Overview

overview

10

Static

static

402d6e6860...5c.exe

windows7-x64

10

402d6e6860...5c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe

  • Size

    271KB

  • MD5

    c238b0d3cdd6ca72003e01b29bf3ddf7

  • SHA1

    26ebb8833981cadd288f579fc0a75d24a9faecaf

  • SHA256

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

  • SHA512

    d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

  • SSDEEP

    6144:ErL9IN25Y5iBsxchLMQq3BdqpIfnquBIK2l/3Hctlff:EL9IkUms6FnqRiuSl/XIff

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
    "C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
      "C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\taskmgr.exe
        "C:\Windows\System32\taskmgr.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • Runs ping.exe
        PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    3dcf580a93972319e82cafbc047d34d5

    SHA1

    8528d2a1363e5de77dc3b1142850e51ead0f4b6b

    SHA256

    40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

    SHA512

    98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    519f7748478f4c3088c2c09cda264d41

    SHA1

    b3c0139aacc9b1fe71f6213268fb8ee8b5ac41f1

    SHA256

    f0c2f15af471d167f9938109d878cda70a00ed384193021996ea108ea71afc55

    SHA512

    393ce69062faa42fd5c9db266f591331a06d6011825338b9c75e088364175a4036e569992283d299f235e183c9e818cb9bf5abac7d4c2599285b7d4fd251217a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
    Filesize

    271KB

    MD5

    c238b0d3cdd6ca72003e01b29bf3ddf7

    SHA1

    26ebb8833981cadd288f579fc0a75d24a9faecaf

    SHA256

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

    SHA512

    d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
    Filesize

    271KB

    MD5

    c238b0d3cdd6ca72003e01b29bf3ddf7

    SHA1

    26ebb8833981cadd288f579fc0a75d24a9faecaf

    SHA256

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

    SHA512

    d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
    Filesize

    271KB

    MD5

    c238b0d3cdd6ca72003e01b29bf3ddf7

    SHA1

    26ebb8833981cadd288f579fc0a75d24a9faecaf

    SHA256

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

    SHA512

    d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
    Filesize

    271KB

    MD5

    c238b0d3cdd6ca72003e01b29bf3ddf7

    SHA1

    26ebb8833981cadd288f579fc0a75d24a9faecaf

    SHA256

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

    SHA512

    d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
    Filesize

    271KB

    MD5

    c238b0d3cdd6ca72003e01b29bf3ddf7

    SHA1

    26ebb8833981cadd288f579fc0a75d24a9faecaf

    SHA256

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

    SHA512

    d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c\402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c.exe
    Filesize

    271KB

    MD5

    c238b0d3cdd6ca72003e01b29bf3ddf7

    SHA1

    26ebb8833981cadd288f579fc0a75d24a9faecaf

    SHA256

    402d6e68600b71eadd5fde2239363287962525935c0639f0a149bf6a9e04945c

    SHA512

    d406a5bf8c19d7b82c9610639254fc40a224156c81e9fee2de34af9731648436291a8cb3b1769706b58d0744e23b30cf1b156214380ad177b67bccece4a5246d

    Download Submit
  • memory/688-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1436-66-0x0000000074C10000-0x00000000751BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1436-55-0x0000000074C10000-0x00000000751BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1436-54-0x0000000075711000-0x0000000075713000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1684-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1684-69-0x0000000074C10000-0x00000000751BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1684-72-0x0000000074C10000-0x00000000751BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1768-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1888-65-0x0000000000000000-mapping.dmp
    Download