imminent | fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Size

563KB
MD5

51f6ccf656904d48cd90444417611fc0
SHA1

877814a4b088e1ea7530c6ca883804bc392c1f49
SHA256

fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b
SHA512

5996a3597b4131c1532c31599556ea9c836a8505275fc8153fdb1ffe45646eb7d54c7bbb405d51729f66d974867f391840aac39c8e2436eb7f7f50cc3cea9430
SSDEEP

6144:beTgANUWtpTMkP2ORImNQE4W1lgQPWC159tkgAAYyQfJEQgMjnLmPgshwPYnM3uJ:bhAN1tpAwImNQENN1XA3fXLiXC17

Score

10^/10

imminent evasion persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teba\\Teba\\1.0.0.0\\WindowsUpdate.exe\""	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\Teba\\Teba\\1.0.0.0\\WindowsUpdate.exe\""	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Default File.exe"	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\Default File.exe"	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2284 set thread context of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
File created	C:\Windows\assembly\Desktop.ini	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2908	REG.exe
1108	REG.exe
396	REG.exe
2620	REG.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Token: SeDebugPrivilege	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
Token: SeDebugPrivilege	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2908	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	83
PID 2628 wrote to memory of 2908	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	83
PID 2628 wrote to memory of 2908	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	83
PID 2628 wrote to memory of 1108	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	84
PID 2628 wrote to memory of 1108	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	84
PID 2628 wrote to memory of 1108	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	84
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 2628 wrote to memory of 5008	2628	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	85
PID 5008 wrote to memory of 2284	5008	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	88
PID 5008 wrote to memory of 2284	5008	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	88
PID 5008 wrote to memory of 2284	5008	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	88
PID 5008 wrote to memory of 2424	5008	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	89
PID 5008 wrote to memory of 2424	5008	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	89
PID 5008 wrote to memory of 2424	5008	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	89
PID 2284 wrote to memory of 396	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	91
PID 2284 wrote to memory of 396	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	91
PID 2284 wrote to memory of 396	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	91
PID 2284 wrote to memory of 2620	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	93
PID 2284 wrote to memory of 2620	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	93
PID 2284 wrote to memory of 2620	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	93
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 2284 wrote to memory of 176	2284	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	94
PID 176 wrote to memory of 2756	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	96
PID 176 wrote to memory of 2756	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	96
PID 176 wrote to memory of 2756	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	96
PID 176 wrote to memory of 2136	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	97
PID 176 wrote to memory of 2136	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	97
PID 176 wrote to memory of 2136	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	97
PID 176 wrote to memory of 4352	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	99
PID 176 wrote to memory of 4352	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	99
PID 176 wrote to memory of 4352	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	99
PID 176 wrote to memory of 4300	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	100
PID 176 wrote to memory of 4300	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	100
PID 176 wrote to memory of 4300	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	100
PID 176 wrote to memory of 984	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	101
PID 176 wrote to memory of 984	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	101
PID 176 wrote to memory of 984	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	101
PID 176 wrote to memory of 4080	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	102
PID 176 wrote to memory of 4080	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	102
PID 176 wrote to memory of 4080	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	102
PID 176 wrote to memory of 4508	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	103
PID 176 wrote to memory of 4508	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	103
PID 176 wrote to memory of 4508	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	103
PID 176 wrote to memory of 4660	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	107
PID 176 wrote to memory of 4660	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	107
PID 176 wrote to memory of 4660	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	107
PID 176 wrote to memory of 400	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	108
PID 176 wrote to memory of 400	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	108
PID 176 wrote to memory of 400	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	108
PID 176 wrote to memory of 3584	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	109
PID 176 wrote to memory of 3584	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	109
PID 176 wrote to memory of 3584	176	fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe	109

C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
"C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2908
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
  C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
    "C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\REG.exe
      REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:396
  - - C:\Windows\SysWOW64\REG.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
      C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:176
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:2756
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4352
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:984
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4080
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4660
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:400
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:3584
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:1476
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:3148
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:380
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:3372
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:5008
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe"
    3⤵
    PID:2424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe.log

Filesize
771B

MD5
8d62bbabdf7b4f0f60cd9eae79236ed5

SHA1
d6477264febcf5bd26ad44b6e9c60a3567e48967

SHA256
f352c1aa1d93ee66e12948e5e3add72d7c25dda070df9b6a5040cb60e289ddd4

SHA512
96949b062c1a99094453e4c76175aecf10a9b2c89e102e6a63d8c13e58a56076d5f5e1d41cdcd147738b17574c42c1f8d01253f7d3ed953cad7b6537ed162afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Filesize
563KB

MD5
51f6ccf656904d48cd90444417611fc0

SHA1
877814a4b088e1ea7530c6ca883804bc392c1f49

SHA256
fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b

SHA512
5996a3597b4131c1532c31599556ea9c836a8505275fc8153fdb1ffe45646eb7d54c7bbb405d51729f66d974867f391840aac39c8e2436eb7f7f50cc3cea9430

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Filesize
563KB

MD5
51f6ccf656904d48cd90444417611fc0

SHA1
877814a4b088e1ea7530c6ca883804bc392c1f49

SHA256
fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b

SHA512
5996a3597b4131c1532c31599556ea9c836a8505275fc8153fdb1ffe45646eb7d54c7bbb405d51729f66d974867f391840aac39c8e2436eb7f7f50cc3cea9430

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b\fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b.exe

Filesize
563KB

MD5
51f6ccf656904d48cd90444417611fc0

SHA1
877814a4b088e1ea7530c6ca883804bc392c1f49

SHA256
fbf6c079b9aae15b6442ba5dd5f366a9a9f418cec9ea553e5eb1ee8161e3dc2b

SHA512
5996a3597b4131c1532c31599556ea9c836a8505275fc8153fdb1ffe45646eb7d54c7bbb405d51729f66d974867f391840aac39c8e2436eb7f7f50cc3cea9430

Download Submit
memory/176-152-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/176-155-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2284-151-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2628-132-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/2628-137-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/5008-138-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/5008-136-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5008-139-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download
memory/5008-145-0x0000000074880000-0x0000000074E31000-memory.dmp

Filesize
5.7MB

Download