9ac796b6f142ed73fd132a0e2ba36ba07f56b21f29dbb9ba24f7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
b43ce162298c642003feeffd2788e501
SHA111f86b0b6ec32a08024cbef305e098f5edad4a73
SHA25681eb850e8c5643b078f3b6ede1cd83cf17a04ba2e4b459b3505bed4bff2dd4ff
SHA512aad92533cb2b497db061979192bb33d0d321f360065bea5b949b78886b31a8f5de53e78a77dc9ac796b6f142ed73fd132a0e2ba36ba07f56b21f29dbb9ba24f7
-
\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
\Users\Admin\AppData\Local\Temp\d3f41ba3-a411-4c04-8d2d-a265de6abcfa\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
memory/556-91-0x00000000023E0000-0x000000000302A000-memory.dmpFilesize
12.3MB
-
memory/556-87-0x0000000000000000-mapping.dmp
-
memory/948-57-0x0000000075D31000-0x0000000075D33000-memory.dmpFilesize
8KB
-
memory/948-59-0x0000000000590000-0x0000000000618000-memory.dmpFilesize
544KB
-
memory/948-55-0x0000000001210000-0x0000000001211000-memory.dmpFilesize
4KB
-
memory/948-89-0x0000000001120000-0x0000000001156000-memory.dmpFilesize
216KB
-
memory/948-58-0x0000000004710000-0x0000000004711000-memory.dmpFilesize
4KB
-
memory/960-82-0x0000000002441000-0x0000000002442000-memory.dmpFilesize
4KB
-
memory/960-63-0x0000000000000000-mapping.dmp
-
memory/960-78-0x0000000002440000-0x0000000002441000-memory.dmpFilesize
4KB
-
memory/960-84-0x0000000002442000-0x0000000002444000-memory.dmpFilesize
8KB
-
memory/1320-68-0x0000000000000000-mapping.dmp
-
memory/1540-85-0x00000000003E2000-0x00000000003E4000-memory.dmpFilesize
8KB
-
memory/1540-81-0x00000000003E1000-0x00000000003E2000-memory.dmpFilesize
4KB
-
memory/1540-79-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/1540-61-0x0000000000000000-mapping.dmp
-
memory/1604-75-0x0000000000000000-mapping.dmp
-
memory/1824-83-0x0000000002440000-0x000000000308A000-memory.dmpFilesize
12.3MB
-
memory/1824-80-0x0000000002440000-0x000000000308A000-memory.dmpFilesize
12.3MB
-
memory/1824-86-0x0000000002440000-0x000000000308A000-memory.dmpFilesize
12.3MB
-
memory/1824-60-0x0000000000000000-mapping.dmp