Analysis

  • max time kernel
    158s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 14:42

General

  • Target

    e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe

  • Size

    288KB

  • MD5

    e8b9822f038f6493b75f7406c3d9c034

  • SHA1

    64dec7efb1ac73a3fc8070f8f8cc4f643bc1ac7a

  • SHA256

    e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e

  • SHA512

    948c132dcff502b817a85a8115893197c086d5ced73dbeec12e95f4fb60888694cd5172b2ebb341608070d81aaf1926861290a9329150363a170c2f512502171

  • SSDEEP

    6144:whwxaxI9sBV1wbDmi5KblR0QJJuhDu5qcCvKhVVncAX1L:wyxXK1Ymi5sR0MqqLCvs6A

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe
    "C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:552
    • \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
      "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4916
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
        3⤵
        • Adds Run key to start application
        PID:3008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs

    Filesize

    219B

    MD5

    f03812089f155d3e548e470fcf70f8d7

    SHA1

    a3668fcead6b9079c4962ffbec8ea81fb8120d48

    SHA256

    9c0cfffb385fb4d93f81b0f1fa599545900328a6b948eba2a7f35acfba2cd5a2

    SHA512

    1fa023f31178cb63208dfb9b098fc664ef0628c987c92c7c209a5dcf8af66253d9ce8720fe9af64d4b61159353056266ea3e5eb3842396806200164c61cd6e46

  • memory/552-132-0x00000000750D0000-0x0000000075681000-memory.dmp

    Filesize

    5.7MB

  • memory/552-139-0x00000000750D0000-0x0000000075681000-memory.dmp

    Filesize

    5.7MB

  • memory/1312-135-0x0000000000000000-mapping.dmp

  • memory/3008-137-0x0000000000000000-mapping.dmp

  • memory/4916-133-0x0000000000000000-mapping.dmp

  • memory/4916-134-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/4916-138-0x00000000750D0000-0x0000000075681000-memory.dmp

    Filesize

    5.7MB

  • memory/4916-140-0x00000000750D0000-0x0000000075681000-memory.dmp

    Filesize

    5.7MB