Analysis

  • max time kernel
    188s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-10-2022 12:43

General

  • Target

    e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe

  • Size

    292KB

  • MD5

    4214abf5fd8ede6d3d9d03b9f55713f5

  • SHA1

    a2360c5577a67315fa5782f35c3bf97dc24089e9

  • SHA256

    e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229

  • SHA512

    2c96cd0b65e350233459617b6a15b91142b08dce328b1f04d895c40701f3a57d0212c0554c60c57d1b6585dc973986ef58fd0832e05d313ddbd42263c875fe8a

  • SSDEEP

    6144:/CXnomEpWJmo2+gu5KFOPO3pZSytbAH0WJ0IgMbDMRlsQpOm:mofpWJmo2vuIeOZZSobAH0ZIx6CQpOm

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe
    "C:\Users\Admin\AppData\Local\Temp\e7c90a88de446654da0f5506f2b7590d9816095a864fe12e7997909d576e8229.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5112
    • \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
      "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4548
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
        3⤵
        • Adds Run key to start application
        PID:3484

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs

    Filesize

    219B

    MD5

    a65f94d737d307f65def620728688123

    SHA1

    ba22cfd98fa6aa8a28de32b3eac5f20fbf0843d8

    SHA256

    3564dcda92b3ec106f0f9a2710a795a8eada973a9d50511c68cdaea5ec12f87e

    SHA512

    fa008d1fa740bad8496f6678cb8345d4894afc0385b6abe86577c3f48dbdd1acee5a9ded9fa4e47a879592a1d4bdf8f491362279a94299b2473917d0f57c1847

  • memory/3484-139-0x0000000000000000-mapping.dmp

  • memory/4092-136-0x0000000000000000-mapping.dmp

  • memory/4548-134-0x0000000000000000-mapping.dmp

  • memory/4548-135-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/4548-137-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB

  • memory/4548-141-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB

  • memory/5112-132-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB

  • memory/5112-133-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB

  • memory/5112-140-0x0000000075100000-0x00000000756B1000-memory.dmp

    Filesize

    5.7MB