Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 16:50

General

  • Target

    3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe

  • Size

    399KB

  • MD5

    9feaf964c8cf229116b3439a7520bbed

  • SHA1

    0a606159afef156db4df1f6a2b79d933379b5198

  • SHA256

    3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347

  • SHA512

    7111a74efa2ec69381baf5d28e81f91dd172dc1478b976a1c0b0075ad1bc2785d8869f87cd3e2d172dae045710cffba30139beb263f8278e0e5b95f46264ec02

Score
10/10

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 13 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe
    "C:\Users\Admin\AppData\Local\Temp\3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk" /f
        3⤵
        PID:840
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:944
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 388
        3⤵
        • Loads dropped DLL
        PID:276
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.bat
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 120
        3⤵
        • Delays execution with timeout.exe
        PID:600
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "imagename eq .exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1828
      • C:\Windows\SysWOW64\find.exe
        find /i ".exe"
        3⤵
        PID:1140
      • C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe
        "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe"
          4⤵
          • NTFS ADS
          • Suspicious use of WriteProcessMemory
          PID:1084
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk" /f
            5⤵
            PID:1612
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
          4⤵
          • Executes dropped EXE
          PID:964
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          4⤵
          • Executes dropped EXE
          PID:1952
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 388
            5⤵
            • Loads dropped DLL
            PID:2012
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 120
        3⤵
        • Delays execution with timeout.exe
        PID:624
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:384

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe

    Filesize

    399KB

    MD5

    9feaf964c8cf229116b3439a7520bbed

    SHA1

    0a606159afef156db4df1f6a2b79d933379b5198

    SHA256

    3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347

    SHA512

    7111a74efa2ec69381baf5d28e81f91dd172dc1478b976a1c0b0075ad1bc2785d8869f87cd3e2d172dae045710cffba30139beb263f8278e0e5b95f46264ec02

  • C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.bat

    Filesize

    193B

    MD5

    3b6a56f303d5dd98b42084fac3feb0d1

    SHA1

    a8bdb37904ef6aa59608088f19ba98d38f494117

    SHA256

    ef83e0a4dfad7ba70badd2153861ba96bba3a09bcd26195c5534952ffda2e696

    SHA512

    66070b7139213da25bcf0945622802dad37a3eface1745c617bbbc6b3aca2b88d7ad8eb4b8ac20647805773f5fd9f71d4d49c2dc56566ed5a1e1d7e708d62c3c

  • C:\Users\Admin\AppData\Local\Temp\WinDir\Update.exe.lnk

    Filesize

    956B

    MD5

    623e40a7b9876d9b6204217bff6f0364

    SHA1

    c752cb509589015855d89065ec0af9eb3bcd754a

    SHA256

    b3fa57455edc0934c97d07433783d37138b57986a4a3f606513d00d3f33061aa

    SHA512

    fa098a690f6650b4453c4fe22d20a1a1f4f5e0177af3621e3a8d5d05becf181ed84df88b561b04b48dca31c1ab29abd6e45c5a76233f32eed205299bf5c54409

  • C:\Users\Admin\AppData\Local\Temp\svhost.exe

    Filesize

    85KB

    MD5

    2e5f1cf69f92392f8829fc9c9263ae9b

    SHA1

    97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

    SHA256

    51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

    SHA512

    f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe

    Filesize

    323KB

    MD5

    56a28a67e708d9f099528457384f456d

    SHA1

    a625be6fba78381e79da9912bbefce21e05031dd

    SHA256

    a7985fafa6b874057289e59eb8aff0633b10dc9c704a251efb605dadf7a5431d

    SHA512

    1c5a3e9efbd40a454d35dd1bb36db68e74290826f20c657dc705b4eb26b3f3c01520c67bc4233e0e1ddea991ad685ed77fd87e3683b41aa1b2a670a6b729e261

  • \Users\Admin\AppData\Local\Temp\WinDir\Update.exe

    Filesize

    399KB

    MD5

    9feaf964c8cf229116b3439a7520bbed

    SHA1

    0a606159afef156db4df1f6a2b79d933379b5198

    SHA256

    3208175e7d69432beeb4e69dad7aa9d343ced9942284cdf9a5f1c5df45093347

    SHA512

    7111a74efa2ec69381baf5d28e81f91dd172dc1478b976a1c0b0075ad1bc2785d8869f87cd3e2d172dae045710cffba30139beb263f8278e0e5b95f46264ec02

  • \Users\Admin\AppData\Local\Temp\svhost.exe

    Filesize

    85KB

    MD5

    2e5f1cf69f92392f8829fc9c9263ae9b

    SHA1

    97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

    SHA256

    51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

    SHA512

    f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

  • \Users\Admin\AppData\Local\Temp\tmp.exe

    Filesize

    323KB

    MD5

    56a28a67e708d9f099528457384f456d

    SHA1

    a625be6fba78381e79da9912bbefce21e05031dd

    SHA256

    a7985fafa6b874057289e59eb8aff0633b10dc9c704a251efb605dadf7a5431d

    SHA512

    1c5a3e9efbd40a454d35dd1bb36db68e74290826f20c657dc705b4eb26b3f3c01520c67bc4233e0e1ddea991ad685ed77fd87e3683b41aa1b2a670a6b729e261
