Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 04:48

General

  • Target

    2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe

  • Size

    644KB

  • MD5

    9bcc457ffd5258761ce4e1feb7356581

  • SHA1

    07b2d106a5a1103462228fd25b05f09ca53ce616

  • SHA256

    2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0

  • SHA512

    1ff4082c29237567df010040c2dd5323fb48c22c98ccbdac6dcf08fe819a7c4e8adb59c529edc42a6955a247b6210ee5a178994667a126b539fee2b54928bce9

Score
10/10

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
    "C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA59.tmp" "c:\Users\Admin\AppData\Local\Temp\hn3shhpe\CSCCC78FC098BE4763AD1BB9A020874148.TMP"
        3⤵
          PID:1912
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1984
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:1472

Network

MITRE ATT&CK Matrix

Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESDA59.tmp

        Filesize

        1KB

        MD5

        ad3ee5524f154dc3624f749c95a1a78e

        SHA1

        6f65ced390922010c13ac3ac652717baa506bc05

        SHA256

        f989213977f15e5bb0b0611cdcc52a0c46ee5cb38ee6037cc7047bed1e3c8cf5

        SHA512

        02377ef37c0d666873da077ee34bfb0ebbce7d2f91a800d05aa649128dabfc6e220cdb304631f33c88b0343f09fdeacfc04e8e15ae8cdf9d01c05d0541f27334

      • C:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.dll

        Filesize

        9KB

        MD5

        ebad19ea0c16974fd008526b530ce044

        SHA1

        e9328dad083bee063407c47e037723433b428041

        SHA256

        1c263f2d803887d6ddab2260a79b69460166159f3902f58b4670281c58f0fb7e

        SHA512

        f809c92061bb5eb3868da35a924aec5a9677d06d7b614e4299ff8d6483211e4d871351267b4cf76c8020c7303aa4d9184844df329d121486d5e13262ed614685

      • C:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.pdb

        Filesize

        29KB

        MD5

        6d103d0c7b5c864dd16f77c5a7b683ec

        SHA1

        e172ac71ddac5f6ed8cc14a4171baf2e14ccd5a9

        SHA256

        16e6f8f447e1042eb2f58249e97da82f54cf3198caaf0c085af095385a12057f

        SHA512

        19fa284c7cd616459462f471c24040f09a7ee2a3c5c40d67eb15bf22d9aff60595336c530ff003375879cf9279e7e5ee13fd44938bb2d2e5e782dfcfe2c3a2a5

      • \??\c:\Users\Admin\AppData\Local\Temp\hn3shhpe\CSCCC78FC098BE4763AD1BB9A020874148.TMP

        Filesize

        1KB

        MD5

        ad53f6e5c476ca0446ccfa0e8db268f9

        SHA1

        2d49ed8ad19b293bb0264e30203c893622330ad2

        SHA256

        5b29f843e5cd133a346681ced91a8baa38158a5ba9ff0f5a1049e070997ad48e

        SHA512

        fb679f303366930ce4b06bfe15d1335279b6da3e9702d70e4de62beed5a11d5547ea59f1d2edefc849cdd0819dd8be4ee2581146117a26526a81a0d97b217884

      • \??\c:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.0.cs

        Filesize

        10KB

        MD5

        90151e8f2b4ed32beed1f203aefc46b4

        SHA1

        b25bc7d8ef0e79fa32170f0f9f353f1681b6783f

        SHA256

        a95c551c89a9622b77946098efbf24107e41025cd17634999a2989a7c782c4c9

        SHA512

        40843600d7a00ba6d80d16d059660ab3cf42f066b5f6973deeeba4940670be70157e27988c1b269bb4f5ef945dff14017057d13de909d854087d00d806614f3f

      • \??\c:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.cmdline

        Filesize

        312B

        MD5

        36273623e68826696cb5157c0974b52d

        SHA1

        e6afa46d01e8aa0dbc7930fe0bf107dac85f37f2

        SHA256

        782cf5dbadfb34e2302ca7c6d90b30d0352fdd1afe0feb0415d1e4d52b8133d3

        SHA512

        52187b532aa2996f5fd590c7b84b97bda9ceda1293284ac4b267412fc933d3a5e8ed844be582ec084c1dce353e59efd6744ba9b04c666d0ffea6cd10367414ae

      • memory/1260-66-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

        Filesize

        8KB

      • memory/1260-63-0x0000000000300000-0x0000000000308000-memory.dmp

        Filesize

        32KB

      • memory/1260-64-0x0000000000AB0000-0x0000000000B10000-memory.dmp

        Filesize

        384KB

      • memory/1260-65-0x00000000003F0000-0x00000000003FC000-memory.dmp

        Filesize

        48KB

      • memory/1260-54-0x0000000000CB0000-0x0000000000D40000-memory.dmp

        Filesize

        576KB

      • memory/1260-67-0x00000000049A0000-0x00000000049F6000-memory.dmp

        Filesize

        344KB

      • memory/1912-58-0x0000000000000000-mapping.dmp

      • memory/1940-55-0x0000000000000000-mapping.dmp

      • memory/1984-69-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1984-68-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1984-72-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1984-71-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1984-73-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1984-74-0x0000000000451C8E-mapping.dmp

      • memory/1984-76-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1984-78-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/1984-80-0x0000000000350000-0x0000000000360000-memory.dmp

        Filesize

        64KB

      • memory/1984-81-0x0000000004460000-0x000000000450E000-memory.dmp

        Filesize

        696KB

      • memory/1984-82-0x0000000000460000-0x0000000000488000-memory.dmp

        Filesize

        160KB

      • memory/1984-83-0x00000000005C0000-0x00000000005D6000-memory.dmp

        Filesize

        88KB