Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07-07-2020 10:02
Static task: static1
Behavioral task: behavioral1 (Sample: Ekstre.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: Ekstre.exe, Resource: win10)
General
- Target: Ekstre.exe
- Size: 499KB
- MD5: fe599cbeeae671dd2e7684bd0cce9289
- SHA1: 3b06b72d997fb3154d946e4f43b2e03977e96a92
- SHA256: 7369dcfec21741f712f75662e29752b6a55fcacd1fbf76b9948d40b82e89b9a0
- SHA512: a34118abba227266ecbcdffcc3c77701efcb1be6b67a2a6f1b770f7d253cfb5868f0309d4ee28ff7596f5bcd41b0502a8df8fda080633bf8bbae417639334d22
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Ekstre.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Ekstre.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Ekstre.exe
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes: Ekstre.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | Ekstre.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes: Ekstre.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | Ekstre.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: Ekstre.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Ekstre.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Ekstre.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes: Ekstre.exe, Ekstre.exe, msiexec.exe
  pid | process | occurrences
  1296 | Ekstre.exe | 3
  1772 | Ekstre.exe | 2
  760 | msiexec.exe | 19
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Processes: msiexec.exe
  description | ioc | process
  Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8PTXHFWXGV = "C:\\Program Files (x86)\\L8ptdb08\\autochk2d3.exe" | msiexec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes: msiexec.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msiexec.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Ekstre.exe, Ekstre.exe, msiexec.exe
  description | pid | process | target process
  PID 1296 set thread context of 1772 | 1296 | Ekstre.exe | Ekstre.exe
  PID 1772 set thread context of 1304 | 1772 | Ekstre.exe | Explorer.EXE
  PID 760 set thread context of 1304 | 760 | msiexec.exe | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Ekstre.exe, Ekstre.exe, msiexec.exe
  description | pid | process
  Token: SeDebugPrivilege | 1296 | Ekstre.exe
  Token: SeDebugPrivilege | 1772 | Ekstre.exe
  Token: SeDebugPrivilege | 760 | msiexec.exe
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: Ekstre.exe, msiexec.exe
  pid | process | occurrences
  1772 | Ekstre.exe | 3
  760 | msiexec.exe | 4
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: Explorer.EXE
  pid | process | occurrences
  1304 | Explorer.EXE | 4
- Drops file in Program Files directory (1 IoC)
  Processes: msiexec.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\L8ptdb08\autochk2d3.exe | msiexec.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: Ekstre.exe, Explorer.EXE, msiexec.exe
  description | pid | process | target process | occurrences
  PID 1296 wrote to memory of 1792 | 1296 | Ekstre.exe | Ekstre.exe | 4
  PID 1296 wrote to memory of 1772 | 1296 | Ekstre.exe | Ekstre.exe | 7
  PID 1304 wrote to memory of 760 | 1304 | Explorer.EXE | msiexec.exe | 7
  PID 760 wrote to memory of 1000 | 760 | msiexec.exe | cmd.exe | 4
  PID 760 wrote to memory of 1900 | 760 | msiexec.exe | Firefox.exe | 5
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE
  pid | process | occurrences
  1304 | Explorer.EXE | 4
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid | process
  1000 | cmd.exe
Processes
- C:\Windows\Explorer.EXE (PID 1304, level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\Ekstre.exe (PID 1296, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ekstre.exe"
    - Checks BIOS information in registry
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Ekstre.exe (PID 1792, level 3)
      Command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\Ekstre.exe (PID 1772, level 3)
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\msiexec.exe (PID 760, level 2)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to start application
    - Modifies Internet Explorer settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1000, level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ekstre.exe"
      - Deletes itself
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1900, level 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"