Overview

overview

10

Static

static

a3f677854b...60.exe

windows7-x64

10

a3f677854b...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3f677854bb917665d8510182ad7d8fbb1c24415cbe86ac0ab62199eb5fa7360.exe

  • Size

    397KB

  • MD5

    f3aef02210475782657d7a7f222c8526

  • SHA1

    382a626c3861dc917eccc62bbae9afbd24da4463

  • SHA256

    a3f677854bb917665d8510182ad7d8fbb1c24415cbe86ac0ab62199eb5fa7360

  • SHA512

    e3fe3e92f5ca375987c693cbb2f9ffc664fddf0c5932efe06982ca3cc0d7ff15745d45a7148f6a01c3c77ac4d451b75b36a2ede5d3215a1a1845e39bff224691

  • SSDEEP

    12288:riBbj0vw18IG5SJDGMOtNixEpNDtyT+kJT:2Bd1Q0BGMOzimpCiQ

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3f677854bb917665d8510182ad7d8fbb1c24415cbe86ac0ab62199eb5fa7360.exe
    "C:\Users\Admin\AppData\Local\Temp\a3f677854bb917665d8510182ad7d8fbb1c24415cbe86ac0ab62199eb5fa7360.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\a3f677854bb917665d8510182ad7d8fbb1c24415cbe86ac0ab62199eb5fa7360.exe
      "C:\Users\Admin\AppData\Local\Temp\a3f677854bb917665d8510182ad7d8fbb1c24415cbe86ac0ab62199eb5fa7360.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/892-55-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/892-56-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/892-58-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/892-60-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/892-62-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/892-64-0x00000000004452BE-mapping.dmp
    Download
  • memory/892-66-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/892-68-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/892-71-0x00000000745A0000-0x0000000074B4B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/892-72-0x00000000745A0000-0x0000000074B4B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-70-0x00000000745A0000-0x0000000074B4B000-memory.dmp
    Filesize

    5.7MB

    Download