Analysis

max time kernel: 149s
max time network: 153s
platform: windows10_x64
resource: win10
submitted: 07-07-2020 10:02

Static task: static1
Behavioral task: behavioral1
  Sample: Ekstre.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: Ekstre.exe
  Resource: win10

General

Target: Ekstre.exe
Size: 499KB
MD5: fe599cbeeae671dd2e7684bd0cce9289
SHA1: 3b06b72d997fb3154d946e4f43b2e03977e96a92
SHA256: 7369dcfec21741f712f75662e29752b6a55fcacd1fbf76b9948d40b82e89b9a0
SHA512: a34118abba227266ecbcdffcc3c77701efcb1be6b67a2a6f1b770f7d253cfb5868f0309d4ee28ff7596f5bcd41b0502a8df8fda080633bf8bbae417639334d22
Malware Config

Signatures

Modifies Internet Explorer settings
Processes: msiexec.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msiexec.exe

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Maps connected drives based on registry  3 TTPs, 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: Ekstre.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Ekstre.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | Ekstre.exe

System policy modification  1 TTPs, 1 IoCs
Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | msiexec.exe

Suspicious use of WriteProcessMemory  18 IoCs
Processes: Ekstre.exe, Explorer.EXE, msiexec.exe
  description | pid | process | target process
  PID 3920 wrote to memory of 3176 | 3920 | Ekstre.exe | Ekstre.exe  (6 entries)
  PID 2988 wrote to memory of 2556 | 2988 | Explorer.EXE | msiexec.exe  (3 entries)
  PID 2556 wrote to memory of 732 | 2556 | msiexec.exe | cmd.exe  (3 entries)
  PID 2556 wrote to memory of 1732 | 2556 | msiexec.exe | cmd.exe  (3 entries)
  PID 2556 wrote to memory of 2088 | 2556 | msiexec.exe | Firefox.exe  (3 entries)

Suspicious behavior: MapViewOfSection  8 IoCs
Processes: Ekstre.exe, msiexec.exe
  pid | process
  3176 | Ekstre.exe  (4 entries)
  2556 | msiexec.exe  (4 entries)

Suspicious use of SetThreadContext  4 IoCs
Processes: Ekstre.exe, Ekstre.exe, msiexec.exe
  description | pid | process | target process
  PID 3920 set thread context of 3176 | 3920 | Ekstre.exe | Ekstre.exe
  PID 3176 set thread context of 2988 | 3176 | Ekstre.exe | Explorer.EXE  (2 entries)
  PID 2556 set thread context of 2988 | 2556 | msiexec.exe | Explorer.EXE

Adds Run entry to policy start application  2 TTPs, 2 IoCs
Processes: msiexec.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2DJD4RBPUBOT = "C:\\Program Files (x86)\\Hbpx\\helpwrqlmdix.exe" | msiexec.exe

Drops file in Program Files directory  1 IoCs
Processes: msiexec.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Hbpx\helpwrqlmdix.exe | msiexec.exe

Checks BIOS information in registry  2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Ekstre.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Ekstre.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Ekstre.exe

Looks for VMWare Tools registry key  2 TTPs, 1 IoCs
Processes: Ekstre.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | Ekstre.exe

Suspicious behavior: EnumeratesProcesses  42 IoCs
Processes: Ekstre.exe, msiexec.exe
  pid | process
  3176 | Ekstre.exe  (6 entries)
  2556 | msiexec.exe  (36 entries)

Suspicious use of AdjustPrivilegeToken  10 IoCs
Processes: Ekstre.exe, msiexec.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 3176 | Ekstre.exe
  Token: SeDebugPrivilege | 2556 | msiexec.exe
  Token: SeShutdownPrivilege | 2988 | Explorer.EXE  (4 entries)
  Token: SeCreatePagefilePrivilege | 2988 | Explorer.EXE  (4 entries)

Looks for VirtualBox Guest Additions in registry  2 TTPs, 1 IoCs
Processes: Ekstre.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | Ekstre.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  PID: 2988

  C:\Users\Admin\AppData\Local\Temp\Ekstre.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ekstre.exe"
    - Maps connected drives based on registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Checks BIOS information in registry
    - Looks for VMWare Tools registry key
    - Looks for VirtualBox Guest Additions in registry
    PID: 3920

    C:\Users\Admin\AppData\Local\Temp\Ekstre.exe
      Command line: "{path}"
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3176

  C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Modifies Internet Explorer settings
    - System policy modification
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Adds Run entry to policy start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2556

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ekstre.exe"
      PID: 732

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      PID: 1732

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 2088