Overview

overview

10

Static

static

42aa8ecf06...3a.exe

windows7_x64

8

42aa8ecf06...3a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe

  • Size

    805KB

  • MD5

    8b683771c162d0f751ec0eed59ab8471

  • SHA1

    749e230bfaaab4e79aeab3ba5ca8e6cdc7bde183

  • SHA256

    42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a

  • SHA512

    bec4cf42857a7a217ec4f4e4cc99905eb9e69a560f6945869fa421b5cfcb7b4b4442385ff3ab758bced5db53f5472d1984a8e23a85cc28e54c8d8cdcfdfe78d2

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe
    "C:\Users\Admin\AppData\Local\Temp\42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe
      2⤵
        PID:1004
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4980
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          3⤵
          • Drops desktop.ini file(s)
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4488
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2124

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe
        Filesize

        805KB

        MD5

        8b683771c162d0f751ec0eed59ab8471

        SHA1

        749e230bfaaab4e79aeab3ba5ca8e6cdc7bde183

        SHA256

        42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a

        SHA512

        bec4cf42857a7a217ec4f4e4cc99905eb9e69a560f6945869fa421b5cfcb7b4b4442385ff3ab758bced5db53f5472d1984a8e23a85cc28e54c8d8cdcfdfe78d2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llswni.exe
        Filesize

        805KB

        MD5

        8b683771c162d0f751ec0eed59ab8471

        SHA1

        749e230bfaaab4e79aeab3ba5ca8e6cdc7bde183

        SHA256

        42aa8ecf0677adfb5dcdbcb7a19485dcbe7a2c2749fc5dda541d2157cdd2be3a

        SHA512

        bec4cf42857a7a217ec4f4e4cc99905eb9e69a560f6945869fa421b5cfcb7b4b4442385ff3ab758bced5db53f5472d1984a8e23a85cc28e54c8d8cdcfdfe78d2

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
        Filesize

        514B

        MD5

        7036eb16911c2cec76f7edfbe4c59d67

        SHA1

        ed3aa528de2da2e8844c028d38d17624f4da917f

        SHA256

        5653cfc26cb99bbf9b0ee8ef4ab6ec18da9f5a2492e257cf0ae6215ecd7e3593

        SHA512

        fe969ac05997ca9d1697fa02bbf5022ce7a41a6a8ce4f0b440f9bf8287162095d405f21df1941173858cd0591de97504ec6de312a941ec5106714bbf28fb782e

        Download Submit

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
        Filesize

        514B

        MD5

        7036eb16911c2cec76f7edfbe4c59d67

        SHA1

        ed3aa528de2da2e8844c028d38d17624f4da917f

        SHA256

        5653cfc26cb99bbf9b0ee8ef4ab6ec18da9f5a2492e257cf0ae6215ecd7e3593

        SHA512

        fe969ac05997ca9d1697fa02bbf5022ce7a41a6a8ce4f0b440f9bf8287162095d405f21df1941173858cd0591de97504ec6de312a941ec5106714bbf28fb782e

        Download Submit

      • memory/2184-133-0x0000000074660000-0x0000000074C11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2184-131-0x0000000074660000-0x0000000074C11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2184-130-0x0000000074660000-0x0000000074C11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4488-142-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/4488-144-0x00000000745E0000-0x0000000074B91000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4488-145-0x00000000745E0000-0x0000000074B91000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4980-139-0x00000000745E0000-0x0000000074B91000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4980-140-0x00000000745E0000-0x0000000074B91000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4980-143-0x00000000745E0000-0x0000000074B91000-memory.dmp

        Filesize

        5.7MB

        Download