Analysis
max time kernel: 89s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2023, 02:31
Static task: static1
Behavioral task: behavioral1
Sample: Extreme Injector v3.exe
Resource: win7-20230220-en
General
Target: Extreme Injector v3.exe
Size: 2.5MB
MD5: db968aeb50c080c3a72229b1a8510120
SHA1: 97bab715884b15042bcc5b0b7cdfd99008768c73
SHA256: c11e2996e5b8e13cfee2563d6b3feef431acb558f9925024304472142ab1bde7
SHA512: acadb5c7048226069d696d47469bb4ad526f3ee7a85ef7e0c941bfc7d0497c6ca23d6fa9aae46280680ff2f0c2b6d9341acf462de32eb209f211d4c20fbface5
SSDEEP: 49152:uKUoU6fNT4krGHdiZoQ67UWqpjJXyZKB:TaAZIqpjR
Malware Config
Extracted
Pastebin URL: https://pastebin.com/raw/vNcCt60A
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
Mutex:
delay: 3
install: true
install_file: csrss.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/3Z9zi18j
The install_folder/install_file pair is what produces the persisted copy at C:\Users\Admin\AppData\Roaming\csrss.exe seen in the process tree, and delay 3 matches the "timeout 3" in the installer batch file. pastebin_config is the AsyncRAT option that makes the client fetch its C2 host:port from a Pastebin raw URL instead of carrying it in the binary, which is the behaviour the "Legitimate hosting services abused for malware hosting/C2" signature refers to; blocking or monitoring requests to pastebin.com/raw is therefore a cheap network control for this configuration.
Signatures

Async RAT payload (5 IoCs)
yara rule "asyncrat" matched:
- behavioral2/files/0x000e000000023163-217.dat
- behavioral2/files/0x000e000000023163-219.dat
- behavioral2/memory/4520-221-0x00000000003B0000-0x00000000003C6000-memory.dmp (PID 4520, tmp2DD2.exe)
- behavioral2/files/0x0006000000023164-230.dat
- behavioral2/files/0x0006000000023164-231.dat

Blocklisted process makes network request (3 IoCs)
- flow 33: PID 4368 powershell.exe
- flow 35: PID 4368 powershell.exe
- flow 37: PID 4368 powershell.exe

Downloads MZ/PE file

Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop the file showing in Explorer etc.
- PID 3180 attrib.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation, by:
- Extreme Injector v3.exe
- service.exe
- WScript.exe
- tmp2DD2.exe

Executes dropped EXE (3 IoCs)
- PID 3820 service.exe
- PID 4520 tmp2DD2.exe
- PID 1396 csrss.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but no file encryption activity is recorded elsewhere in this report.

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2836 schtasks.exe

Delays execution with timeout.exe (1 IoC)
- PID 4832 timeout.exe

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Extreme Injector v3.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings (service.exe)

Suspicious behavior: EnumeratesProcesses (25 IoCs)
- PID 4368 powershell.exe (2 events)
- PID 4520 tmp2DD2.exe (23 events)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
- PID 4368 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the last four are privilege LUIDs the report leaves unnamed)
- PID 4520 tmp2DD2.exe: SeDebugPrivilege
- PID 1396 csrss.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (24 IoCs)
Each row is parent PID -> child PID, with the report's internal process id in brackets and the number of write events. Every row here is a parent writing into a child it has just created, i.e. the ordinary process-creation path; the report records no write into an unrelated, pre-existing process.
- 4644 Extreme Injector v3.exe -> 3820 service.exe [85] (3 events)
- 3820 service.exe -> 3864 WScript.exe [86] (3 events)
- 3864 WScript.exe -> 4368 powershell.exe [87] (3 events)
- 4368 powershell.exe -> 3180 attrib.exe [98] (3 events)
- 4368 powershell.exe -> 4520 tmp2DD2.exe [99] (2 events)
- 4520 tmp2DD2.exe -> 3744 cmd.exe [100] (2 events)
- 4520 tmp2DD2.exe -> 3228 cmd.exe [102] (2 events)
- 3228 cmd.exe -> 4832 timeout.exe [104] (2 events)
- 3744 cmd.exe -> 2836 schtasks.exe [105] (2 events)
- 3228 cmd.exe -> 1396 csrss.exe [106] (2 events)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
- PID 3180 attrib.exe
Processes
Depth numbers are the report's tree levels. service.exe, WScript.exe, powershell.exe and attrib.exe ran as 32-bit processes: their command lines name System32 but the loaded images are under SysWOW64, which is WOW64 file-system redirection. The RarSFX0 temp folder that config.vbs is run from is the extraction directory a WinRAR self-extracting archive creates, so service.exe is an SFX that drops the VBS and PowerShell stagers. From tmp2DD2.exe downward the children load from the real System32.

1. C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe (PID 4644)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\service.exe (PID 3820)
      Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe (PID 3864)
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4368)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\attrib.exe (PID 3180)
               Command line: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp2DD2.exe
               - Sets file to hidden
               - Views/modifies file attributes
            5. C:\Users\Admin\AppData\Local\Temp\tmp2DD2.exe (PID 4520)
               Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2DD2.exe"
               - Checks computer location settings
               - Executes dropped EXE
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\System32\cmd.exe (PID 3744)
                  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\system32\schtasks.exe (PID 2836)
                     Command line: schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
                     - Creates scheduled task(s)
               6. C:\Windows\system32\cmd.exe (PID 3228)
                  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCC9C.tmp.bat""
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\system32\timeout.exe (PID 4832)
                     Command line: timeout 3
                     - Delays execution with timeout.exe
                  7. C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1396)
                     Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
                     - Executes dropped EXE
                     - Suspicious use of AdjustPrivilegeToken

The persistence is the standard AsyncRAT installer: an onlogon scheduled task named "csrss" with /rl highest, whose action is the copy under %AppData%\Roaming, while the batch file waits three seconds and then starts that copy. The task name and file name borrow a Windows system process name, but the real csrss.exe only ever runs from \Windows\System32.
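The hunting logic below is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. It runs four rules derived from the process tree above over constructed Sysmon-style process-creation events (the event field names, the EVENTS list and the two benign control events are assumptions; the PIDs and command lines are copied from the report): a system-binary name running outside System32/SysWOW64, an onlogon task with /rl highest whose action lives in a user-writable AppData path, attrib +s +h on a file under AppData, and a script host spawning PowerShell with an execution-policy override.

```python
# Added example (not from the sandbox report): hunting rules for the AsyncRAT
# install chain above, run over constructed Sysmon-style process events.
import re
from typing import Dict, List

# The schtasks command line exactly as recorded in the report's process tree.
TASK_CMD = (r'schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '
            + "'" + r'"C:\Users\Admin\AppData\Roaming\csrss.exe"' + "'")

# Constructed events (assumption: field names modelled on Sysmon event ID 1).
# PIDs/command lines mirror the report; PIDs 600 and 700 are benign controls.
EVENTS = [
    {"pid": 3864, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\service.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"'},
    {"pid": 4368, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1'},
    {"pid": 3180, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "parent_image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp2DD2.exe'},
    {"pid": 3744, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\tmp2DD2.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"},
    {"pid": 2836, "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": TASK_CMD},
    {"pid": 1396, "image": r"C:\Users\Admin\AppData\Roaming\csrss.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\csrss.exe"'},
    # Benign controls (constructed): the real csrss and an admin backup task.
    {"pid": 600, "image": r"C:\Windows\System32\csrss.exe",
     "parent_image": r"C:\Windows\System32\smss.exe",
     "cmdline": r'"C:\Windows\System32\csrss.exe"'},
    {"pid": 700, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
                "services.exe", "svchost.exe"}
# Value of /tr up to a trailing "& exit" (as in the cmd.exe wrapper) or end.
TASK_RUN = re.compile(r"/tr\s+(.+?)(?:\s+&\s*exit|\s*$)", re.I)
POLICY_OVERRIDE = re.compile(r"(?:-ex\w*|-ep)\s+(?:unrestricted|bypass)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev: dict) -> List[str]:
    """Return the rule names that fire for one process-creation event."""
    hits: List[str] = []
    image, cmd = ev["image"], ev["cmdline"]
    name = basename(image)
    # R1: a Windows system-process name loaded from outside System32/SysWOW64.
    if name in SYSTEM_NAMES and not SYSTEM_DIR.match(image):
        hits.append("masquerade:system-binary-name-outside-system-dir")
    # R2: schtasks /create with onlogon + highest RL and a user-writable action.
    if re.search(r"\bschtasks\b.*?/create\b", cmd, re.I):
        low = cmd.lower()
        m = TASK_RUN.search(cmd)
        target = m.group(1).strip("'\" ") if m else ""
        if "/sc onlogon" in low and "/rl highest" in low and USER_WRITABLE.search(target):
            hits.append("persistence:onlogon-task-highest-user-writable-target")
    # R3: attrib +s / +h applied to a file under the user's AppData.
    if name == "attrib.exe" and re.search(r"\+[sh]\b", cmd) and USER_WRITABLE.search(cmd):
        hits.append("evasion:attrib-hides-dropped-file")
    # R4: wscript/cscript launching PowerShell with an execution-policy override.
    if (name == "powershell.exe"
            and basename(ev["parent_image"]) in {"wscript.exe", "cscript.exe"}
            and POLICY_OVERRIDE.search(cmd)):
        hits.append("execution:script-host-spawns-powershell-with-policy-override")
    return hits


def scan(events: List[dict]) -> Dict[int, List[str]]:
    """Map PID -> fired rules, omitting processes with no findings."""
    return {ev["pid"]: h for ev in events if (h := rules_for(ev))}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
```

Run stand-alone it prints one line per flagged PID (3744, 2836, 3180, 4368 and 1396 from the report's chain) and nothing for the two benign controls. R2 deliberately keys on the three properties together, since onlogon tasks and /rl highest are each common in legitimate software; the user-writable action path is what separates this installer from them.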
Downloads
Files extracted from the run, identified by hash. The report lists the 283KB file three times and the 63KB file four times; those repeats are collapsed here with their count.

Filesize: 147B
MD5: e04e55d2e6cc3d920631fdc5d6dcc1ce
SHA1: 2c4dbcff71f8678623a7c197440ec281804dc5a5
SHA256: f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
SHA512: 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

Filesize: 797B
MD5: eb9c76ab230c2b8527d504429d7aca20
SHA1: ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
SHA256: f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
SHA512: f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 283KB (listed 3 times)
MD5: cc9cbbfa9ccc9cefe75253c65ad22405
SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17

Filesize: 63KB (listed 4 times)
MD5: d2053aeb9216c3040b40e67d72578669
SHA1: 3a33aab579e13bac21c4966b4e2491cee400155f
SHA256: 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df
SHA512: 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f

Filesize: 149B
MD5: d2fcd0491a68ee4ce690b7cdb59a60da
SHA1: 380a6e13d8502a2549112aae8a9ffa98fd744a0c
SHA256: d566498c3411c209aa4ae31587bd3038e987940489fa66d0edde474304b5f751
SHA512: 3f6b42cbbbc6a52d917973a3756f7b23687ffe2b3c6f7c0a82cee494c6fa1f2e245bbfcabfece8846be8efdae10f4bd253ce02dc962f64ec9831bae2d4ce9b3b