Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-04-2023 06:49
Static task: static1
Behavioral task: behavioral1
Sample: ekstre_pdf.exe
Resource: win7-20230220-en
General
Target: ekstre_pdf.exe
Size: 308KB
MD5: a37dc47f86e84e5d0d2e6414c3cd5272
SHA1: 7c9a14ff443cc5de805200d6bcc750d64fb4b677
SHA256: 5902402fafb4be22faca64535718137ce5afd70004a14657daa9e7c6c3240feb
SHA512: 5f7cae8e6dc0f6d35c56ec212943359d78ae792f6dcbd8eb5987c1d8e020c49befa23951788fda56550ca83b05a478c7fbbc0c6178c9b1830b6050741a7638a3
SSDEEP: 6144:XhtyHU2Gthj3FRzxZckklMg0GGOvGmADclkMo6xkHwQEel:Xh4G9NxWBZ0VOvGm+cpRxg/Eel
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mi94
Domains:
realdigitalmarketing.co.uk
athle91.com
zetuinteriors.africa
jewelry2adore.biz
sneakersuomo.com
hotcoa.com
bestpetfinds.com
elatedfreedom.com
louisegoulet.com
licensescape.com
jenniferfalconerrealtor.com
xqan.net
textare.net
doctorlinkscsk.link
bizformspro.com
ameriealthcaritasfl.com
hanfengmeiye.com
anjin98.com
credit-cards-54889.com
dinero.news
naijastudy.africa
cursosweb22.online
furniture-61686.com
furniture-42269.com
emiu6696.com
herhustlenation.com
kevinjasperinc.africa
hear-aid-92727.com
goodlifeprojectofficial.com
freshteak.com
bellvaniamail.com
peterslawonline.com
analogfair.com
fornettobarbecues.com
6880365.com
couragetokingdom.com
luivix.online
3ay82.xyz
tmcgroup.africa
canadianbreederprogram.com
funtime28.online
customcarpentry.uk
anotherworldrecord.com
aux100000epices.com
edelman-production.com
honorproduct.com
danuzioneto.com
iltuosentiero.com
healthinsurancearena.com
hunterboots--canada.com
irestoreart.com
lapalmaaccesible.com
khbmfbank.africa
laxmi.digital
leqidt.tax
fluffyjet.online
chuckclouds.com
bril-kre-l25.buzz
centracul.online
legacyengravers.com
guesstheword.net
ded-morozvrn.online
lemonga.com
crrgbb.com
crosswalkconsulting.co.uk
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Formbook payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/4680-164-0x0000000000400000-0x0000000001654000-memory.dmp  formbook
behavioral2/memory/4680-166-0x0000000000400000-0x0000000001654000-memory.dmp  formbook
behavioral2/memory/2356-174-0x0000000000900000-0x000000000092F000-memory.dmp  formbook
behavioral2/memory/2356-176-0x0000000000900000-0x000000000092F000-memory.dmp  formbook
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
description              ioc                                    process
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   ekstre_pdf.exe
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe   ekstre_pdf.exe
Loads dropped DLL 1 IoCs
Processes:
pid   process
432   ekstre_pdf.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid   process
4680  ekstre_pdf.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid   process
432   ekstre_pdf.exe
4680  ekstre_pdf.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process         target process
PID 432 set thread context of 4680   432   ekstre_pdf.exe  ekstre_pdf.exe
PID 4680 set thread context of 3172  4680  ekstre_pdf.exe  Explorer.EXE
PID 2356 set thread context of 3172  2356  NETSTAT.EXE     Explorer.EXE
Drops file in Windows directory 1 IoCs
Processes:
description                   ioc                                                                      process
File opened for modification  C:\Windows\resources\Fortalelserne\Wisconsinites\Ubeslutsomt.Her         ekstre_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid   process
2356  NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
pid   process         entries
4680  ekstre_pdf.exe  4
2356  NETSTAT.EXE     36
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3172  Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process         entries
432   ekstre_pdf.exe  1
4680  ekstre_pdf.exe  3
2356  NETSTAT.EXE     2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4680  ekstre_pdf.exe
Token: SeDebugPrivilege  2356  NETSTAT.EXE
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                         pid   process         target process  entries
PID 432 wrote to memory of 4680     432   ekstre_pdf.exe  ekstre_pdf.exe  4
PID 3172 wrote to memory of 2356    3172  Explorer.EXE    NETSTAT.EXE     3
PID 2356 wrote to memory of 4348    2356  NETSTAT.EXE     cmd.exe         3
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe"
          - Checks QEMU agent file
          - Suspicious use of NtCreateThreadExHideFromDebugger
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\NETSTAT.EXE
      Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ekstre_pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nsz6E8E.tmp\System.dll
  Filesize: 12KB
  MD5: d968cb2b98b83c03a9f02dd9b8df97dc
  SHA1: d784c9b7a92dce58a5038beb62a48ff509e166a0
  SHA256: a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
  SHA512: 2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

C:\Users\Admin\AppData\Roaming\DORME.ini
  Filesize: 31B
  MD5: 3000f7f0f12b7139ea28160c52098e25
  SHA1: 9d032395f38d341881019b996e591160d542054b
  SHA256: 467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
  SHA512: a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2
memory/432-159-0x0000000004630000-0x0000000006B01000-memory.dmp   Filesize: 36.8MB
memory/432-160-0x0000000004630000-0x0000000006B01000-memory.dmp   Filesize: 36.8MB
memory/2356-175-0x00000000010E0000-0x000000000142A000-memory.dmp  Filesize: 3.3MB
memory/2356-178-0x0000000000E50000-0x0000000000EE4000-memory.dmp  Filesize: 592KB
memory/2356-176-0x0000000000900000-0x000000000092F000-memory.dmp  Filesize: 188KB
memory/2356-172-0x0000000000420000-0x000000000042B000-memory.dmp  Filesize: 44KB
memory/2356-174-0x0000000000900000-0x000000000092F000-memory.dmp  Filesize: 188KB
memory/2356-170-0x0000000000420000-0x000000000042B000-memory.dmp  Filesize: 44KB
memory/3172-180-0x0000000008590000-0x0000000008685000-memory.dmp  Filesize: 980KB
memory/3172-179-0x0000000008590000-0x0000000008685000-memory.dmp  Filesize: 980KB
memory/3172-182-0x0000000008590000-0x0000000008685000-memory.dmp  Filesize: 980KB
memory/3172-169-0x0000000007E30000-0x0000000007FB2000-memory.dmp  Filesize: 1.5MB
memory/4680-167-0x0000000033F80000-0x00000000342CA000-memory.dmp  Filesize: 3.3MB
memory/4680-171-0x0000000001660000-0x0000000003B31000-memory.dmp  Filesize: 36.8MB
memory/4680-168-0x00000000000D0000-0x00000000000E5000-memory.dmp  Filesize: 84KB
memory/4680-166-0x0000000000400000-0x0000000001654000-memory.dmp  Filesize: 18.3MB
memory/4680-165-0x0000000001660000-0x0000000003B31000-memory.dmp  Filesize: 36.8MB
memory/4680-164-0x0000000000400000-0x0000000001654000-memory.dmp  Filesize: 18.3MB
memory/4680-163-0x0000000001660000-0x0000000003B31000-memory.dmp  Filesize: 36.8MB
memory/4680-162-0x0000000001660000-0x0000000003B31000-memory.dmp  Filesize: 36.8MB
memory/4680-161-0x0000000000400000-0x0000000001654000-memory.dmp  Filesize: 18.3MB