Analysis
- max time kernel: 150s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 15/03/2023, 02:34
Static task: static1
Behavioral task: behavioral1
- Sample: New Project 1.exe
- Resource: win7-20230220-en
General
- Target: New Project 1.exe
- Size: 3.3MB
- MD5: 0b82679d42cab0b409f8931a42b5b146
- SHA1: cb04cd8a5b8a964e02029d4e8c7b58dffb027090
- SHA256: c161fdee3b643c98fe1b8f7697e7862343eae67823692a122ec27fe9bf0ce8bb
- SHA512: d28e03ae32c4f7cec3cbc0d40c8a295a222b5746ea1e40074ec6bb2cecbe74920f27cd6874450e0d9f851f90bd0a59a758e5752246cfe808863f36108e94dcb8
- SSDEEP: 49152:OzsaGqHikFPJcC2wxmDK30zBSs0xThNydNqLB7ZhCABTkPe:3wiXC1OB0Kni5JkP
Malware Config
- Extracted: https://pastebin.com/raw/vNcCt60A
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  912   Extreme Injector v3.exe
  568   service.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1732  New Project 1.exe
  1732  New Project 1.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  636   powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             912   Extreme Injector v3.exe
  Token: 33                           912   Extreme Injector v3.exe
  Token: SeIncBasePriorityPrivilege   912   Extreme Injector v3.exe
  Token: SeDebugPrivilege             636   powershell.exe
  Token: SeDebugPrivilege             912   Extreme Injector v3.exe
  Token: 33                           912   Extreme Injector v3.exe
  Token: SeIncBasePriorityPrivilege   912   Extreme Injector v3.exe
  (the remaining entries are the same "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair for PID 912, Extreme Injector v3.exe, repeated)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process             procid_target
  PID 1732 wrote to memory of 912    1732  New Project 1.exe   28   (recorded 4 times)
  PID 1732 wrote to memory of 568    1732  New Project 1.exe   29   (recorded 4 times)
  PID 568 wrote to memory of 876     568   service.exe         30   (recorded 4 times)
  PID 876 wrote to memory of 636     876   WScript.exe         31   (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\New Project 1.exe (PID: 1732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe (PID: 912)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\service.exe (PID: 568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe (PID: 876)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 636)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.9MB (listed 3 times)
  MD5: ec801a7d4b72a288ec6c207bb9ff0131
  SHA1: 32eec2ae1f9e201516fa7fcdc16c4928f7997561
  SHA256: b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
  SHA512: a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac
- Filesize: 147B
  MD5: e04e55d2e6cc3d920631fdc5d6dcc1ce
  SHA1: 2c4dbcff71f8678623a7c197440ec281804dc5a5
  SHA256: f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
  SHA512: 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998
- Filesize: 797B
  MD5: eb9c76ab230c2b8527d504429d7aca20
  SHA1: ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
  SHA256: f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
  SHA512: f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2
- Filesize: 283KB (listed 3 times)
  MD5: cc9cbbfa9ccc9cefe75253c65ad22405
  SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
  SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
  SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17