Overview

overview

10

Static

static

490eb76d8c...bd.exe

windows7_x64

10

490eb76d8c...bd.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-07-2022 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe

  • Size

    320KB

  • MD5

    c9d745c1b0fbdc39e61af869ba5b9c6e

  • SHA1

    84230dd47a0ae5cdbf4d91599872e6b5aaeb3aff

  • SHA256

    490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd

  • SHA512

    24b236e4d69a134a40a15bb0f595bdd122ab1063fdf9272653249085b8710d16a98baf89988ea33d7a97758a0d586607b612215e240902ceeb0692e10397fe80

Score
10/10
imminentspywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe
    "C:\Users\Admin\AppData\Local\Temp\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe
      "C:\Users\Admin\AppData\Local\Temp\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • Runs ping.exe
        PID:3080
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2552

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe
      Filesize

      320KB

      MD5

      c9d745c1b0fbdc39e61af869ba5b9c6e

      SHA1

      84230dd47a0ae5cdbf4d91599872e6b5aaeb3aff

      SHA256

      490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd

      SHA512

      24b236e4d69a134a40a15bb0f595bdd122ab1063fdf9272653249085b8710d16a98baf89988ea33d7a97758a0d586607b612215e240902ceeb0692e10397fe80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd\490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd.exe
      Filesize

      320KB

      MD5

      c9d745c1b0fbdc39e61af869ba5b9c6e

      SHA1

      84230dd47a0ae5cdbf4d91599872e6b5aaeb3aff

      SHA256

      490eb76d8c614a6a4b6a463f3898b752001d330e5ef4a8b69756570260f25ebd

      SHA512

      24b236e4d69a134a40a15bb0f595bdd122ab1063fdf9272653249085b8710d16a98baf89988ea33d7a97758a0d586607b612215e240902ceeb0692e10397fe80

      Download Submit

    • memory/1680-130-0x0000000074B10000-0x00000000750C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1680-131-0x0000000074B10000-0x00000000750C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1680-137-0x0000000074B10000-0x00000000750C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1992-138-0x0000000074B10000-0x00000000750C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1992-139-0x0000000074B10000-0x00000000750C1000-memory.dmp

      Filesize

      5.7MB

      Download