Overview

overview

10

Static

static

1

ekstre_pdf.exe

windows7-x64

10

ekstre_pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-04-2023 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ekstre_pdf.exe

  • Size

    308KB

  • MD5

    a37dc47f86e84e5d0d2e6414c3cd5272

  • SHA1

    7c9a14ff443cc5de805200d6bcc750d64fb4b677

  • SHA256

    5902402fafb4be22faca64535718137ce5afd70004a14657daa9e7c6c3240feb

  • SHA512

    5f7cae8e6dc0f6d35c56ec212943359d78ae792f6dcbd8eb5987c1d8e020c49befa23951788fda56550ca83b05a478c7fbbc0c6178c9b1830b6050741a7638a3

  • SSDEEP

    6144:XhtyHU2Gthj3FRzxZckklMg0GGOvGmADclkMo6xkHwQEel:Xh4G9NxWBZ0VOvGm+cpRxg/Eel

Score
10/10
formbookguloadermi94downloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi94

Decoy

realdigitalmarketing.co.uk

athle91.com

zetuinteriors.africa

jewelry2adore.biz

sneakersuomo.com

hotcoa.com

bestpetfinds.com

elatedfreedom.com

louisegoulet.com

licensescape.com

jenniferfalconerrealtor.com

xqan.net

textare.net

doctorlinkscsk.link

bizformspro.com

ameriealthcaritasfl.com

hanfengmeiye.com

anjin98.com

credit-cards-54889.com

dinero.news

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4680
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe"
        3⤵
          PID:4348

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsz6E8E.tmp\System.dll
      Filesize

      12KB

      MD5

      d968cb2b98b83c03a9f02dd9b8df97dc

      SHA1

      d784c9b7a92dce58a5038beb62a48ff509e166a0

      SHA256

      a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

      SHA512

      2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\DORME.ini
      Filesize

      31B

      MD5

      3000f7f0f12b7139ea28160c52098e25

      SHA1

      9d032395f38d341881019b996e591160d542054b

      SHA256

      467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

      SHA512

      a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

      Download Submit
    • memory/432-159-0x0000000004630000-0x0000000006B01000-memory.dmp
      Filesize

      36.8MB

      Download
    • memory/432-160-0x0000000004630000-0x0000000006B01000-memory.dmp
      Filesize

      36.8MB

      Download
    • memory/2356-175-0x00000000010E0000-0x000000000142A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2356-178-0x0000000000E50000-0x0000000000EE4000-memory.dmp
      Filesize

      592KB

      Download
    • memory/2356-176-0x0000000000900000-0x000000000092F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2356-172-0x0000000000420000-0x000000000042B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2356-174-0x0000000000900000-0x000000000092F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2356-170-0x0000000000420000-0x000000000042B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3172-180-0x0000000008590000-0x0000000008685000-memory.dmp
      Filesize

      980KB

      Download
    • memory/3172-179-0x0000000008590000-0x0000000008685000-memory.dmp
      Filesize

      980KB

      Download
    • memory/3172-182-0x0000000008590000-0x0000000008685000-memory.dmp
      Filesize

      980KB

      Download
    • memory/3172-169-0x0000000007E30000-0x0000000007FB2000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4680-167-0x0000000033F80000-0x00000000342CA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4680-171-0x0000000001660000-0x0000000003B31000-memory.dmp
      Filesize

      36.8MB

      Download
    • memory/4680-168-0x00000000000D0000-0x00000000000E5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/4680-166-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/4680-165-0x0000000001660000-0x0000000003B31000-memory.dmp
      Filesize

      36.8MB

      Download
    • memory/4680-164-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/4680-163-0x0000000001660000-0x0000000003B31000-memory.dmp
      Filesize

      36.8MB

      Download
    • memory/4680-162-0x0000000001660000-0x0000000003B31000-memory.dmp
      Filesize

      36.8MB

      Download
    • memory/4680-161-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download