Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
200s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
26/11/2022, 21:26
General
-
Target
d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
-
Size
272KB
-
MD5
a374384e1b398b929e3ff31be5579c80
-
SHA1
921f79049cc4c23304cdfefdd844b84aeeed87a1
-
SHA256
d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba
-
SHA512
7d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e
-
SSDEEP
6144:6MrGiRoPEsoIQX/S+uCl+s9tCvacVOqgOBCctl+m:nrzC8s1kl+s9tsaWOqgOYIn
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
272KB
MD5a374384e1b398b929e3ff31be5579c80
SHA1921f79049cc4c23304cdfefdd844b84aeeed87a1
SHA256d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba
SHA5127d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e
-
Filesize
272KB
MD5a374384e1b398b929e3ff31be5579c80
SHA1921f79049cc4c23304cdfefdd844b84aeeed87a1
SHA256d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba
SHA5127d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB