Overview

overview

10

Static

static

5

55c7d069d8...9d.exe

windows7-x64

10

55c7d069d8...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    232s
  • max time network
    333s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d.exe

  • Size

    1.1MB

  • MD5

    c365825016e073c7ee4f601acaaad2ab

  • SHA1

    e816c69c7aab15fb568c8d0189c7c728a81b5456

  • SHA256

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d

  • SHA512

    61d5e81624603a7bb51ea2f11d2c66ceafb614b836de45596acff1b23e3be162a64f889dd3c0c2f2558194f0d318fbdbc93f200a6585eba2944853a104b861be

  • SSDEEP

    24576:4tb20pkaCqT5TBWgNQ7aq/epWpPVlbUMxc6A:BVg5tQ7aq20pPTG5

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d.exe
    "C:\Users\Admin\AppData\Local\Temp\55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Roaming\install2.exe
      "C:\Users\Admin\AppData\Roaming\install2.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\83.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 0127.0.0.1
        3⤵
        • Runs ping.exe
        PID:368

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\83.bat
    Filesize

    312B

    MD5

    28a5c7afa2c4000bbd775b6190453731

    SHA1

    15ca70afe7c63190ae3fb87687d2f614671ceef7

    SHA256

    7a242d092d64973a6e1df0bea4b5a514961ce493c0a17f1b75b47772f32f1b04

    SHA512

    6f7adfca2c8da71c0a0f34e1ec233af1cb24524a0321d910d7862e3c39dfe7096cd09707780325b69b6f29c29543981155b5b8c5ab703474a16cc442f8fe14ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\incl1
    Filesize

    12KB

    MD5

    a2734a383723c2620e506dcbc57a4067

    SHA1

    fbe4aa08bfb49163d59d7d07cae6b8ced14d4d52

    SHA256

    831aefdf6c0acd5824f4c8bf7d544a100dbe77f485327011635b0a5d0fbf32b5

    SHA512

    79e5af88531cb5c28740e777643abedde47fe1471f4e4a02cb0e902708cc87ac56c7490ed42d0dbf33fc471fef73f5da13ca6675f4dbe1af1322b7929668141a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\install2.exe
    Filesize

    1.1MB

    MD5

    c365825016e073c7ee4f601acaaad2ab

    SHA1

    e816c69c7aab15fb568c8d0189c7c728a81b5456

    SHA256

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d

    SHA512

    61d5e81624603a7bb51ea2f11d2c66ceafb614b836de45596acff1b23e3be162a64f889dd3c0c2f2558194f0d318fbdbc93f200a6585eba2944853a104b861be

    Download Submit

  • C:\Users\Admin\AppData\Roaming\install2.exe
    Filesize

    1.1MB

    MD5

    c365825016e073c7ee4f601acaaad2ab

    SHA1

    e816c69c7aab15fb568c8d0189c7c728a81b5456

    SHA256

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d

    SHA512

    61d5e81624603a7bb51ea2f11d2c66ceafb614b836de45596acff1b23e3be162a64f889dd3c0c2f2558194f0d318fbdbc93f200a6585eba2944853a104b861be

    Download Submit

  • \Users\Admin\AppData\Roaming\install2.exe
    Filesize

    1.1MB

    MD5

    c365825016e073c7ee4f601acaaad2ab

    SHA1

    e816c69c7aab15fb568c8d0189c7c728a81b5456

    SHA256

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d

    SHA512

    61d5e81624603a7bb51ea2f11d2c66ceafb614b836de45596acff1b23e3be162a64f889dd3c0c2f2558194f0d318fbdbc93f200a6585eba2944853a104b861be

    Download Submit

  • \Users\Admin\AppData\Roaming\install2.exe
    Filesize

    1.1MB

    MD5

    c365825016e073c7ee4f601acaaad2ab

    SHA1

    e816c69c7aab15fb568c8d0189c7c728a81b5456

    SHA256

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d

    SHA512

    61d5e81624603a7bb51ea2f11d2c66ceafb614b836de45596acff1b23e3be162a64f889dd3c0c2f2558194f0d318fbdbc93f200a6585eba2944853a104b861be

    Download Submit

  • \Users\Admin\AppData\Roaming\install2.exe
    Filesize

    1.1MB

    MD5

    c365825016e073c7ee4f601acaaad2ab

    SHA1

    e816c69c7aab15fb568c8d0189c7c728a81b5456

    SHA256

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d

    SHA512

    61d5e81624603a7bb51ea2f11d2c66ceafb614b836de45596acff1b23e3be162a64f889dd3c0c2f2558194f0d318fbdbc93f200a6585eba2944853a104b861be

    Download Submit

  • \Users\Admin\AppData\Roaming\install2.exe
    Filesize

    1.1MB

    MD5

    c365825016e073c7ee4f601acaaad2ab

    SHA1

    e816c69c7aab15fb568c8d0189c7c728a81b5456

    SHA256

    55c7d069d8562f7842086f4a566dbfc9ee92f8d70d4ec8115fa0aba5dd6ac19d

    SHA512

    61d5e81624603a7bb51ea2f11d2c66ceafb614b836de45596acff1b23e3be162a64f889dd3c0c2f2558194f0d318fbdbc93f200a6585eba2944853a104b861be

    Download Submit

  • memory/1668-67-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1668-69-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1668-72-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1668-74-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1668-75-0x0000000000440000-0x0000000000450000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1668-76-0x0000000004E40000-0x0000000004EE0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1668-77-0x00000000020B0000-0x00000000020D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1668-78-0x0000000000570000-0x000000000057E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1668-80-0x0000000000560000-0x0000000000576000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1872-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

    Filesize

    8KB

    Download