Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 14:59

General

  • Target

    a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

  • Size

    475KB

  • MD5

    4473bc09f2f358973b05ab262aa80650

  • SHA1

    1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73

  • SHA256

    a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a

  • SHA512

    b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f

  • SSDEEP

    6144:HjmQ2sdoE4duLm3P2g5KYuxvWJH5ogtpLAKXDU89ZEs9UctljtdduYWfYXPLtMp:HjmQ2vSLy2NVwZogLLDB5UIjdnH

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
    "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe
      "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • Runs ping.exe
        PID:1368

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

    Filesize

    475KB

    MD5

    4473bc09f2f358973b05ab262aa80650

    SHA1

    1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73

    SHA256

    a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a

    SHA512

    b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f

  • C:\Users\Admin\AppData\Local\Temp\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a\a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a.exe

    Filesize

    475KB

    MD5

    4473bc09f2f358973b05ab262aa80650

    SHA1

    1fcb71d2f5a3d8ac397827b1db17a9a24a0fac73

    SHA256

    a803afe93e3bd05372453458b16b107373804eb9c620eef062e5d099d80c4f4a

    SHA512

    b535af19233cf9553d08f1830959b6773dc3191865def29b5d814ae31831bc9da86d168d2b5459664aacea33945cdf53e8f192b8d7c7078df54962b2791e015f

  • memory/1368-139-0x0000000000000000-mapping.dmp

  • memory/3536-132-0x00000000753C0000-0x0000000075971000-memory.dmp

    Filesize

    5.7MB

  • memory/3536-137-0x00000000753C0000-0x0000000075971000-memory.dmp

    Filesize

    5.7MB

  • memory/4240-136-0x0000000000000000-mapping.dmp

  • memory/4668-133-0x0000000000000000-mapping.dmp

  • memory/4668-138-0x00000000753C0000-0x0000000075971000-memory.dmp

    Filesize

    5.7MB

  • memory/4668-140-0x00000000753C0000-0x0000000075971000-memory.dmp

    Filesize

    5.7MB