Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

a60c8f0490...9d.exe

windows7-x64

10

a60c8f0490...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    212s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2022, 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d.exe

  • Size

    780KB

  • MD5

    1e85709c537a55ca4816aad062848fd7

  • SHA1

    c5e1bc1c8b77148130832cd5127a1f5ffd31d789

  • SHA256

    a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d

  • SHA512

    f36f6fa98b7ce75424d45638f9353cadb753b6df0000cd973ebe6c7317ff7cc1c934416e426d3f4339fb1b97426e60ac8734d320da94bcae77af62f061147917

  • SSDEEP

    12288:0q+oM6kHhiITgsJxhk51g7Cd7wdqTxuCi+7zXHYDe0vSvqINrsfo:0JVhRJx62767j9i2GaLj

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d.exe
    "C:\Users\Admin\AppData\Local\Temp\a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
          4⤵
          • Drops startup file
          PID:4084
    • C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe
      "C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4292
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 60
        3⤵
        • Delays execution with timeout.exe
        PID:3436
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "imagename eq sfdfdfds .exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3888
      • C:\Windows\SysWOW64\find.exe
        find /i "sfdfdfds .exe"
        3⤵
          PID:2164
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 60
          3⤵
          • Delays execution with timeout.exe
          PID:1248

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
      Filesize

      780KB

      MD5

      1e85709c537a55ca4816aad062848fd7

      SHA1

      c5e1bc1c8b77148130832cd5127a1f5ffd31d789

      SHA256

      a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d

      SHA512

      f36f6fa98b7ce75424d45638f9353cadb753b6df0000cd973ebe6c7317ff7cc1c934416e426d3f4339fb1b97426e60ac8734d320da94bcae77af62f061147917

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
      Filesize

      78B

      MD5

      c578d9653b22800c3eb6b6a51219bbb8

      SHA1

      a97aa251901bbe179a48dbc7a0c1872e163b1f2d

      SHA256

      20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

      SHA512

      3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
      Filesize

      69B

      MD5

      c96a3b31fc4a115c977ce5d8a3256f4f

      SHA1

      8c71b0d75099af30ac1fe33266e3970b47ba716d

      SHA256

      a5b672a4863abcf46556d2e606b2833e8897a3206e554ad93043a82a792df49e

      SHA512

      f4337e85ca0b3c0242c35a09f1ff7154c9e37ea3c7de3c2337385fb4b57e25a8550877ce2f37d023c94a3fa69b2b4e003207790297879d29a5bbe4856d0a0f48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
      Filesize

      176B

      MD5

      b77f8e41f69f39412b204cc781212baa

      SHA1

      38d70fce7d44d1935955cf4b519664c7969d5989

      SHA256

      05ebddcab0758b634954345905825e611eed207bbbb989e6dded1e3476e5deab

      SHA512

      8b404359b8c854822fb97262c55dad5293a75d353ba2a2210840c9fbbea96e3ff985856601bb6ca4d10bc21effb3af33558e0c2d9c90128133ae35fe09dccb61

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\rundll11-.txt
      Filesize

      780KB

      MD5

      1e85709c537a55ca4816aad062848fd7

      SHA1

      c5e1bc1c8b77148130832cd5127a1f5ffd31d789

      SHA256

      a60c8f0490534472a789ebd6a3d9646b0c4508af4c4004a3717a4c0405be269d

      SHA512

      f36f6fa98b7ce75424d45638f9353cadb753b6df0000cd973ebe6c7317ff7cc1c934416e426d3f4339fb1b97426e60ac8734d320da94bcae77af62f061147917

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat
      Filesize

      212B

      MD5

      25293cb5844f3cd3baa09eaac5388180

      SHA1

      3c7cd847f5b8d115f48b17b0e63458348da12989

      SHA256

      92cadcd4e6f72a3b7754b592bd282c869be692c50bc136498df9a24982cb9258

      SHA512

      edcedcc74b4a1af4d6364fefd8c419ebac9c3d39f08f0bc6b697d655fd973ab88baa3afb3042b12296600206a65b8ebd5fb6966a7162274aacb7f0cf2691bf04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe
      Filesize

      52KB

      MD5

      a64daca3cfbcd039df3ec29d3eddd001

      SHA1

      eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

      SHA256

      403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

      SHA512

      b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sfdfdfds .exe
      Filesize

      52KB

      MD5

      a64daca3cfbcd039df3ec29d3eddd001

      SHA1

      eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

      SHA256

      403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

      SHA512

      b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

      Download Submit

    • memory/620-141-0x00000000748F0000-0x0000000074EA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/620-132-0x00000000748F0000-0x0000000074EA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/620-151-0x00000000748F0000-0x0000000074EA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4292-146-0x00000000748F0000-0x0000000074EA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4292-145-0x00000000748F0000-0x0000000074EA1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4292-143-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download