Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5a178e873b...c5.exe

windows7-x64

8

5a178e873b...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2022, 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe

  • Size

    1.0MB

  • MD5

    27fe66f32b3bdad4fb04a0b15701f7e3

  • SHA1

    a1a97813c5be852a63526d81254cd4f75e5da3ae

  • SHA256

    5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5

  • SHA512

    2a935a04e1b2d968219e2a9e1393ca11fe1dd324693040a72ee06f0d49ce387d0b6a763476be4dde6c1015e1c9145d12bfeef6c101fe3b899f3a3de60a2d7266

  • SSDEEP

    24576:mt24vqVnszwQ28Qcuc+OSgLphaZ3etWrJ:sXwQ2jbD8hm3vJ

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe
    "C:\Users\Admin\AppData\Local\Temp\5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Users\Admin\AppData\Roaming\uueea\jnotg.com
      "C:\Users\Admin\AppData\Roaming\uueea\jnotg.com" egwlg.plw
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Roaming\uueea\jnotg.com
        C:\Users\Admin\AppData\Roaming\uueea\jnotg.com C:\Users\Admin\AppData\Roaming\uueea\TLIST
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:240
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          4⤵
          • Drops desktop.ini file(s)
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\uueea\TLIST
    Filesize

    118KB

    MD5

    c346f5cd7684d742e218dc717b47c027

    SHA1

    c1486531db25d3c7f86e6a0031342885bd8580b5

    SHA256

    f4277a31ceba382ca8de4d8771e9d12e67dac07c421edbb9dc38be4d843bcb63

    SHA512

    90548e009e967c0151b3330c5070352a5de2e227d61a0695044ebaddad492d2a95a05fbeddb7155b959320ffbfbb0866f091348f8e7927a5810aa8ec2344edaf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uueea\YMQGIX
    Filesize

    30KB

    MD5

    a500068edd85d9eb32b9f3f72be05243

    SHA1

    80646209a2639306075d6090767fc8f33208cfbb

    SHA256

    5921af928a8577b129ae3a1ba8a29b7f7763e9a4aa2870429c5b6ee35490c28b

    SHA512

    704384f8b83c837a34d4eda349e64cb68ce3c05a98c0b8615c3286002c95b7579126f68b3091d459e21fbfce6896d7ae6218e906b18636706c86f3aba5d0e018

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uueea\egwlg.plw
    Filesize

    127KB

    MD5

    d598e742d1aa8ff9de5eae06207552d4

    SHA1

    f623c13916ecd450cb8c090dd65226c40a5d1a8e

    SHA256

    e12b30f79ad7cf4b71d5aaf2eb5b1d2b0971a5d460f526406ce2def601c4f3df

    SHA512

    3efc8bc8a7b562c21127732d8bb6e1f3ed70f702edc2b1a99f624f13b92de054accb09014ebf8d32eb82a64c7d0a4c7ac441b951170a6da8152c64be75f59364

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uueea\hllwp
    Filesize

    277KB

    MD5

    6a637d94198ddffcbc6bb0c5f7d1f9fa

    SHA1

    62dc7ae5444a2a31d8ea4160851e89c327e0a8ff

    SHA256

    7ef88c8ffd41bacbb7cdf540dd1e4cac7df32881cb8dfb0aaab3339bb120bf8c

    SHA512

    ac1dcabf380917a24ffce1c72c74cd52514dc4aaf15b263114096740dfe16c42d3e128b4d04649b3a0b518ee8a378ab8e26050a9bebf258dd914182c6a316317

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uueea\jnotg.com
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uueea\jnotg.com
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uueea\jnotg.com
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\uueea\pfxif.wte
    Filesize

    118KB

    MD5

    f6e15c6d7f0c9520825cb0f0b792153f

    SHA1

    337135a46591e4139300775cf0acee39e87d961e

    SHA256

    b84f15965a8afe578a1a138e6bf194fc283d76e7131a013ea5c3a996a5173af4

    SHA512

    d196fc316d2c2e9fdc4e58aa432a29cd7bbd54b03a6f71bb7dbe1832d750194caccddf441677fd975d3a5d094ed86cfcab618bbf05d0e9866ccf32b570291920

    Download Submit

  • memory/3952-143-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3952-144-0x00000000740F0000-0x00000000746A1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3952-145-0x00000000740F0000-0x00000000746A1000-memory.dmp

    Filesize

    5.7MB

    Download