Analysis
max time kernel: 29s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 15/03/2023, 02:30
Static task: static1
Behavioral task: behavioral1
Sample: Extreme Injector v3.exe
Resource: win7-20230220-en
General
Target: Extreme Injector v3.exe
Size: 2.5MB
MD5: db968aeb50c080c3a72229b1a8510120
SHA1: 97bab715884b15042bcc5b0b7cdfd99008768c73
SHA256: c11e2996e5b8e13cfee2563d6b3feef431acb558f9925024304472142ab1bde7
SHA512: acadb5c7048226069d696d47469bb4ad526f3ee7a85ef7e0c941bfc7d0497c6ca23d6fa9aae46280680ff2f0c2b6d9341acf462de32eb209f211d4c20fbface5
SSDEEP: 49152:uKUoU6fNT4krGHdiZoQ67UWqpjJXyZKB:TaAZIqpjR
Malware Config
Extracted
https://pastebin.com/raw/vNcCt60A
Signatures
- Executes dropped EXE (1 IoCs)
  pid 332  process service.exe
- Loads dropped DLL (1 IoCs)
  pid 1100  process Extreme Injector v3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1728  process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description Token: SeDebugPrivilege  pid 1728  process powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                   pid   process                  procid_target
  PID 1100 wrote to memory of 332   1100  Extreme Injector v3.exe  27
  PID 1100 wrote to memory of 332   1100  Extreme Injector v3.exe  27
  PID 1100 wrote to memory of 332   1100  Extreme Injector v3.exe  27
  PID 1100 wrote to memory of 332   1100  Extreme Injector v3.exe  27
  PID 332 wrote to memory of 1176   332   service.exe              28
  PID 332 wrote to memory of 1176   332   service.exe              28
  PID 332 wrote to memory of 1176   332   service.exe              28
  PID 332 wrote to memory of 1176   332   service.exe              28
  PID 1176 wrote to memory of 1728  1176  WScript.exe              29
  PID 1176 wrote to memory of 1728  1176  WScript.exe              29
  PID 1176 wrote to memory of 1728  1176  WScript.exe              29
  PID 1176 wrote to memory of 1728  1176  WScript.exe              29
Processes
1. C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1100
   2. C:\Users\Admin\AppData\Local\Temp\service.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 332
      3. C:\Windows\SysWOW64\WScript.exe
         command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
         - Suspicious use of WriteProcessMemory
         PID: 1176
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1728
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 147B
  MD5: e04e55d2e6cc3d920631fdc5d6dcc1ce
  SHA1: 2c4dbcff71f8678623a7c197440ec281804dc5a5
  SHA256: f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
  SHA512: 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998
- Filesize: 797B
  MD5: eb9c76ab230c2b8527d504429d7aca20
  SHA1: ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
  SHA256: f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
  SHA512: f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2
- Filesize: 283KB
  MD5: cc9cbbfa9ccc9cefe75253c65ad22405
  SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
  SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
  SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17
- Filesize: 283KB
  MD5: cc9cbbfa9ccc9cefe75253c65ad22405
  SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
  SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
  SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17
- Filesize: 283KB
  MD5: cc9cbbfa9ccc9cefe75253c65ad22405
  SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
  SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
  SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17