Overview

overview

10

Static

static

e7640b3fc1...c3.exe

windows7-x64

10

e7640b3fc1...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3.exe

  • Size

    501KB

  • MD5

    93d9237d8a6aa1bf4012e4ee9d2954c8

  • SHA1

    08e10e336b6c8fdd2ccd67cc3eeea06dd1599c65

  • SHA256

    e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3

  • SHA512

    24ad60703732de52a65a58039b1b72be660acc9fd8d765e41d83be037ba888b0a9840c14dc94a90b9b399162db6ea64402f4fb3dcb32cbc71d7358b5573e65db

  • SSDEEP

    12288:H4ZVq+aPYETWX9cfqrk1Y9ykRWdgYCYktspGzbgdVWuJdlIrW:HPcIeyqrk1Y99CpGO7aW

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3.exe
    "C:\Users\Admin\AppData\Local\Temp\e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3.exe":ZONE.identifier & exit
      2⤵
      • NTFS ADS
      PID:5116
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\1798089863.xml"
      2⤵
      • Creates scheduled task(s)
      PID:1668
    • C:\Users\Admin\AppData\Roaming\csrss.exe
      "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 1260 -reg C:\Users\Admin\AppData\Local\Temp\e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3.exe -proc 1260 C:\Users\Admin\AppData\Local\Temp\e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1798089863.xml
    Filesize

    1KB

    MD5

    fb1a493a5434912610622526455e81bb

    SHA1

    06e5d56dd17ddf1d78100f0f2f87961e9bcc2d48

    SHA256

    63dbccf2f878bea0fc9f3f7fc9757e0e94f480804e2c364daa3c3bacb49c1a14

    SHA512

    5d21ccdc8901c0003e6d43b60d452c242e2d17c178dd96633577d91b93c3c94ff7b4475cca606faf699bc3b6feb26e1a147beb4d2c8fc795a8c53f4c467fdbe7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3.exe
    Filesize

    501KB

    MD5

    93d9237d8a6aa1bf4012e4ee9d2954c8

    SHA1

    08e10e336b6c8fdd2ccd67cc3eeea06dd1599c65

    SHA256

    e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3

    SHA512

    24ad60703732de52a65a58039b1b72be660acc9fd8d765e41d83be037ba888b0a9840c14dc94a90b9b399162db6ea64402f4fb3dcb32cbc71d7358b5573e65db

    Download Submit

  • C:\Users\Admin\AppData\Roaming\csrss.exe
    Filesize

    501KB

    MD5

    93d9237d8a6aa1bf4012e4ee9d2954c8

    SHA1

    08e10e336b6c8fdd2ccd67cc3eeea06dd1599c65

    SHA256

    e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3

    SHA512

    24ad60703732de52a65a58039b1b72be660acc9fd8d765e41d83be037ba888b0a9840c14dc94a90b9b399162db6ea64402f4fb3dcb32cbc71d7358b5573e65db

    Download Submit

  • C:\Users\Admin\AppData\Roaming\csrss.exe
    Filesize

    501KB

    MD5

    93d9237d8a6aa1bf4012e4ee9d2954c8

    SHA1

    08e10e336b6c8fdd2ccd67cc3eeea06dd1599c65

    SHA256

    e7640b3fc1d0fa4b85f75510672bbf5e4445d5029573642bf58ba962cee2c7c3

    SHA512

    24ad60703732de52a65a58039b1b72be660acc9fd8d765e41d83be037ba888b0a9840c14dc94a90b9b399162db6ea64402f4fb3dcb32cbc71d7358b5573e65db

    Download Submit

  • memory/1260-132-0x0000000074C60000-0x0000000075211000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1260-133-0x0000000074C60000-0x0000000075211000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2880-141-0x0000000074C60000-0x0000000075211000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2880-142-0x0000000074C60000-0x0000000075211000-memory.dmp

    Filesize

    5.7MB

    Download