1e2470cf5042f4ff269c98c7a33dd27ca36ddeed91d9fb18df591f40a2d18131

General

Target

Halkbank.pdf.exe
Size

720KB
MD5

da69ec614d0d3885c5a88cac8a75facd
SHA1

19508ae57240da4c9b69ed9bee3d74a4db6d4fe0
SHA256

1e2470cf5042f4ff269c98c7a33dd27ca36ddeed91d9fb18df591f40a2d18131
SHA512

00c456ef068b3f93a26a9b983f72ebbe1a98833eefec8571286aa1968ad5b34bad947d3f9647df53edbe13ccee7847890153523c7f9e4f8383e9311fe3fe0e49
SSDEEP

12288:yvV+s1bSQT6tjjdB4Y08uQcdcU00f2WCYO+DDQ6ZI7XpiKdPhBxz0AwPg3BqPPw4:ytCvuLf2YOjKI7kKhhBWA0IqPtfGH5er

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Control Panel\International\Geo\Nation	Halkbank.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 932	1384	Halkbank.pdf.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1384	Halkbank.pdf.exe
1384	Halkbank.pdf.exe
1384	Halkbank.pdf.exe
1384	Halkbank.pdf.exe
524	powershell.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe
932	Halkbank.pdf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	Halkbank.pdf.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	932	Halkbank.pdf.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 524	1384	Halkbank.pdf.exe	28
PID 1384 wrote to memory of 524	1384	Halkbank.pdf.exe	28
PID 1384 wrote to memory of 524	1384	Halkbank.pdf.exe	28
PID 1384 wrote to memory of 524	1384	Halkbank.pdf.exe	28
PID 1384 wrote to memory of 1768	1384	Halkbank.pdf.exe	30
PID 1384 wrote to memory of 1768	1384	Halkbank.pdf.exe	30
PID 1384 wrote to memory of 1768	1384	Halkbank.pdf.exe	30
PID 1384 wrote to memory of 1768	1384	Halkbank.pdf.exe	30
PID 1384 wrote to memory of 932	1384	Halkbank.pdf.exe	32
PID 1384 wrote to memory of 932	1384	Halkbank.pdf.exe	32
PID 1384 wrote to memory of 932	1384	Halkbank.pdf.exe	32
PID 1384 wrote to memory of 932	1384	Halkbank.pdf.exe	32
PID 1384 wrote to memory of 932	1384	Halkbank.pdf.exe	32
PID 1384 wrote to memory of 932	1384	Halkbank.pdf.exe	32
PID 1384 wrote to memory of 932	1384	Halkbank.pdf.exe	32

C:\Users\Admin\AppData\Local\Temp\Halkbank.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ouFPJorC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ouFPJorC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC60E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\Halkbank.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Halkbank.pdf.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC60E.tmp

Filesize
1KB

MD5
9160cd8f56aafd2973bccb7ba270b11c

SHA1
3c0b68a6c19885ca5635ec1cd3abc6ff506bd9cc

SHA256
735968304b93972c457aeccff3c312f5c93b50cab081ee29144ed128f8a047ab

SHA512
973e8a7270d118a0fe24c8aafede0a32773f133597aa610465b5204bf0096f6bd4ede3e8dc81b3f8dca10ebf611a69f9219adc13c2bb80e55af803c3f0fbdaea

Download Submit
memory/524-75-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/524-74-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/524-72-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/932-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/932-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-76-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1384-59-0x0000000000D20000-0x0000000000D96000-memory.dmp

Filesize
472KB

Download
memory/1384-58-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/1384-65-0x0000000004700000-0x000000000473E000-memory.dmp

Filesize
248KB

Download
memory/1384-54-0x0000000000FA0000-0x000000000105A000-memory.dmp

Filesize
744KB

Download
memory/1384-57-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/1384-56-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1384-55-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads