imminent | 40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca | Triage

Sharing

General

Target

Downloads.rar
Size

30.7MB
Sample

210315-4tlv3wg3ax
MD5

475b06abee2f66e15943ac519666a381
SHA1

becd1f63736d32bc5c2f3cff31caeef95921f10b
SHA256

40ba07f9761a6565642d7aae57f2f4622030e33fe80eb46a543446dcb8e3f1ca
SHA512

5c6fe9e948a1951ff973d2136ede19ac0f6bb1b9d268953f01391c1aa9b903300022bed19896188ea52d78aa987c5821d711e50fab0528726b3f7e2e22e1535a

Score

10^/10

imminent locky_lukitus xmrig discovery evasion miner persistence ransomware spyware stealer trojan upx

Malware Config

Targets

- Target
  
  04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be
- Size
  
  730KB
- MD5
  
  07f1fa24a6fcb3708ab0689a2706ad8c
- SHA1
  
  5da69784e467f242b4f0318fed2b3aed988c6466
- SHA256
  
  04443c70d34ded7f17d3a00b0f3f7309291dbcb7957a1c5664aab6c7886b17be
- SHA512
  
  59a67d2e495b948a45f32f67e3e2a85f0d8343942677e16d8f53162b42ba3a535dd72b713ca1ab59f871a7cbb614f13626741b782b2b2cc4c875bf3a82e83bfb
Score

9^/10

miner persistence upx
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
  miner
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Cryptocurrency Miner
  Makes network request to known mining pool URL.
  miner
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  05535d72f3f98c73d9b660625e1b627b1bebbd15d7d4add4ecc492a2b0d67a06
- Size
  
  1.5MB
- MD5
  
  5c3986f4603187cbd1aeb622c8df8d10
- SHA1
  
  4c70e2f27d47516386780f7e6a1aefe870790e5b
- SHA256
  
  05535d72f3f98c73d9b660625e1b627b1bebbd15d7d4add4ecc492a2b0d67a06
- SHA512
  
  e3eba052589d7147c44b289a4bd5e5258d1c108915a5dedf5c337cc1bbeba0f93e939edc8c60923269324dbe2795fd5414d408b7c05e62aec6dd0b7d2a22d902
Score

1^/10
behavioral3 behavioral4
- Target
  
  1bec139d54d147196c4e736d8dcf1f39d2bff390d59d5b240b4a97e03763cf72
- Size
  
  1.8MB
- MD5
  
  feb0e4a9e482c4a551de22193719b54c
- SHA1
  
  768e728b04f59c87ee318d92a90b82cd4981631c
- SHA256
  
  1bec139d54d147196c4e736d8dcf1f39d2bff390d59d5b240b4a97e03763cf72
- SHA512
  
  06a0f41f0060fbafc658a5da2246451a649fad8e1f58839d9b1d9914f00a80b46952e06d6bd027dbd3c06b8d04235e74652cdc0a589b12a6797b6458a547d196
Score

8^/10

discovery
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5 behavioral6
- Target
  
  1f670ff8cca59a61aa0d58f297788916a6a9a318c1e7a3319367b6ffdc45c755
- Size
  
  777KB
- MD5
  
  bcc7caa6a013aad40f40c4ef7711c725
- SHA1
  
  1917a4ca3e14d003b618d1ba6835177bd12591b4
- SHA256
  
  1f670ff8cca59a61aa0d58f297788916a6a9a318c1e7a3319367b6ffdc45c755
- SHA512
  
  8383c150e5adc100cc92005747497eae33be8d09610577583961c73ecabf2c924f40394a7b9e64cac14e392f99ead367922e718b519689cc2bdc463c419edf41
Score

1^/10
behavioral7 behavioral8
- Target
  
  2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea
- Size
  
  657KB
- MD5
  
  8009e4433aad21916a7761d374ee2be9
- SHA1
  
  e0538c4bb3d0310f827799c98707b681d1f91b45
- SHA256
  
  2deaa0ec7445c26f1442f860eb32f4fcda2d501699d09a94c26035d6185803ea
- SHA512
  
  404f98fb57d0842aa43d5a113a395ff1d5d963ae60bce81d4dc22f3f0b382a7ba06703b0d7404a240e5edf5f1f75f8bc9b980a966bd29b9e432cd09cb1507071
Score

