Overview

overview

10

Static

static

a60c8f0490...9d.exe

windows7-x64

10

a60c8f0490...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    287s
  • max time network
    336s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d.exe

  • Size

    780KB

  • MD5

    1e85709c537a55ca4816aad062848fd7

  • SHA1

    c5e1bc1c8b77148130832cd5127a1f5ffd31d789

  • SHA256

    a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d

  • SHA512

    f36f6fa98b7ce75424d45638f9353cadb753b6df0000cd973ebe6c7317ff7cc1c934416e426d3f4339fb1b97426e60ac8734d320da94bcae77af62f061147917

  • SSDEEP

    12288:0q+oM6kHhiITgsJxhk51g7Cd7wdqTxuCi+7zXHYDe0vSvqINrsfo:0JVhRJx62767j9i2GaLj

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d.exe
    "C:\Users\Admin\AppData\Local\Temp\a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
          4⤵
          • Drops startup file
          PID:684
    • C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe
      "C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1016
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 60
        3⤵
        • Delays execution with timeout.exe
        PID:1336
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "imagename eq sfdfdfds .exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Windows\SysWOW64\find.exe
        find /i "sfdfdfds .exe"
        3⤵
          PID:652
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 60
          3⤵
          • Delays execution with timeout.exe
          PID:1572

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
      Filesize

      780KB

      MD5

      1e85709c537a55ca4816aad062848fd7

      SHA1

      c5e1bc1c8b77148130832cd5127a1f5ffd31d789

      SHA256

      a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d

      SHA512

      f36f6fa98b7ce75424d45638f9353cadb753b6df0000cd973ebe6c7317ff7cc1c934416e426d3f4339fb1b97426e60ac8734d320da94bcae77af62f061147917

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
      Filesize

      78B

      MD5

      c578d9653b22800c3eb6b6a51219bbb8

      SHA1

      a97aa251901bbe179a48dbc7a0c1872e163b1f2d

      SHA256

      20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

      SHA512

      3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
      Filesize

      69B

      MD5

      c96a3b31fc4a115c977ce5d8a3256f4f

      SHA1

      8c71b0d75099af30ac1fe33266e3970b47ba716d

      SHA256

      a5b672a4863abcf46556d2e606b2833e8897a3206e554ad93043a82a792df49e

      SHA512

      f4337e85ca0b3c0242c35a09f1ff7154c9e37ea3c7de3c2337385fb4b57e25a8550877ce2f37d023c94a3fa69b2b4e003207790297879d29a5bbe4856d0a0f48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
      Filesize

      176B

      MD5

      b77f8e41f69f39412b204cc781212baa

      SHA1

      38d70fce7d44d1935955cf4b519664c7969d5989

      SHA256

      05ebddcab0758b634954345905825e611eed207bbbb989e6dded1e3476e5deab

      SHA512

      8b404359b8c854822fb97262c55dad5293a75d353ba2a2210840c9fbbea96e3ff985856601bb6ca4d10bc21effb3af33558e0c2d9c90128133ae35fe09dccb61

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\rundll11-.txt
      Filesize

      780KB

      MD5

      1e85709c537a55ca4816aad062848fd7

      SHA1

      c5e1bc1c8b77148130832cd5127a1f5ffd31d789

      SHA256

      a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d

      SHA512

      f36f6fa98b7ce75424d45638f9353cadb753b6df0000cd973ebe6c7317ff7cc1c934416e426d3f4339fb1b97426e60ac8734d320da94bcae77af62f061147917

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat
      Filesize

      212B

      MD5

      25293cb5844f3cd3baa09eaac5388180

      SHA1

      3c7cd847f5b8d115f48b17b0e63458348da12989

      SHA256

      92cadcd4e6f72a3b7754b592bd282c869be692c50bc136498df9a24982cb9258

      SHA512

      edcedcc74b4a1af4d6364fefd8c419ebac9c3d39f08f0bc6b697d655fd973ab88baa3afb3042b12296600206a65b8ebd5fb6966a7162274aacb7f0cf2691bf04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sfdfdfds .exe
      Filesize

      52KB

      MD5

      278edbd499374bf73621f8c1f969d894

      SHA1

      a81170af14747781c5f5f51bb1215893136f0bc0

      SHA256

      c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

      SHA512

      93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

      Download Submit

    • memory/436-85-0x0000000074260000-0x000000007480B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/436-54-0x0000000075831000-0x0000000075833000-memory.dmp

      Filesize

      8KB

      Download

    • memory/436-55-0x0000000074260000-0x000000007480B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/436-79-0x0000000074260000-0x000000007480B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1016-75-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1016-78-0x0000000074260000-0x000000007480B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1016-72-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1016-80-0x0000000074260000-0x000000007480B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1016-62-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1016-63-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1016-60-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1016-59-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download