Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-06-2022 06:26

General

  • Target

    270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe

  • Size

    399KB

  • MD5

    e035a73d8a216ce93433d036d12dd1ee

  • SHA1

    97bc39189f172c07d4d46314a0138bf22a09998c

  • SHA256

    270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba

  • SHA512

    15fcfd6de2a3158f7768359e4ccabc42dc8183c3795eeffe87b682a3020dbfc3fe734add8c7fe845de8a7f3d2055b1057acf873276071bc128ea066f4f08e7b5

Score
10/10

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe
    "C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6CE.tmp" "c:\Users\Admin\AppData\Local\Temp\gsyaih2n\CSC1FD0533EB005447F8D6E83A32BE1B089.TMP"
        3⤵
          PID:1828
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
          PID:1336
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          2⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1060
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:868

Network

MITRE ATT&CK Matrix

Downloads

        • C:\Users\Admin\AppData\Local\Temp\RESF6CE.tmp

          Filesize

          1KB

          MD5

          ee21c6595b15fc5840e258b768badade

          SHA1

          f2dd04f2f05e350adee38040c17e64daa0f40cad

          SHA256

          c5ca0ed99d42e4f008fefdc2509948a4ac011b5ada7ac048a8ee94b51fe6df38

          SHA512

          4ff5fadd2d2d035544391b919de770ac2dd1cc9672227bb02d06bed8032117e5048925ee03a7b6c4dbc11e04da6765560e41145ae0115a6b7e8ab4fe264a8130

        • C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.dll

          Filesize

          9KB

          MD5

          dbc225d2b404853907e3af80b9e8e6ca

          SHA1

          f8eb069c6967b9f75cf132c5eeece29b73d1c3d3

          SHA256

          5e4369e377852e88420b9b6e605e2ee77e79ccd3fd78fe854c604d7e585e3efa

          SHA512

          54741c0228ebfbc433d304e9e21af696625a438050afc9a2523f1e16045b1a637ff037b5ad58cc9120e00584db936668750e258401a46097a1b2d1c2b95d73cb

        • C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.pdb

          Filesize

          29KB

          MD5

          3185869f58e72cf0c523331d649d73b4

          SHA1

          334a533bc4ab327f65476ac04580e70ecfe72ec1

          SHA256

          444c335d9dd2d1acc212f4a81d6d476ffe1901840fb83adc58e5cfa4558d5287

          SHA512

          b63e1421c603ff2641868f16d8e2eec0c14b595d8980d2620d7bee96d73433f6f66ca12f80265219f6c6205025a6a453fb9461f833b3a2d19bcefc7b062da629

        • \??\c:\Users\Admin\AppData\Local\Temp\gsyaih2n\CSC1FD0533EB005447F8D6E83A32BE1B089.TMP

          Filesize

          1KB

          MD5

          c77817f595493681a1c11ed7b0d103aa

          SHA1

          1cee93c4d5dd7666491109a8e2d9a87f9b373d9b

          SHA256

          b042b26cd8e61a4e05b151391b4147662490705c8220eb4554c42cc76ae70d07

          SHA512

          26e34a0c84b26c6ee210dc8301ccbf0f1d2f6558e33ce522bb8ab570009c64c6c1cf53a485bd8729608a9066c306a5a26a717078c6257862e65dd177abb15f1f

        • \??\c:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.0.cs

          Filesize

          10KB

          MD5

          2ce6b0712b18eade5ac3a9fd3cdced80

          SHA1

          89762aafc9d4de9cc19138daa335ccd3a3f10fa8

          SHA256

          3dab14b8f11229fb2726bbb02500fbbe37326b97a4865e333f349178924a7c8c

          SHA512

          35cb4d1c478871c1868f5438ed8ea0a0df2838e81e3e0161d4d21677aa48f9b98de0a7b6143b552ee920990495b5f10d74c33afce8db98de8241156d6a975ba4

        • \??\c:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.cmdline

          Filesize

          248B

          MD5

          c460a3516d238357137b8d48ab65c12b

          SHA1

          32a92b68812bea66243ed7aa492ad2dc6cbd4d8e

          SHA256

          657ae81381a2f27b24ab0ea7b1c1802056bb94ead408bcdd251802c98de0ba7f

          SHA512

          8574292ac479a8159aa93f4f81b0095d67479bff5eb1379f698ea4fe4786944a5d135baef69ec1877d68df40d317371715ef7dd2f67b0a51bb08a70ae0c0cb52

        • memory/1036-55-0x0000000000000000-mapping.dmp

        • memory/1060-73-0x0000000000451A0E-mapping.dmp

        • memory/1060-77-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/1060-80-0x0000000074600000-0x0000000074BAB000-memory.dmp

          Filesize

          5.7MB

        • memory/1060-79-0x0000000074600000-0x0000000074BAB000-memory.dmp

          Filesize

          5.7MB

        • memory/1060-78-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

          Filesize

          8KB

        • memory/1060-72-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/1060-67-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/1060-68-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/1060-70-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/1060-71-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/1060-75-0x0000000000400000-0x0000000000456000-memory.dmp

          Filesize

          344KB

        • memory/1672-54-0x0000000000180000-0x00000000001EA000-memory.dmp

          Filesize

          424KB

        • memory/1672-66-0x0000000004F40000-0x0000000004F96000-memory.dmp

          Filesize

          344KB

        • memory/1672-65-0x00000000003B0000-0x00000000003BC000-memory.dmp

          Filesize

          48KB

        • memory/1672-64-0x0000000004550000-0x00000000045B0000-memory.dmp

          Filesize

          384KB

        • memory/1672-63-0x0000000000350000-0x0000000000358000-memory.dmp

          Filesize

          32KB

        • memory/1828-58-0x0000000000000000-mapping.dmp