Analysis

  • max time kernel: 172s
  • max time network: 179s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 15-06-2022 04:48

General

  • Target: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
  • Size: 644KB
  • MD5: 9bcc457ffd5258761ce4e1feb7356581
  • SHA1: 07b2d106a5a1103462228fd25b05f09ca53ce616
  • SHA256: 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0
  • SHA512: 1ff4082c29237567df010040c2dd5323fb48c22c98ccbdac6dcf08fe819a7c4e8adb59c529edc42a6955a247b6210ee5a178994667a126b539fee2b54928bce9

Score: 10/10

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Drops startup file (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe
    "C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCDA.tmp" "c:\Users\Admin\AppData\Local\Temp\ddcwaoex\CSC41E329BCF8164DB09F8B98C02B605C51.TMP"
        3⤵
        PID:3120
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4300
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
      PID:704

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESCCDA.tmp
    Filesize: 1KB
    MD5: 5210c72865344653b4200fadfb691ab6
    SHA1: ea82dd90de56b1ebb8659b46e02e43b1c3e3dea0
    SHA256: 98ff2bd5fc192d87c26ce1627019d87bb5adda3ab76014af482598c2fdd5078a
    SHA512: e126615c6a232d744ca16e885e8cb9be42d2936cf361b7cea15cbca8ea3e9a7ef389181a2b00032527c3f49e8e792126ee54e73ea77198d0b6c6dcb015081fb9

  • C:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.dll
    Filesize: 9KB
    MD5: 9d757ee978ad784c4c0d56b84018d843
    SHA1: 7b94d154cb7fb320b728c9426aec035c2403a417
    SHA256: 7126b65e38486f8264b36e3b88c6e4443b8fc4c368b25c1656d32139a6d1d8b2
    SHA512: 180df1bfecab95a59890362e7f52cc5c36e8f2c5484958fa08b5ae522710a4dcd4dc0321a551418ea8c8d5d5e6ff91f6c2ba265bd676fc18d0108bc8572aa742

  • C:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.pdb
    Filesize: 29KB
    MD5: 02f801c0b771d282c5c82a1865ad95b7
    SHA1: 0b884a783f43cd65a52842a896a2986c1cc37dbe
    SHA256: f2892d6e61de70b0adb76234e6174c5832ee5399cbecf9772e2cc27172be08ef
    SHA512: 06dbefe7cd613a88213360a212222322e4b8ba504db2cc0dce352529b9bed97717bfa6465de2ed1d70e86f000db7567017edd155c63733647f07c721a61d9f64

  • \??\c:\Users\Admin\AppData\Local\Temp\ddcwaoex\CSC41E329BCF8164DB09F8B98C02B605C51.TMP
    Filesize: 1KB
    MD5: 4f434918c1fe872467996c4b0981a2f7
    SHA1: 203c3313da70c80d1a43b3b0e767f20c7d35ee3e
    SHA256: 42c8c65164719c22a5a5fd81e295fa9719b8ef69473611f12dd602c1426b5155
    SHA512: 89a99825fce64aa00a86cd2d1366de9476de8a48ecd64669dfeaeffce2d02ee1969b98d4bf5a97f2d274c510fd63663e1c6efb9690325bcdaee090e752a6a031

  • \??\c:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.0.cs
    Filesize: 10KB
    MD5: 90151e8f2b4ed32beed1f203aefc46b4
    SHA1: b25bc7d8ef0e79fa32170f0f9f353f1681b6783f
    SHA256: a95c551c89a9622b77946098efbf24107e41025cd17634999a2989a7c782c4c9
    SHA512: 40843600d7a00ba6d80d16d059660ab3cf42f066b5f6973deeeba4940670be70157e27988c1b269bb4f5ef945dff14017057d13de909d854087d00d806614f3f

  • \??\c:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.cmdline
    Filesize: 312B
    MD5: 9c2881fbfc4f23d10d818bd3361cd815
    SHA1: e55222701a22e7be2e852570870d594af776ec94
    SHA256: 58853cc742466382f9852fb020d083de7a3a8467fc6c9cfcf7f2a2e3733a054f
    SHA512: 58e6c863ab66ce3daae8a421ec9cdd67979d3147cb2bffc508ddd4c028eedf02e673442f2a3f34de112535fbc1bfaf25ef5d437811a552f801ca0fcdf553b440

  • memory/1172-131-0x0000000000000000-mapping.dmp

  • memory/3092-140-0x00000000052E0000-0x000000000537C000-memory.dmp
    Filesize: 624KB

  • memory/3092-130-0x00000000001E0000-0x0000000000270000-memory.dmp
    Filesize: 576KB

  • memory/3092-139-0x0000000004D10000-0x0000000004DA2000-memory.dmp
    Filesize: 584KB

  • memory/3120-134-0x0000000000000000-mapping.dmp

  • memory/4300-141-0x0000000000000000-mapping.dmp

  • memory/4300-142-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize: 344KB

  • memory/4300-143-0x0000000006AC0000-0x0000000007064000-memory.dmp
    Filesize: 5.6MB

  • memory/4300-144-0x00000000070E0000-0x0000000007146000-memory.dmp
    Filesize: 408KB

  • memory/4300-145-0x0000000007900000-0x000000000790A000-memory.dmp
    Filesize: 40KB