10^/10

locky_lukitus ransomware
- Locky (Lukitus variant)
  Variant of the Locky ransomware seen in the wild since late 2017.
  ransomware locky_lukitus
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Sets desktop wallpaper using registry
  ransomware
behavioral9 behavioral10
- Target
  
  372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef
- Size
  
  846KB
- MD5
  
  85003057fbddd3468478adc04a1b50cd
- SHA1
  
  acdd39a0d8068bfc4a16a0193c90eae85a5831fa
- SHA256
  
  372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef
- SHA512
  
  989f0738855e83b3ec9d97a7c9f93c0362285393cb1b7a266d6d1287bffad97c3a674c1738d1d0dc32c9751f68025da34f176a9bcc81c27b39fc1accdbbabb06
Score

9^/10

persistence spyware stealer upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Blocklisted process makes network request
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
behavioral11 behavioral12
- Target
  
  38ee6bea62658ae4fa75914261a5848a8db5b332ddfb52daf01e958871559e15
- Size
  
  1.6MB
- MD5
  
  7feccbef4ed3a323ed763d24d022e4df
- SHA1
  
  c6d62240ffd19c94a5f5080d7518b65555eb4fb2
- SHA256
  
  38ee6bea62658ae4fa75914261a5848a8db5b332ddfb52daf01e958871559e15
- SHA512
  
  ccb1b77974fb1be74fc71f3f6d036aafdf077d214efadd933f8e3f7e4e9e9f4e8915d9d4da31b95a65e15c29429a726aa3d3116fbb4f2b73c3fa95ddc78d22e2
Score

3^/10
behavioral13 behavioral14
- Target
  
  437d91ce52c0b54e125d28ea1bc6b5547183f04e40f9e487150be7862e61688f
- Size
  
  3.5MB
- MD5
  
  7ec07e27817c7dc87b3cf22533509581
- SHA1
  
  b3cd8a2386897d53133b8a6193989f2a6324a71f
- SHA256
  
  437d91ce52c0b54e125d28ea1bc6b5547183f04e40f9e487150be7862e61688f
- SHA512
  
  aed38074b14d441566677af3cada2b695f2ffca9651e79f3df0ccad9daac8c69d03cca016a4bd36a9fc3e798debe4a39cb60d00ef566c02c25813c35d6ccf36f
Score

4^/10
behavioral15 behavioral16
- Target
  
  447058c1c6551c352895be7569e33c96384da3757303fc97004be45f56b4e9a8
- Size
  
  618KB
- MD5
  
  fa441d64d6ff82b1720ad98b1140f955
- SHA1
  
  0afa7eb0fb26f69ca0146c68d2b7d84c2ad5078e
- SHA256
  
  447058c1c6551c352895be7569e33c96384da3757303fc97004be45f56b4e9a8
- SHA512
  
  606dd4e96f435665b29c8254ef143e0c303c0304e452f2bf1d3206ef0803ae920885e4c751c2a9a5f4a93103bc5b81c9fdebb9289fbd1d3e13a1dbc32e838e4e
Score

9^/10

upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
behavioral17 behavioral18
- Target
  
  5061c0b08d522fdae45fc9285ac45fb96a4e80bd859867a0e988dfaeb2b33b03
- Size
  
  1001KB
- MD5
  
  36882198e11da2783e28b84eed923fca
- SHA1
  
  7b438dcc035151bdec22ff1c879ec0461ebad8fd
- SHA256
  
  5061c0b08d522fdae45fc9285ac45fb96a4e80bd859867a0e988dfaeb2b33b03
- SHA512
  
  cae626bd2810c171e73256e4553d9558b40fa98afca46b31dbb6fd81ebe70eaf2c16ec23f17f2fb41553bea7b21b1868ea867904e4ed2b479ae2c985fbc4d8f2
Score

