Analysis

  • max time kernel
    152s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22/01/2022, 01:10

General

  • Target

    a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe

  • Size

    1.4MB

  • MD5

    a87401f7224a349d9e93ffb98ba77f14

  • SHA1

    9b72bb09f33e4f58329bbd30289615f73283ca41

  • SHA256

    a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814

  • SHA512

    dd0c898d77366ad0bc26e75486874c1987e6a21ec655c1a5d71b693b46c1ea8ade5143cc1637217bdd826f2d2fbd4e952fbbd8a830ab493b7e1b9f3c8d652290

Score
10/10

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Maps connected drives based on registry (3 TTPs, 4 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (31 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe
    "C:\Users\Admin\AppData\Local\Temp\a7dcdee5d981c3b94283137554445c6a32081a3ea4b9a32e70467d0bb36cc814.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /F
      2⤵
        PID:1472
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Update\60887b4d-0a73-4b81-9ce8-a6c9d424b9cc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp799550281.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:1444
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\Wfantaw.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Users\Admin\AppData\Roaming\Wfantaw.exe
          C:\Users\Admin\AppData\Roaming\Wfantaw.exe
          3⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Users\Admin\AppData\Roaming\Wfantaw.exe
            C:\Users\Admin\AppData\Roaming\Wfantaw.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:340

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/340-70-0x0000000002080000-0x0000000002081000-memory.dmp (Filesize: 4KB)
  • memory/960-55-0x0000000076921000-0x0000000076923000-memory.dmp (Filesize: 8KB)
  • memory/960-58-0x0000000000DB6000-0x0000000000DC7000-memory.dmp (Filesize: 68KB)
  • memory/960-57-0x0000000000DB1000-0x0000000000DB2000-memory.dmp (Filesize: 4KB)
  • memory/960-56-0x0000000000DB0000-0x0000000000DB1000-memory.dmp (Filesize: 4KB)
  • memory/1160-76-0x0000000000130000-0x0000000000146000-memory.dmp (Filesize: 88KB)
  • memory/1160-71-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize: 4KB)
  • memory/1160-75-0x0000000000130000-0x0000000000146000-memory.dmp (Filesize: 88KB)
  • memory/1160-77-0x0000000000130000-0x0000000000146000-memory.dmp (Filesize: 88KB)
  • memory/1160-79-0x0000000000130000-0x0000000000146000-memory.dmp (Filesize: 88KB)
  • memory/1160-81-0x0000000000130000-0x0000000000146000-memory.dmp (Filesize: 88KB)
  • memory/1160-83-0x0000000000130000-0x0000000000146000-memory.dmp (Filesize: 88KB)
  • memory/1160-85-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
  • memory/1160-86-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize: 4KB)
  • memory/1704-67-0x0000000005110000-0x0000000005113000-memory.dmp (Filesize: 12KB)
  • memory/1704-66-0x00000000005E6000-0x00000000005F7000-memory.dmp (Filesize: 68KB)
  • memory/1704-64-0x00000000005E0000-0x00000000005E1000-memory.dmp (Filesize: 4KB)
  • memory/1704-65-0x00000000005E1000-0x00000000005E2000-memory.dmp (Filesize: 4KB)