Overview

overview

10

Static

static

0b42161e88...af.exe

windows7-x64

10

0b42161e88...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe

  • Size

    2.3MB

  • MD5

    1acd748077b01272fc18ca9a1271c7b0

  • SHA1

    b2c7fce642fd06ec9122021ee43a9ca593914cc3

  • SHA256

    0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af

  • SHA512

    b7396be5df422911ba28b5ee04c3b2b2d691f3dde074a9af897be9041aa1b4798842f862e9420d3734dbb49caab947b91dd4cbaa5a089819d60b35a01ae39a72

  • SSDEEP

    49152:xpymeCZZQYiMg6+vf8YfogWyxSQtrbXFLO6W4mAeEAGnpfBDb:xpyEZQ6c0Imy0UfVLOYm0nR5b

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
    "C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
      "C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Users\Admin\AppData\Local\TempCSGO Client.exe
        "C:\Users\Admin\AppData\Local\TempCSGO Client.exe"
        3⤵
        • Executes dropped EXE
        PID:2540
      • C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
        "C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\831626" "C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3648
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 0127.0.0.1
            5⤵
            • Runs ping.exe
            PID:2388
    • C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
      "C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4668
    • C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe
      "C:\Users\Admin\AppData\Local\Temp\0b42161e889ed181ad0b0a7b0240208cf10c23452b33f170c60734a5ab52b2af.exe"
      2⤵
        PID:3896
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1240

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\TempCSGO Client.exe
        Filesize

        151KB

        MD5

        5f05e7130bc6dc523faa9cf537157af1

        SHA1

        c63fe5480dbed5a2b0d40426160d5892a8c9130f

        SHA256

        ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

        SHA512

        dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

        Download Submit

      • C:\Users\Admin\AppData\Local\TempCSGO Client.exe
        Filesize

        151KB

        MD5

        5f05e7130bc6dc523faa9cf537157af1

        SHA1

        c63fe5480dbed5a2b0d40426160d5892a8c9130f

        SHA256

        ab2399f8c2e7ef0eac6ed6697d17471bd170b093ac3aab9a9af4a1b9a4b39efa

        SHA512

        dea6b35d0164046adf661557c68a7fb1a7f643cbc671f216469db8f8c3af5cfceb11e72982910cbcf3a0ddabdfa39d042ef837ef1f5cac3dfd863273650c42ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\81.bat
        Filesize

        188B

        MD5

        af53a4743e592c6cee1e5e2151651890

        SHA1

        28bfc771c1c9678f07ddcf80509813fc6437d4e9

        SHA256

        cd99268267e660f69a13a4fdd1b90d89a5011a7a4a14f85050aa6cb9d081832f

        SHA512

        de14b10327a4d3dbe9cf0ba194ffa9d76b5a2ea731beaca8842e3cb319eed1fa88462160b0df45b0d1e30d630b201bef5497a632ac980e7f106f7bf0a82ab954

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\831626
        Filesize

        18KB

        MD5

        ba7ed704ea46ad6efe082e5ff4e373ee

        SHA1

        f77c50c318e5b65c06ef07b466fbf49fa477fc34

        SHA256

        b6725014e644232a901aa4bf9546fa02a77e163d32c15b6843d0147826d11b30

        SHA512

        b6e94cc31608bda8299285d6f58935ed2ccb817faad96d42a6e35db82fa11a97b6e6457ded75550aea7786f522f743b16028ee6723623e0b83fa94f2423859bb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
        Filesize

        1.6MB

        MD5

        ca31b9b62cd0e6d2c306076283058574

        SHA1

        9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

        SHA256

        21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

        SHA512

        84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
        Filesize

        1.6MB

        MD5

        ca31b9b62cd0e6d2c306076283058574

        SHA1

        9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

        SHA256

        21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

        SHA512

        84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\yEKHa3tzYCdwZpUF.exe
        Filesize

        1.6MB

        MD5

        ca31b9b62cd0e6d2c306076283058574

        SHA1

        9fb108cc95deff0ca4f75eac7ec4dfa3c363d927

        SHA256

        21923cda960ce09c6eba5863525154d60eb7f9d80ca4021f61cf6c86dd721b6b

        SHA512

        84363cb72b6025eed6108529dda6847341d89e289f9711f8ff39060c0553d07ee1e0164dabc7c3c2f8d66567059e55f82dcb731c63bed80f457a18dfab04d191

        Download Submit

      • memory/2540-147-0x00007FF893090000-0x00007FF893AC6000-memory.dmp

        Filesize

        10.2MB

        Download

      • memory/3896-143-0x0000000074C60000-0x0000000075211000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3896-142-0x0000000074C60000-0x0000000075211000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4668-141-0x0000000074C60000-0x0000000075211000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4668-138-0x0000000000400000-0x000000000044A000-memory.dmp

        Filesize

        296KB

        Download

      • memory/4668-154-0x0000000074C60000-0x0000000075211000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4760-132-0x0000000074C60000-0x0000000075211000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4760-133-0x0000000074C60000-0x0000000075211000-memory.dmp

        Filesize

        5.7MB

        Download