Analysis

  • max time kernel
    152s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-07-2022 02:58

General

  • Target

    5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952.exe

  • Size

    1.6MB

  • MD5

    b13338b707a3f01899b967e510470d57

  • SHA1

    53455ca26f91bbcee28a4aa04e0c31451c4138b3

  • SHA256

    5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952

  • SHA512

    c715d06e416803b1be645daed13e8e158f4b783c0261e2385e5980981fa94352b0f17810d96f2a432229155cec8422725bade0e04db8b716540929a1f4823d34

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it copies its own code into other executables to spread, and runs the original program from a temporary directory so the infected file still appears to work.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry, most likely to geofence execution.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials and similar sensitive material.

  • Drops desktop.ini file(s) 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
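
The registry, path and hash indicators in the signatures above, as an added triage example (not code from the report, the sandbox, or the malware): given a host's exefile open command, a list of observed paths and the contents of files worth hashing, it flags a hijacked .exe association, the 3582-490 stage directory seen in the process tree, and any file whose SHA256 matches the two hashes listed in this report. The wrapper path used in the demo is a constructed placeholder; the report records that the association was modified but not the value written.

```python
"""Host-side triage for the behaviours flagged in this report: the hijacked
.exe file association, the %TEMP%\\3582-490 stage directory, and the two file
hashes listed. Added example, not part of the sandbox report; every sample
input below is constructed."""
import hashlib
import re
from typing import Dict, List, Optional

# SHA256 values copied from this report (submitted sample and dropped copy).
REPORT_IOCS: Dict[str, str] = {
    "5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952":
        "submitted sample",
    "d8e687500c68b521fc97061bdca07d4a4dd7bfe902c59599c2bb4fc92a66ea4b":
        "dropped copy under %TEMP%\\3582-490",
}

# Stock (Default) value of HKLM\SOFTWARE\Classes\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Stage directory used by the dropped copy in the process tree of this report.
STAGE_DIR = re.compile(r"\\AppData\\Local\\Temp\\3582-490\\", re.IGNORECASE)


def exefile_association_hijacked(command_value: str) -> bool:
    """True when the .exe open command is anything but the stock '"%1" %*'.
    Any other value means a third program is started for every .exe launch,
    which is what 'Modifies system executable filetype association' reports."""
    return command_value.strip() != DEFAULT_EXEFILE_COMMAND


def digests(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256/SHA512 of a file's bytes, the same set the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_report_ioc(data: bytes) -> Optional[str]:
    """Label from REPORT_IOCS if the bytes hash to a listed SHA256, else None."""
    return REPORT_IOCS.get(digests(data)["sha256"])


def triage(exefile_command: str, paths: List[str],
           files: Dict[str, bytes]) -> List[str]:
    """Collect findings from a hypothetical host snapshot: the registry value,
    a list of file paths, and the contents of files worth hashing."""
    findings: List[str] = []
    if exefile_association_hijacked(exefile_command):
        findings.append(f"exefile association hijacked: {exefile_command}")
    for path in paths:
        if STAGE_DIR.search(path):
            findings.append(f"Neshta stage directory in use: {path}")
    for path, blob in files.items():
        label = match_report_ioc(blob)
        if label:
            findings.append(f"{path} matches report IoC ({label})")
    return findings


if __name__ == "__main__":
    # Constructed snapshot; the wrapper path is a placeholder, not a value
    # taken from the report.
    hijacked = r'"C:\Windows\wrapper.com" "%1" %*'
    seen_paths = [
        r"C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe",
        r"C:\Program Files\app\app.exe",
    ]
    for line in triage(hijacked, seen_paths, {"sample.exe": b"constructed"}):
        print(line)
```

The submitted sample and the copy written to 3582-490 have different hashes at the same rounded size, so hash the stage copy separately rather than assuming it is the parent; that difference is consistent with the file-infector description above, where the original host program is written out and executed from the temporary directory.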

Processes

  • C:\Users\Admin\AppData\Local\Temp\5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952.exe
    "C:\Users\Admin\AppData\Local\Temp\5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Local\Temp\3582-490\5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4692

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\5272eb5633081ec229c864e0c6fbc36900989010010a448dd12cce4be7b83952.exe

    Filesize

    1.6MB

    MD5

    2e5f6b22c316a284786551f0da4903ea

    SHA1

    3a7791fee492833d32f59eefbb0045f7fce84f59

    SHA256

    d8e687500c68b521fc97061bdca07d4a4dd7bfe902c59599c2bb4fc92a66ea4b

    SHA512

    46db603e2837230bf0999f73abbb172641f98d023434962540cb3be00b900cf9bf2ad6f1951fbd3c4672bf578edf634e46954b8cb2ed1f410e2a76bbea32fa21

  • memory/2100-130-0x0000000000000000-mapping.dmp

  • memory/2100-133-0x00000000024F0000-0x0000000002549000-memory.dmp

    Filesize

    356KB

  • memory/4692-141-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-147-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-140-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-142-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-134-0x0000000000000000-mapping.dmp

  • memory/4692-143-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-145-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-135-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-148-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-151-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-154-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-153-0x0000000073F80000-0x0000000074531000-memory.dmp

    Filesize

    5.7MB

  • memory/4692-155-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-157-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/4692-158-0x0000000073F80000-0x0000000074531000-memory.dmp

    Filesize

    5.7MB