Overview

overview

10

Static

static

571d1286aa...f2.exe

windows7-x64

10

571d1286aa...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe

  • Size

    535KB

  • MD5

    5c47ef53e1269db13123dc2e2d0d997d

  • SHA1

    1abd812966b34e8392fd40e0e3fe2e8a4997df13

  • SHA256

    571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2

  • SHA512

    b6aab032422dc225cd45d6e5f509b39496d1e6c8766eee1eb72081d7077294702c4a4f33c07687c403db5ea63ee525d4e4e8bab1b94f6b84fa17018fa0c0aa2d

Score
10/10
imminentspywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe
    "C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA741.tmp" "c:\Users\Admin\AppData\Local\Temp\mx03v1gq\CSCC148DEFEF0F4DE296D6C551C720A630.TMP"
        3⤵
          PID:3616
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2340
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:3576

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESA741.tmp
        Filesize

        1KB

        MD5

        974a6fbf7bb2ef0f37506f1ceed0c428

        SHA1

        e29f3b82a566e186042eba963704685a2d7e96b8

        SHA256

        5bd9750ee904db851dea0d1d6192b0e34e6d9ceee1ee5d9aecde857cc77ebaeb

        SHA512

        255b1428d271616ef0ff85697a6620b6d9b028d143d9949e533a23d1b6ec34a2111dd99383feaf58a096cc706b6130d8912ffa0b21e2a705b87fd719cffeaeac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.dll
        Filesize

        15KB

        MD5

        2e8ef1aa8eaa6ac96e3ec8c12103274b

        SHA1

        ceb8b0c33f124d88131718036846990feacea4d8

        SHA256

        f3fd140f9c8457120b7df9f4041aee0540f2c08852f1e8bdb9b521654faad13d

        SHA512

        0184801e9050b6fe5cb1361c66b6daa5b987015f2134ae9d8243739495d48ae89b03a49062eb25801cd6696824f9c1786f05798444291fa3feff628226300c98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.pdb
        Filesize

        49KB

        MD5

        8ad4a2730533ec2c9777e527c2703eba

        SHA1

        b638a9fb14f5a4879894470369a9d52b2fb90696

        SHA256

        1fd74c3d10346a0825954064a62a2f475dc6336d415b49fa692b9b60af8d5c9c

        SHA512

        47098c6b0f0460d70ed7db2863bb9ac383dd953ff7fabe533c39dbbfe800c2f4ded58024f160476ebdec1fadcb42de801f82e45eac50ad9569c2d173c66c87b8

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\mx03v1gq\CSCC148DEFEF0F4DE296D6C551C720A630.TMP
        Filesize

        1KB

        MD5

        354550698a9cd09a14629d2be4ee0053

        SHA1

        fa2bbd7e3af6e7e71c53ab02c22a815e9908b275

        SHA256

        ddc34c2e765377cb444fb9e40360e7e8d7918d256585cf215729f83ef675f564

        SHA512

        a6dadc31e57f66d2f2e58478b02d7e63ef2b49f9c793814b5ebae6a9d03195b3d9f0e29a37d8fa493002da2228951e2dd40a4e650922017022683c01f3275924

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.0.cs
        Filesize

        28KB

        MD5

        c4bd1e2f14a267499aabd2bc0ceb26c3

        SHA1

        9b405d02d970b588700bd6a65e5515ef43bc1c29

        SHA256

        95db4c6e10ce5e1f2422f0ff92d8a5e2fa8b2365bcb5304e593c4b732108d176

        SHA512

        6a3b29be5b45cf7ace6a65be259c890fe536614d434a330750d9ac91987fc8c9dfefa283473319b24cfdd31e7d430d1ea1b0a4f33b9bd80b47cfc6308a6d5cde

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.cmdline
        Filesize

        312B

        MD5

        756d2bcea7f0c766c4dd64cb9cdeb467

        SHA1

        8e1b6ffcdc7c58f5dc10a6c3012dd9b162e52f40

        SHA256

        c0771e24ef0e0ac93994870d86c9832130cdec4966ee1380c7bf2621d8b502c6

        SHA512

        61f0ae848da486ec8b32ec1da4fa70b8a41c609bd769385b43d3973fa05054a03cda1679132b8e82d4540c63c09ff37d130a15006484a2bcb14418af57d7199a

        Download Submit

      • memory/2340-142-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2340-143-0x0000000074EB0000-0x0000000075461000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2340-144-0x0000000074EB0000-0x0000000075461000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4176-130-0x0000000000520000-0x00000000005AC000-memory.dmp

        Filesize

        560KB

        Download

      • memory/4176-139-0x0000000004F90000-0x0000000005022000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4176-140-0x0000000005630000-0x00000000056CC000-memory.dmp

        Filesize

        624KB

        Download