Analysis
- max time kernel: 132s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:22
Static task: static1
Behavioral task: behavioral1
- Sample: Halkbank,pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Halkbank,pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: Halkbank,pdf.exe
- Size: 893KB
- MD5: a7624902cc07011b5dadbcdd8267c9dc
- SHA1: 7d983b597b535d60123a773a1c40fcc14e0500b7
- SHA256: c0cb41070b74fa0e592f10c6d5312e55009f1cc884bd1c242591bc75c5f9e5eb
- SHA512: 64487fd6dd327d119fe52a79bd3b2ad602a2a5be418ae97bba71642e03f9e46347ef140c70826a2fbafca570817e798c2d76e93139f98f43c14a6f7208a3ebe9
Malware Config
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger Main Payload (9 IoCs)
  Processes (resource | yara_rule):
  behavioral1/memory/1156-62-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1156-63-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1156-64-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1156-65-0x000000000048173E-mapping.dmp | family_masslogger
  behavioral1/memory/1156-67-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1156-69-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1348-89-0x000000000048173E-mapping.dmp | family_masslogger
  behavioral1/memory/1348-92-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
  behavioral1/memory/1348-94-0x0000000000400000-0x0000000000486000-memory.dmp | family_masslogger
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  580 | vlc.exe
  1348 | vlc.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | vlc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | Halkbank,pdf.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  1948 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 35 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vlc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | vlc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vlc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | vlc.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  4 | api.ipify.org
  7 | api.ipify.org
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 1688 set thread context of 1156 | 1688 | Halkbank,pdf.exe | Halkbank,pdf.exe
  PID 580 set thread context of 1348 | 580 | vlc.exe | vlc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid | process):
  1572 | timeout.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
  1348 | vlc.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (count | pid | process):
  3 | 1688 | Halkbank,pdf.exe
  4 | 1156 | Halkbank,pdf.exe
  2 | 580 | vlc.exe
  4 | 1348 | vlc.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1688 | Halkbank,pdf.exe
  Token: SeDebugPrivilege | 1156 | Halkbank,pdf.exe
  Token: SeDebugPrivilege | 580 | vlc.exe
  Token: SeDebugPrivilege | 1348 | vlc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  1348 | vlc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (count | description | pid | process | target process):
  9 | PID 1688 wrote to memory of 1156 | 1688 | Halkbank,pdf.exe | Halkbank,pdf.exe
  4 | PID 1156 wrote to memory of 1952 | 1156 | Halkbank,pdf.exe | cmd.exe
  4 | PID 1156 wrote to memory of 1948 | 1156 | Halkbank,pdf.exe | cmd.exe
  4 | PID 1952 wrote to memory of 1784 | 1952 | cmd.exe | schtasks.exe
  4 | PID 1948 wrote to memory of 1572 | 1948 | cmd.exe | timeout.exe
  4 | PID 1948 wrote to memory of 580 | 1948 | cmd.exe | vlc.exe
  9 | PID 580 wrote to memory of 1348 | 580 | vlc.exe | vlc.exe
- outlook_office_path (1 IoCs)
  Processes (description | ioc | process):
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
- outlook_win_path (1 IoCs)
  Processes (description | ioc | process):
  Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | vlc.exe
Processes (process tree; nesting shows parent/child, level in parentheses)
- C:\Users\Admin\AppData\Local\Temp\Halkbank,pdf.exe (level 1, PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank,pdf.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Halkbank,pdf.exe (level 2, PID 1156)
    Command line: "{path}"
    Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 1952)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (level 4, PID 1784)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'
        Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 1948)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4BE0.tmp.bat""
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (level 4, PID 1572)
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe (level 4, PID 580)
        Command line: "C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe (level 5, PID 1348)
          Command line: "{path}"
          Signatures: Executes dropped EXE; Checks computer location settings; Accesses Microsoft Outlook profiles; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 156B
  MD5: 4606f52953f5230bfd03c9d37b31d738
  SHA1: a7fc83db7cd19eca8caa360efdaddf9e55ff9f0a
  SHA256: 0e59f186b98e27b7b62a2e78fb2585bc5c8e083df56594b2a63733a9f75476d5
  SHA512: af37fc55b87eea23352f8ea1b7f77ccf6bb19826ec20ceb122021d21bc5d2e114b04fbb300e034e8d8a04b03d15feaa620f6e4df3a90f683d1420d4a56ba016d
- Filesize: 893KB
  MD5: a7624902cc07011b5dadbcdd8267c9dc
  SHA1: 7d983b597b535d60123a773a1c40fcc14e0500b7
  SHA256: c0cb41070b74fa0e592f10c6d5312e55009f1cc884bd1c242591bc75c5f9e5eb
  SHA512: 64487fd6dd327d119fe52a79bd3b2ad602a2a5be418ae97bba71642e03f9e46347ef140c70826a2fbafca570817e798c2d76e93139f98f43c14a6f7208a3ebe9