Analysis

max time kernel: 145s
max time network: 136s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 24-12-2024 18:33
Static task: static1

Behavioral task behavioral1
    Sample: 19.10.2022-21.10.2022 Ekstre.exe
    Resource: win7-20240903-en

Behavioral task behavioral2
    Sample: 19.10.2022-21.10.2022 Ekstre.exe
    Resource: win10v2004-20241007-en

Behavioral task behavioral3
    Sample: oujsjnpvzn.exe
    Resource: win7-20241010-en

Behavioral task behavioral4
    Sample: oujsjnpvzn.exe
    Resource: win10v2004-20241007-en
General

Target: 19.10.2022-21.10.2022 Ekstre.exe
Size: 254KB
MD5: acb287f5d33a3bec62620ef511cd3e6a
SHA1: 975cec902942585321f353e27d41f7dc4bf5b1f5
SHA256: 622fcde32b89e9dce35b3513aec205891045470cb1111cf1c88f939cd10065fb
SHA512: 8041d5d84098881f1051b66322726ef79718334b766e062b139ed11cfdd622c1b498e110954cd56af74bdefda40b676afb496f4b2c3264dc44384fb64221d23e
SSDEEP: 6144:mbE/HUbHvDIgYx2yMlMdhpE63mj1CRK/dt1ImTXfGaW9:mb/HMylMdhnWj1C/WM9
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign ID: oy10
Domains (a Formbook config embeds its live C2 among a list of decoy domains; the report does not mark which entry is live, so treat the whole list as IoCs):
wzwanju.com
vaultnutrition.info
propane-gallon.site
balkanmetin2.com
costa-del-sol.email
kayodeokikiolu.com
singlesshirts.com
nearestfoods.com
trenddetail.com
yihaimaidan.net
dfdr3r.site
tuitionmatters.co.uk
benglas.online
coloraja.xyz
tianzicheng.com
lamkt.com
dileca.com
6698856.com
vishi.store
ablehair.com
superios.life
jsmultimedia.com
deadstone.store
specialtyhall.com
jurongchuan.top
kitchenservice.xyz
thediverseinvestor.com
081206.com
willdevphotography.co.uk
betsportsvt.com
nariaex.com
hronestop.net
allsecurityhub.com
altamira.info
mkba.store
packmidias.site
shunft.xyz
alison-winter.com
under-storey.co.uk
jet-india.com
chinagq.net
taprotek.online
spedizionepacchi.com
flowscreedsmanchester.online
chovaytiengop.info
91508.uk
safe365.cloud
flightrepay.co.uk
jokamet.info
asesoriaalicante.pro
hqxr2019.com
alastar.online
automatemyproperty.com
loyaltyovermoneyllc.biz
asperity.sbs
empiron.online
oojaaa.com
daileyduo.com
sxtarena.com
anpost.life
acquybuuphat.com
rautarasti.info
bigboss-digital.com
i-signal.info
rallingslaw.com
Signatures

Formbook family

Formbook payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/2696-19-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
    behavioral1/memory/2244-24-0x0000000000070000-0x000000000009F000-memory.dmp   formbook

Executes dropped EXE (2 IoCs)
    pid    Process
    2712   oujsjnpvzn.exe
    2912   oujsjnpvzn.exe

Loads dropped DLL (4 IoCs)
    pid    Process
    2092   19.10.2022-21.10.2022 Ekstre.exe
    2712   oujsjnpvzn.exe
    2712   oujsjnpvzn.exe
    2696   oujsjnpvzn.exe

Suspicious use of SetThreadContext (3 IoCs)
    description                            pid    Process          procid_target
    PID 2712 set thread context of 2696    2712   oujsjnpvzn.exe   33
    PID 2696 set thread context of 1184    2696   oujsjnpvzn.exe   21
    PID 2244 set thread context of 1184    2244   cscript.exe      21

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description   ioc                                                           Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   19.10.2022-21.10.2022 Ekstre.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   oujsjnpvzn.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cscript.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs; repeated rows collapsed, count in the last column)
    pid    Process          hits
    2696   oujsjnpvzn.exe   2
    2244   cscript.exe      29

Suspicious behavior: MapViewOfSection (5 IoCs; repeated rows collapsed)
    pid    Process          hits
    2696   oujsjnpvzn.exe   3
    2244   cscript.exe      2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid    Process
    Token: SeDebugPrivilege  2696   oujsjnpvzn.exe
    Token: SeDebugPrivilege  2244   cscript.exe

Suspicious use of WriteProcessMemory (21 IoCs; repeated rows collapsed, count in the last column)
    description                         pid    Process                            procid_target   hits
    PID 2092 wrote to memory of 2712    2092   19.10.2022-21.10.2022 Ekstre.exe   30              4
    PID 2712 wrote to memory of 2912    2712   oujsjnpvzn.exe                     32              4
    PID 2712 wrote to memory of 2696    2712   oujsjnpvzn.exe                     33              5
    PID 1184 wrote to memory of 2244    1184   Explorer.EXE                       34              4
    PID 2244 wrote to memory of 2764    2244   cscript.exe                        35              4
Processes

C:\Windows\Explorer.EXE (PID 1184)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\19.10.2022-21.10.2022 Ekstre.exe (PID 2092, parent 1184)
        command line: "C:\Users\Admin\AppData\Local\Temp\19.10.2022-21.10.2022 Ekstre.exe"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\oujsjnpvzn.exe (PID 2712, parent 2092)
            command line: "C:\Users\Admin\AppData\Local\Temp\oujsjnpvzn.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\oujsjnpvzn.exe (PID 2912, parent 2712)
                command line: "C:\Users\Admin\AppData\Local\Temp\oujsjnpvzn.exe"
                - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\oujsjnpvzn.exe (PID 2696, parent 2712)
                command line: "C:\Users\Admin\AppData\Local\Temp\oujsjnpvzn.exe"
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cscript.exe (PID 2244, parent 1184)
        command line: "C:\Windows\SysWOW64\cscript.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 2764, parent 2244)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\oujsjnpvzn.exe"
            - System Location Discovery: System Language Discovery
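The process tree and the WriteProcessMemory / SetThreadContext tables together describe the Formbook execution chain: the dropper runs the dropped oujsjnpvzn.exe, which spawns a second copy of itself and hollows it (write memory, then set thread context), the hollowed copy pivots into Explorer.EXE by setting the context of one of its threads, Explorer then spawns a 32-bit cscript.exe with no arguments that hosts the payload, and that cscript.exe spawns cmd.exe to delete the dropped file. The script below is an added example, not part of the sandbox report or its tooling: it transcribes those tables into constructed records (repeated rows collapsed to one event each) and runs four detection rules over them. The record layout, the rule names and the LOLBin list are assumptions of this example, not the sandbox's schema.

```python
"""Correlate sandbox process/injection events into detection findings.

Added example: PROCESSES and EVENTS are constructed by hand from the
report's process tree and its WriteProcessMemory / SetThreadContext
tables. Field names, rule names and LOLBINS are this example's own.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Process(NamedTuple):
    pid: int
    image: str
    ppid: Optional[int]
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree: pid, image, parent pid, command line.
PROCESSES: Dict[int, Process] = {p.pid: p for p in [
    Process(1184, "Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    Process(2092, "19.10.2022-21.10.2022 Ekstre.exe", 1184,
            f'"{TEMP}\\19.10.2022-21.10.2022 Ekstre.exe"'),
    Process(2712, "oujsjnpvzn.exe", 2092, f'"{TEMP}\\oujsjnpvzn.exe"'),
    Process(2912, "oujsjnpvzn.exe", 2712, f'"{TEMP}\\oujsjnpvzn.exe"'),
    Process(2696, "oujsjnpvzn.exe", 2712, f'"{TEMP}\\oujsjnpvzn.exe"'),
    Process(2244, "cscript.exe", 1184, r'"C:\Windows\SysWOW64\cscript.exe"'),
    Process(2764, "cmd.exe", 2244, f'/c del "{TEMP}\\oujsjnpvzn.exe"'),
]}

# Constructed from the report's signature tables: (api, caller pid, target pid).
EVENTS: List[Tuple[str, int, int]] = [
    ("WriteProcessMemory", 2092, 2712),
    ("WriteProcessMemory", 2712, 2912),
    ("WriteProcessMemory", 2712, 2696),
    ("SetThreadContext", 2712, 2696),
    ("SetThreadContext", 2696, 1184),
    ("WriteProcessMemory", 1184, 2244),
    ("SetThreadContext", 2244, 1184),
    ("WriteProcessMemory", 2244, 2764),
]

# Script hosts commonly abused as injection targets (assumption of this example).
LOLBINS = {"cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# "del" with optional switches and an optionally quoted path, at end of line.
DEL_RE = re.compile(r'\bdel\s+(?:/\w\s+)*"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def split_cmdline(cmdline: str) -> Tuple[str, str]:
    """Return (program, arguments); the program token may be double-quoted."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline, ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def self_hollowing(procs: Dict[int, Process], events) -> List[Tuple[int, int]]:
    """Parent writes into a child of its own image AND sets its thread context.

    WriteProcessMemory alone is not enough: a normal CreateProcess also writes
    into the new child (its process parameters), so the rule needs both APIs.
    """
    wrote = {(s, t) for api, s, t in events if api == "WriteProcessMemory"}
    hits = []
    for api, s, t in events:
        if api != "SetThreadContext" or s not in procs or t not in procs:
            continue
        parent, child = procs[s], procs[t]
        if child.ppid == s and child.image.lower() == parent.image.lower() and (s, t) in wrote:
            hits.append((s, t))
    return hits


def thread_hijacks_into_unrelated(procs: Dict[int, Process], events) -> List[Tuple[int, int]]:
    """SetThreadContext on a process the caller did not create (here: Explorer.EXE)."""
    return [(s, t) for api, s, t in events
            if api == "SetThreadContext" and t in procs and procs[t].ppid != s]


def explorer_spawned_lolbin_without_args(procs: Dict[int, Process]) -> List[int]:
    """Explorer launching a script host with an empty command line.

    A user double-clicking a .vbs yields a cscript.exe WITH a script path;
    an argument-less cscript.exe normally just prints usage and exits, so
    one that stays alive under Explorer is an injection host.
    """
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent and parent.image.lower() == "explorer.exe" and p.image.lower() in LOLBINS:
            if not split_cmdline(p.cmdline)[1]:
                hits.append(p.pid)
    return hits


def self_deletion(procs: Dict[int, Process]) -> List[Tuple[int, str, List[int]]]:
    """cmd.exe deleting a path that some other process in the tree ran from."""
    hits = []
    for p in procs.values():
        m = DEL_RE.search(p.cmdline) if p.image.lower() == "cmd.exe" else None
        if not m:
            continue
        path = m.group("path")
        victims = sorted(q.pid for q in procs.values()
                         if q.pid != p.pid and split_cmdline(q.cmdline)[0].lower() == path.lower())
        if victims:
            hits.append((p.pid, path, victims))
    return hits


def findings(procs=PROCESSES, events=EVENTS) -> Dict[str, list]:
    return {
        "self_hollowing": self_hollowing(procs, events),
        "thread_hijack_into_unrelated": thread_hijacks_into_unrelated(procs, events),
        "explorer_lolbin_no_args": explorer_spawned_lolbin_without_args(procs),
        "self_deletion": self_deletion(procs),
    }


if __name__ == "__main__":
    for rule, hits in findings().items():
        print(f"{rule}: {hits}")
```

On the report's data the rules fire on 2712 hollowing 2696, on 2696 and 2244 each setting a thread context inside Explorer.EXE (PID 1184, which neither of them created), on the argument-less SysWOW64\cscript.exe (PID 2244) under Explorer, and on cmd.exe (PID 2764) deleting the path that PIDs 2712, 2912 and 2696 ran from. The first spawned copy, PID 2912, is written to but never has its thread context set, so the hollowing rule deliberately ignores it. Sysmon event ID 8 (CreateRemoteThread) will not see a SetThreadContext pivot; on a real host the equivalent telemetry is an EDR's thread-context or "process access with THREAD_SET_CONTEXT" event, plus the parent/child and command-line checks shown here.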
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: df0d19c758434ec79b2df3ed6b051a63
SHA1: 46d2da8bfccfe08abe80ca3b061d8fb2dcceed69
SHA256: f4db6669e8ee95be76030c8bc895c8dd91897afe74af9a3c2a90dd098ede89ae
SHA512: 7091c98f0b86e6db0640a7751778e283a523be1ad5e174c2a74ea4c92e4b92c4f042317c32fa751764ecca94a55dd097aa769aab563e4f9b4a13373e7fdbf5ee

Filesize: 185KB
MD5: a673c10951267a6553631dace3a24cfb
SHA1: 07f38a7a0ea1c4677c62fb85e6fb758875c0089b
SHA256: 4fe1118d5bcb9ae4cb1204f4d411e792516b48c341a65c7d7a7e742560e379f3
SHA512: c7035f44a84398ce2d2668322efc950a838daefb2ef2ce6b6b007470a7347ad0ac62e99883a090c7ef20d93fdf7ab6bcaa42bd19152068808b966bd92d6123cf

Filesize: 58KB
MD5: a53bf35dd3f2a0ece1babdf99d98ddb7
SHA1: 866e4d1315486d4f792e03449def24bf48fba2f5
SHA256: f27f1c46335ed31550b8fd38781e85fd498edaf77ffc7fdea7b32f044c5cc26d
SHA512: f0ea778f032871260b891116e880c1814a7eeb512b4f649c8a3d355109aed9858128477a8d2c1d12dac5ace5be74879dfd590b9959c309ce67d1879828f679f2