Overview

overview

10

Static

static

8abebde631...e7.exe

windows7_x64

10

8abebde631...e7.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-07-2022 05:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8abebde631005ae15aba91eb8f36fbe7.exe

  • Size

    983KB

  • MD5

    8abebde631005ae15aba91eb8f36fbe7

  • SHA1

    d4ac00d9aee072b6d1499e730cf9bcb27ad957ad

  • SHA256

    2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef

  • SHA512

    7091584d35154b0711e4a8b6c788cc5db5ad0e6444e5cda5a16ad41a00cf333413fc8ac5b93e84b9b2e5e9350ca89837c6f69b5838ade967b403bd24322ab3fc

Score
10/10
imminentspywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
    "C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uppEqmN.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uppEqmN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBEAC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1604
    • C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
      "C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\Taskmgr.exe
        "C:\Windows\System32\Taskmgr.exe"
        3⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBEAC.tmp
    Filesize

    1KB

    MD5

    c25830118ff75c9d5efaffb74ef52a68

    SHA1

    015710f73062a3cb2c1932d95328ed2e837a2ebb

    SHA256

    791d7c6b1322be2042511f007e05111f45be8a4079ea949acef14f9680bbfdbe

    SHA512

    4c7d5d8aba21151ce0b49dc4fffbec6036886960dddecf4da681057c107d02e27581fef5bcf572a8fbfcc82e8ae786c8a5c94a0e0ba3fce8c4355d633ecc0a14

    Download Submit

  • memory/1724-142-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-147-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-162-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-157-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-165-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-154-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-163-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-160-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-148-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-156-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-145-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-146-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-150-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-151-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1724-149-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2208-133-0x0000000004F80000-0x0000000004F8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2208-130-0x00000000004D0000-0x00000000005CC000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/2208-134-0x0000000008990000-0x0000000008A2C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2208-131-0x0000000005520000-0x0000000005AC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2208-132-0x0000000005010000-0x00000000050A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2208-135-0x000000000B420000-0x000000000B486000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2548-141-0x0000000005790000-0x0000000005DB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2548-174-0x0000000007C50000-0x0000000007CE6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2548-143-0x00000000055E0000-0x0000000005602000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2548-138-0x0000000005120000-0x0000000005156000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2548-177-0x0000000007C40000-0x0000000007C48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2548-167-0x00000000066B0000-0x00000000066CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2548-168-0x0000000006C90000-0x0000000006CC2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2548-169-0x000000006EEB0000-0x000000006EEFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2548-170-0x0000000006C70000-0x0000000006C8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2548-171-0x0000000008000000-0x000000000867A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2548-172-0x00000000079C0000-0x00000000079DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2548-173-0x0000000007A20000-0x0000000007A2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2548-152-0x0000000005E30000-0x0000000005E96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2548-175-0x0000000007C00000-0x0000000007C0E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2548-176-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

    Filesize

    104KB

    Download