Overview

overview

10

Static

static

290906f49b...43.exe

windows7_x64

10

290906f49b...43.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15/06/2022, 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    290906f49b5ee43d584cd47d44d8cc86662ba975494049d0f518fe3fcf9fd743.exe

  • Size

    431KB

  • MD5

    874070b71835ed9318ddd22f7bf19401

  • SHA1

    0f3da757863c2856806f8b2fc2528c6cba991158

  • SHA256

    290906f49b5ee43d584cd47d44d8cc86662ba975494049d0f518fe3fcf9fd743

  • SHA512

    b596ec5be90ff0d22f04114831c9f6263df86d25a616c0f5e7449690b387f9207a8f0f0533bee39888fff3ac7c50a5dde31bd393c47f91f9355db3cd9e0118d5

Score
10/10
imminentevasionspywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\290906f49b5ee43d584cd47d44d8cc86662ba975494049d0f518fe3fcf9fd743.exe
    "C:\Users\Admin\AppData\Local\Temp\290906f49b5ee43d584cd47d44d8cc86662ba975494049d0f518fe3fcf9fd743.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CipuKk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAF7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:524
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:772
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1396

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpBAF7.tmp
      Filesize

      1KB

      MD5

      4b89bebc498a45b016e6cf4f6e2b2ef9

      SHA1

      92495bd89f8885866af84b192770d3bd980aa573

      SHA256

      c31a4348a0e78eb58e2c3eab18054a5cf4306bfbc53a20cfbbb8105d6722061d

      SHA512

      ca45ae35ddc0f7c7cd82292bff9be59619828f27ae6cfef14b775b9ccb1fb10819759bebba8105e609de8c09fcc00d4639392f3bfbb6a489569674d334ad5d13

      Download Submit

    • memory/772-64-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/772-63-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/772-73-0x00000000744C0000-0x0000000074A6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/772-59-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/772-60-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/772-62-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/772-72-0x00000000744C0000-0x0000000074A6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/772-70-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/772-68-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1984-67-0x0000000074860000-0x0000000074E0B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1984-56-0x0000000074860000-0x0000000074E0B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1984-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1984-55-0x0000000074860000-0x0000000074E0B000-memory.dmp

      Filesize

      5.7MB

      Download