Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2022 02:18

General

  • Target

    MT1893878746.PDF.IMG.exe

  • Size

    1.2MB

  • MD5

    b7babb9f64a9ecd894d100ce02f132fe

  • SHA1

    8fa93c638d331f51ec638655d82ec431fdae3f6a

  • SHA256

    fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

  • SHA512

    8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

  • SSDEEP

    12288:4v+bQYpRi8N69+d0qKu3rXbSIVfqNZSM1fpJwNDxGVwef3G1oMfqzpcfu2E:bpRbi+d0qPVGZTFfLweO1oMSzpKE

Score
10/10

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
    "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:224
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4343.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1592
    • C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
      "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
      2⤵
      PID:3888
    • C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
      "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
      2⤵
      PID:2132
    • C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
      "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
        "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3124
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4288
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DF.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3544
        • C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
          "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 1000
          4⤵
          • Runs ping.exe
          PID:3252

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MT1893878746.PDF.IMG.exe.log
    Filesize 1KB
    MD5 e08f822522c617a40840c62e4b0fb45e
    SHA1 ae516dca4da5234be6676d3f234c19ec55725be7
    SHA256 bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
    SHA512 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize 2KB
    MD5 968cb9309758126772781b83adb8a28f
    SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
    SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
    SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 18KB
    MD5 a1f712bbb24c0c57040457914e05cce9
    SHA1 ce4141b3ef830c38469889b49372eaba7069cf2c
    SHA256 5622bc17b65ee10f24f9ec1b00f87f5608c351bfa572af45eede9d59e37629fc
    SHA512 211085fd2dbe635cc5c8ad788dc1a48b954712732200f1381a2fa0ded499b3fd06f8cb5219fd3501f434222f7ca1077c6a8b9050085f8272444e180ace69c2bc

  • C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
    Filesize 1.2MB
    MD5 b7babb9f64a9ecd894d100ce02f132fe
    SHA1 8fa93c638d331f51ec638655d82ec431fdae3f6a
    SHA256 fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
    SHA512 8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

  • C:\Users\Admin\AppData\Local\Temp\tmp1DF.tmp
    Filesize 1KB
    MD5 b7c3522e7806bcaeee8cf0d3ad042f6b
    SHA1 0b32a2c9baf33e88048f80574cb60127d53c6ef5
    SHA256 c542a546d2a588eba9e92dcba27adb3aea9ef74662e2c8a7a5e3ff577bc5169f
    SHA512 2353cc418ca323663cd5f47fc21274ef069dc2dd6c559f749cea5baeb6f3d7897140066fc36d9fa839a4969d91c1fcdc4c55a712698ee23787654ac967fe8904

  • C:\Users\Admin\AppData\Local\Temp\tmp4343.tmp
    Filesize 1KB
    MD5 b7c3522e7806bcaeee8cf0d3ad042f6b
    SHA1 0b32a2c9baf33e88048f80574cb60127d53c6ef5
    SHA256 c542a546d2a588eba9e92dcba27adb3aea9ef74662e2c8a7a5e3ff577bc5169f
    SHA512 2353cc418ca323663cd5f47fc21274ef069dc2dd6c559f749cea5baeb6f3d7897140066fc36d9fa839a4969d91c1fcdc4c55a712698ee23787654ac967fe8904

  • memory/224-184-0x00000000071B0000-0x00000000071BE000-memory.dmp
    Filesize 56KB
  • memory/224-181-0x0000000006F70000-0x0000000006F8A000-memory.dmp
    Filesize 104KB
  • memory/224-142-0x0000000004D50000-0x0000000005378000-memory.dmp
    Filesize 6.2MB
  • memory/224-185-0x00000000072C0000-0x00000000072DA000-memory.dmp
    Filesize 104KB
  • memory/224-171-0x0000000005C70000-0x0000000005C8E000-memory.dmp
    Filesize 120KB
  • memory/224-183-0x00000000071F0000-0x0000000007286000-memory.dmp
    Filesize 600KB
  • memory/224-182-0x0000000006FE0000-0x0000000006FEA000-memory.dmp
    Filesize 40KB
  • memory/224-186-0x00000000072A0000-0x00000000072A8000-memory.dmp
    Filesize 32KB
  • memory/224-148-0x00000000053F0000-0x0000000005412000-memory.dmp
    Filesize 136KB
  • memory/224-140-0x00000000046E0000-0x0000000004716000-memory.dmp
    Filesize 216KB
  • memory/224-149-0x0000000005590000-0x00000000055F6000-memory.dmp
    Filesize 408KB
  • memory/224-180-0x00000000075B0000-0x0000000007C2A000-memory.dmp
    Filesize 6.5MB
  • memory/224-179-0x0000000006200000-0x000000000621E000-memory.dmp
    Filesize 120KB
  • memory/224-178-0x0000000070A00000-0x0000000070A4C000-memory.dmp
    Filesize 304KB
  • memory/224-177-0x0000000006230000-0x0000000006262000-memory.dmp
    Filesize 200KB
  • memory/224-138-0x0000000000000000-mapping.dmp
  • memory/1592-139-0x0000000000000000-mapping.dmp
  • memory/1680-146-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-155-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-162-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-165-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-167-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-168-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-170-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-159-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-161-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-151-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-157-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-156-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-152-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-145-0x0000000000000000-mapping.dmp
  • memory/1680-154-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/1680-153-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize 384KB
  • memory/2132-144-0x0000000000000000-mapping.dmp
  • memory/2680-191-0x0000000000000000-mapping.dmp
  • memory/3124-172-0x0000000000000000-mapping.dmp
  • memory/3252-176-0x0000000000000000-mapping.dmp
  • memory/3544-188-0x0000000000000000-mapping.dmp
  • memory/3888-143-0x0000000000000000-mapping.dmp
  • memory/4288-187-0x0000000000000000-mapping.dmp
  • memory/4288-216-0x0000000075530000-0x000000007557C000-memory.dmp
    Filesize 304KB
  • memory/4652-175-0x0000000000000000-mapping.dmp
  • memory/5056-132-0x0000000000950000-0x0000000000A7E000-memory.dmp
    Filesize 1.2MB
  • memory/5056-137-0x00000000095E0000-0x0000000009646000-memory.dmp
    Filesize 408KB
  • memory/5056-136-0x0000000009540000-0x00000000095DC000-memory.dmp
    Filesize 624KB
  • memory/5056-135-0x0000000005410000-0x000000000541A000-memory.dmp
    Filesize 40KB
  • memory/5056-134-0x0000000005460000-0x00000000054F2000-memory.dmp
    Filesize 584KB
  • memory/5056-133-0x0000000005A10000-0x0000000005FB4000-memory.dmp
    Filesize 5.6MB