1^/10
behavioral19 behavioral20
- Target
  
  5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4
- Size
  
  611KB
- MD5
  
  646a7f19343274ba87dbddc903dd60d0
- SHA1
  
  eb84789fda3ad3fa6e838c954e1ac0d1e9fd2848
- SHA256
  
  5ed4b682efcc4d63e5fc8a5f666f64e206e710dd408455d6061ddf3d8c95aed4
- SHA512
  
  3589d32cce5620232b2b6e7b6fc4f64fad7cf7b0ff95bd161913f8f59b45a086c9d93aa453dbc6f4d9b63b40b7a3e1101f09fe6ee5bcd997de1177a5d798c362
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  6970600d21285371d6a4fd6175b65b672b9b9aaea36353e1544f0672944c9fb5
- Size
  
  766KB
- MD5
  
  25fa4e744078e82fd359f8755191bdf5
- SHA1
  
  6ef18a8590fc8aa4874ec16a3682123624eafbd8
- SHA256
  
  6970600d21285371d6a4fd6175b65b672b9b9aaea36353e1544f0672944c9fb5
- SHA512
  
  bf26f615cbccd58758adef227730a2bf90b9e038cf0078d413f749c513664a8f171b33f05539bcff46cec5182ed7be69a1d4fc2166ea5542b60eb275fbc03484
Score

1^/10
behavioral23 behavioral24
- Target
  
  72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592
- Size
  
  818KB
- MD5
  
  d8e9c7825c9f7c3828ff4a579a965a8a
- SHA1
  
  8db1c5dcd2d583a6644f7e7d613837309b0092a5
- SHA256
  
  72f528f9a6bb7e6ccf45d9e25e77badb6e9fd8533c0fd8dac26a087347ff8592
- SHA512
  
  9379b64c348f3b070cdf0a962ccd22f8ff7111fd0bbc7f242feca32cada3cb5ce46b132be1675705983f96e75146051ed2a84d36fe13bc7ac10fe89105a103b3
Score

8^/10

persistence upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral25 behavioral26
- Target
  
  73dcee7abeca24a9170f800d069e80283b9ea1bd7cc6fbabdf55c613897f9699
- Size
  
  3.6MB
- MD5
  
  5bdc58d9791dd30ca23b19c1ef88affb
- SHA1
  
  73379a7aea0b87ffa3305603ae76e02443e9378f
- SHA256
  
  73dcee7abeca24a9170f800d069e80283b9ea1bd7cc6fbabdf55c613897f9699
- SHA512
  
  53113b9aebd79a9f64029491ea8b4eda159388a2c68010bac12f2ad32f1aa417f12ad27c2a554bfee2737cbe1e7c8374b315d8e6bc69ec9929cee372ebcc286d
Score

1^/10
behavioral27 behavioral28
- Target
  
  7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2
- Size
  
  1.2MB
- MD5
  
  629616cf3527c449d804903309e7ce66
- SHA1
  
  90374cb88ca94ed7cc0ec7a0eca33be01e40b6d0
- SHA256
  
  7e118b534abb919903bc15b33f5fe2db15a54f7f39a7abc87c61e4617f35c0d2
- SHA512
  
  da12c2757632698ea0ba35261c95a3c712b3f4a2d276b628fba703d2a2c4c2e2d2929c6dc178c1cd18142d6010e54ef9b7b8b8f009ed5b402007bc7cd431fa67
Score

10^/10

xmrig miner upx
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  8034fffb03faec5aa94d3c16cdb98dfbcce06e8f8f7a278f7c30cff0398ea03c
- Size
  
  2.8MB
- MD5
  
  1b571c3e29d65ece64e292985cbb020c
- SHA1
  
  09ef64cdef28ea000ed410615a779d6b17039a01
- SHA256
  
  8034fffb03faec5aa94d3c16cdb98dfbcce06e8f8f7a278f7c30cff0398ea03c
- SHA512
  
  9c6330aa486796104ee0d8e0e71130b8e1a91dd16e347218e6a72d8a6b5ee7b99b1099f1fb2c02310f75b2032ac43781902d1e2a831d59273556829c85d613f4
Score

10^/10

imminent evasion spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

minerpersistenceupx

behavioral2

minerpersistenceupx

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

locky_lukitusransomware

behavioral10

locky_lukitusransomware

behavioral11

persistencespywarestealerupx

behavioral12

persistencespywarestealerupx

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

imminentevasionspywaretrojan

behavioral32

imminentevasionspywaretrojan