Analysis
max time kernel: 187s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 19:54
Behavioral tasks
behavioral1: sample Extreme Injector.v3.7.2.-.by.master131.exe, resource win7-20220812-en
behavioral2: sample Extreme Injector.v3.7.2.-.by.master131.exe, resource win10v2004-20221111-en
The signatures and process listing below come from the win10v2004-20221111-en run (behavioral2), the resource named in the Analysis block above.
General
Target: Extreme Injector.v3.7.2.-.by.master131.exe
Size: 174KB
MD5: f40ed39309831ba693ab389aa1dc5b56
SHA1: 80044850f09949adb5c83a42f4e58158f98f10dc
SHA256: ec42e0369da6a7296ab3dfadd47b61b857c626e1181333089851ffb088e76740
SHA512: a409bbc9e2c3502ab6a792f1194366208535bac4abf634a1f161262b41b144fb9b7fc95b10fa294f79c615b542b47f51bd9b253752cc0c876335baaf82eb746e
SSDEEP: 1536:+3ZdeRqxoZ+gRJNJoLNAgV5sM7gSA+z874dqlZfFO73AyJpj/CQQmao5GFV2:+3feIq+yJbKNr7Lt3Q7EsYhJVQC5Gv
Malware Config
No configuration was extracted for this sample.
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in the report supports that reading: no process is attributed to this hit, and the only storage-related activity recorded in the run is taskmgr.exe reading SCSI enumeration keys (next signature), which is consistent with Task Manager looking up the name of the disk it displays.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments: the device ID under Enum\SCSI encodes the disk's vendor and product strings, and the default virtual disks of common hypervisors identify themselves with strings such as VBOX, VMware or QEMU. In this run the disk reports Ven_DADY&Prod_HARDDISK, which matches none of those, and the reader is taskmgr.exe rather than the sample. The Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A subkey is the device's DEVPKEY_NAME property and FriendlyName is its display name, so the three reads together look like Task Manager resolving the name of the disk it shows.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
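The check behind this signature, worked through on the three registry paths above, as an added example that is not part of the sandbox report or of the sample: it splits an Enum\SCSI path into the vendor/product/revision fields of the device ID, applies the vendor-string comparison that anti-VM code performs against those fields, and groups the reads by the process that made them. The VM_MARKERS list, the event tuples and the VBOX path in the test are constructed for illustration; the DADY/HARDDISK paths are the report's own.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Registry paths copied from the report's IoC table above, paired with the
# process the report attributes them to.
REPORT_EVENTS = [
    ("taskmgr.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"),
    ("taskmgr.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A"),
    ("taskmgr.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName"),
]

# Vendor/product substrings that default hypervisor disks carry (constructed,
# illustrative list); anti-VM code compares Enum\SCSI device IDs or FriendlyName
# values against lists like this one.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

class ScsiDevice(NamedTuple):
    device_type: str  # first token of the device ID, e.g. "Disk"
    vendor: str       # Ven_ field
    product: str      # Prod_ field
    revision: str     # Rev_ field, empty when absent (as in this report)
    instance: str     # instance ID under the device ID
    subpath: str      # value name or Properties\... subkey, empty for the key itself

# ...\Enum\SCSI\<device id>\<instance id>[\<subpath>]
_ENUM_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<devid>[^\\]+)\\(?P<inst>[^\\]+)(?:\\(?P<sub>.+))?$",
    re.IGNORECASE,
)

def parse_scsi_path(path: str) -> Optional[ScsiDevice]:
    """Split an Enum\\SCSI registry path into its device ID fields; None if it is not one."""
    m = _ENUM_RE.search(path)
    if m is None:
        return None
    tokens = m.group("devid").split("&")
    # "Ven_DADY" -> ("Ven", "DADY"); product strings may themselves contain "_"
    fields = dict(t.split("_", 1) for t in tokens[1:] if "_" in t)
    return ScsiDevice(
        device_type=tokens[0],
        vendor=fields.get("Ven", ""),
        product=fields.get("Prod", ""),
        revision=fields.get("Rev", ""),
        instance=m.group("inst"),
        subpath=m.group("sub") or "",
    )

def looks_like_vm_disk(dev: ScsiDevice) -> bool:
    """True when the vendor/product strings match a known hypervisor marker."""
    name = f"{dev.vendor} {dev.product}".upper()
    return any(marker in name for marker in VM_MARKERS)

def triage(events):
    """Group SCSI-enum reads by process: which disks were looked at, how many
    reads, and whether any disk would satisfy a vendor-string VM check."""
    summary = defaultdict(lambda: {"disks": set(), "vm_marker": False, "reads": 0})
    for process, path in events:
        dev = parse_scsi_path(path)
        if dev is None:
            continue  # not an Enum\SCSI path; out of scope here
        rec = summary[process]
        rec["reads"] += 1
        rec["disks"].add((dev.vendor, dev.product))
        rec["vm_marker"] |= looks_like_vm_disk(dev)
    return dict(summary)

if __name__ == "__main__":
    for process, rec in triage(REPORT_EVENTS).items():
        print(process, rec)
```

For this report the summary is one process, taskmgr.exe, three reads of one disk (DADY, HARDDISK) and no VM marker; the same code applied to a VirtualBox guest's Disk&Ven_VBOX&Prod_HARDDISK path returns the marker, which is the difference a sandbox operator is checking for when they rename the virtual disk.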
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | Extreme Injector.v3.7.2.-.by.master131.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3964 | taskmgr.exe (64 identical hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3964 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3964 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3964 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3964 | taskmgr.exe
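The sandbox flags any SeDebugPrivilege enablement; what an analyst wants from this table is to separate expected holders (Task Manager, as here) from a process that has no business holding it. The triage below is an added example, not code from the sandbox or the report: it keys events by (image, pid), keeps only the high-value privileges, and ranks an image from a user-writable path highest. The allowlist, the severity scale and the fourth event (a hypothetical row for the sample, which the report does not record enabling any privilege) are constructed for illustration; the three taskmgr.exe rows are the report's own.

```python
from collections import defaultdict

# Constructed events in (image path, pid, privilege) form. The first three are
# the rows the report attributes to taskmgr.exe (pid 3964); the fourth is a
# hypothetical row for the sample itself, added only to show the contrast.
EVENTS = [
    ("C:\\Windows\\system32\\taskmgr.exe", 3964, "SeDebugPrivilege"),
    ("C:\\Windows\\system32\\taskmgr.exe", 3964, "SeSystemProfilePrivilege"),
    ("C:\\Windows\\system32\\taskmgr.exe", 3964, "SeCreateGlobalPrivilege"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\Extreme Injector.v3.7.2.-.by.master131.exe", 1234, "SeDebugPrivilege"),
]

# Privileges that matter for cross-process access and kernel-level tampering.
HIGH_VALUE = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"}

# Windows binaries expected to enable SeDebugPrivilege in normal operation.
# Task Manager is the one this report shows; extend per environment (assumed list).
EXPECTED = {"c:\\windows\\system32\\taskmgr.exe"}

# Locations an unprivileged user can write to; a high-value privilege enabled
# by an image from here is the strongest signal in this scheme.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

SEVERITY = {"info": 0, "expected": 1, "review": 2, "alert": 3}

def classify(image: str, privilege: str) -> str:
    """Verdict for one (image, privilege) pair."""
    img = image.lower()
    if privilege not in HIGH_VALUE:
        return "info"        # SeSystemProfilePrivilege etc.: not actionable on their own
    if img in EXPECTED:
        return "expected"
    if any(d in img for d in USER_WRITABLE) or not img.startswith("c:\\windows\\"):
        return "alert"
    return "review"          # system binary not on the allowlist: look at it

def triage_privileges(events):
    """Collapse per-privilege rows into one record per (image, pid) carrying the
    set of privileges seen and the highest verdict among them."""
    records = defaultdict(lambda: {"privileges": set(), "verdict": "info"})
    for image, pid, privilege in events:
        rec = records[(image, pid)]
        rec["privileges"].add(privilege)
        verdict = classify(image, privilege)
        if SEVERITY[verdict] > SEVERITY[rec["verdict"]]:
            rec["verdict"] = verdict
    return dict(records)

if __name__ == "__main__":
    for (image, pid), rec in triage_privileges(EVENTS).items():
        print(pid, rec["verdict"], image, sorted(rec["privileges"]))
```

Run against the report's rows alone the result is a single "expected" record for pid 3964; the hypothetical Temp-path row is what an "alert" looks like under the same rules.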
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
3964 | taskmgr.exe (64 identical hits)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
3964 | taskmgr.exe (64 identical hits)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
4532 | OpenWith.exe (3 identical hits)
Processes
All three processes are at depth 1 (the sandbox's "1⤵" marker); none is recorded as a child of another, so the tree does not link taskmgr.exe or OpenWith.exe to the sample.
- "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.v3.7.2.-.by.master131.exe" (depth 1)
  - Modifies registry class
- "C:\Windows\system32\taskmgr.exe" /4 (depth 1)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\OpenWith.exe -Embedding (depth 1)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Reading the tree: the only behaviour attributed to the sample is the creation of one Local Settings key under its user's Classes hive. Every "Suspicious" signature belongs to taskmgr.exe (Task Manager) or OpenWith.exe (the shell's "Open with" dialog, started as a COM server, hence -Embedding), both Windows components for which process enumeration, enabling SeDebugPrivilege, window lookups and message hooks are normal operation. No process-injection activity (remote thread creation, cross-process memory writes, DLL loads into another process) was recorded, which is what a GUI injector that waits for the user to pick a DLL and a target process would show in an unattended run; the report therefore says nothing about the tool's injection capability, only that it did not exercise it here.