Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    200s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 21:26

General

  • Target

    d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe

  • Size

    272KB

  • MD5

    a374384e1b398b929e3ff31be5579c80

  • SHA1

    921f79049cc4c23304cdfefdd844b84aeeed87a1

  • SHA256

    d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba

  • SHA512

    7d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e

  • SSDEEP

    6144:6MrGiRoPEsoIQX/S+uCl+s9tCvacVOqgOBCctl+m:nrzC8s1kl+s9tsaWOqgOYIn

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe
      "C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3104
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 1000
        3⤵
        • Runs ping.exe
        PID:1832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe

    Filesize

    272KB

    MD5

    a374384e1b398b929e3ff31be5579c80

    SHA1

    921f79049cc4c23304cdfefdd844b84aeeed87a1

    SHA256

    d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba

    SHA512

    7d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e

  • C:\Users\Admin\AppData\Local\Temp\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba\d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba.exe

    Filesize

    272KB

    MD5

    a374384e1b398b929e3ff31be5579c80

    SHA1

    921f79049cc4c23304cdfefdd844b84aeeed87a1

    SHA256

    d0ad43c1114c175dcc0480f6fc9965a6356d927957474c7d9a9f5ca0ae5e15ba

    SHA512

    7d81967fb224ccaa379763d649b15d78292c6a8cc6cc588607418a3b0c1e6afa7526eb02e99e74f623a9280b5531cd206928bc788462aab931f2aafd08d4c57e

  • memory/3104-137-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/3104-141-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/3240-132-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/3240-133-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB

  • memory/3240-140-0x0000000074E50000-0x0000000075401000-memory.dmp

    Filesize

    5.7MB