Analysis
max time kernel: 53s
max time network: 57s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 15/03/2023, 02:30
Static task: static1
Behavioral task: behavioral1
Sample: Extreme Injector v3.exe
Resource: win7-20230220-en
General
Target: Extreme Injector v3.exe
Size: 2.5MB
MD5: db968aeb50c080c3a72229b1a8510120
SHA1: 97bab715884b15042bcc5b0b7cdfd99008768c73
SHA256: c11e2996e5b8e13cfee2563d6b3feef431acb558f9925024304472142ab1bde7
SHA512: acadb5c7048226069d696d47469bb4ad526f3ee7a85ef7e0c941bfc7d0497c6ca23d6fa9aae46280680ff2f0c2b6d9341acf462de32eb209f211d4c20fbface5
SSDEEP: 49152:uKUoU6fNT4krGHdiZoQ67UWqpjJXyZKB:TaAZIqpjR
Malware Config
Extracted
https://pastebin.com/raw/vNcCt60A
Extracted
Family: asyncrat
Version: 1.0.7
Default
Mutex
delay: 3
install: true
install_file: csrss.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures
Async RAT payload (5 IoCs)
resource                                                                       yara_rule
behavioral2/files/0x000400000001fca6-218.dat                                   asyncrat
behavioral2/files/0x000400000001fca6-219.dat                                   asyncrat
behavioral2/memory/4612-221-0x00000000004D0000-0x00000000004E6000-memory.dmp   asyncrat
behavioral2/files/0x00020000000225be-230.dat                                   asyncrat
behavioral2/files/0x00020000000225be-231.dat                                   asyncrat
Blocklisted process makes network request (3 IoCs)
flow  pid   Process
24    3604  powershell.exe
27    3604  powershell.exe
29    3604  powershell.exe
Downloads MZ/PE file
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid   Process
4908  attrib.exe
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation   Extreme Injector v3.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation   service.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation   WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation   tmp7DD1.exe
Executes dropped EXE (3 IoCs)
pid   Process
2372  service.exe
4612  tmp7DD1.exe
2060  csrss.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4204  schtasks.exe
Delays execution with timeout.exe (1 IoCs)
pid   Process
4192  timeout.exe
Modifies registry class (2 IoCs)
description  ioc                                                                                                          Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\         Extreme Injector v3.exe
Key created  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings                          service.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid   Process         entries
3604  powershell.exe  2
4612  tmp7DD1.exe     23
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description                          pid   Process
Token: SeDebugPrivilege              3604  powershell.exe
Token: SeIncreaseQuotaPrivilege      3604  powershell.exe
Token: SeSecurityPrivilege           3604  powershell.exe
Token: SeTakeOwnershipPrivilege      3604  powershell.exe
Token: SeLoadDriverPrivilege         3604  powershell.exe
Token: SeSystemProfilePrivilege      3604  powershell.exe
Token: SeSystemtimePrivilege         3604  powershell.exe
Token: SeProfSingleProcessPrivilege  3604  powershell.exe
Token: SeIncBasePriorityPrivilege    3604  powershell.exe
Token: SeCreatePagefilePrivilege     3604  powershell.exe
Token: SeBackupPrivilege             3604  powershell.exe
Token: SeRestorePrivilege            3604  powershell.exe
Token: SeShutdownPrivilege           3604  powershell.exe
Token: SeDebugPrivilege              3604  powershell.exe
Token: SeSystemEnvironmentPrivilege  3604  powershell.exe
Token: SeRemoteShutdownPrivilege     3604  powershell.exe
Token: SeUndockPrivilege             3604  powershell.exe
Token: SeManageVolumePrivilege       3604  powershell.exe
Token: 33                            3604  powershell.exe
Token: 34                            3604  powershell.exe
Token: 35                            3604  powershell.exe
Token: 36                            3604  powershell.exe
Token: SeDebugPrivilege              4612  tmp7DD1.exe
Token: SeDebugPrivilege              2060  csrss.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description                        pid   Process                  procid_target  entries
PID 824 wrote to memory of 2372    824   Extreme Injector v3.exe  86             3
PID 2372 wrote to memory of 208    2372  service.exe              87             3
PID 208 wrote to memory of 3604    208   WScript.exe              88             3
PID 3604 wrote to memory of 4908   3604  powershell.exe           93             3
PID 3604 wrote to memory of 4612   3604  powershell.exe           94             2
PID 4612 wrote to memory of 3372   4612  tmp7DD1.exe              98             2
PID 4612 wrote to memory of 3380   4612  tmp7DD1.exe              100            2
PID 3372 wrote to memory of 4204   3372  cmd.exe                  102            2
PID 3380 wrote to memory of 4192   3380  cmd.exe                  103            2
PID 3380 wrote to memory of 2060   3380  cmd.exe                  105            2
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes (1 TTPs, 1 IoCs)
pid   Process
4908  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
  PID: 824
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\service.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
    PID: 2372
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      PID: 208
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        PID: 3604
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe
          Command line: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp7DD1.exe
          PID: 4908
          - Sets file to hidden
          - Views/modifies file attributes
        C:\Users\Admin\AppData\Local\Temp\tmp7DD1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7DD1.exe"
          PID: 4612
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
            PID: 3372
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
              PID: 4204
              - Creates scheduled task(s)
          C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBE34.tmp.bat""
            PID: 3380
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\timeout.exe
              Command line: timeout 3
              PID: 4192
              - Delays execution with timeout.exe
            C:\Users\Admin\AppData\Roaming\csrss.exe
              Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
              PID: 2060
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads