Analysis
-
max time kernel
155s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 17:57
General
-
Target
04aba42c129f4795fa32a85175571635007db000723d4f983e1bccae3a1eec94.exe
-
Size
532KB
-
MD5
85925b5131a1e454625a34f8c69a78a0
-
SHA1
9f643052bfdffbf1dc3283f367e06f378e66c3f5
-
SHA256
04aba42c129f4795fa32a85175571635007db000723d4f983e1bccae3a1eec94
-
SHA512
e2d6b086ab1ab431171bdd2469cb3cd47820e660d8412c674247c6d15d99bf83de984e21b1bd3bce1988e9b808191d88ad2cafa1d9a33d7156c41480c90b3d1f
-
SSDEEP
6144:TUzGE4pm3JDS83IwQ6BLgy8UlxIxE7y/x17p/UUvapaK6wtSBbMp0VUprkL1z2L7:TUN2Oy8Uy8U02+/vt/2cUctUw1C8Um
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04aba42c129f4795fa32a85175571635007db000723d4f983e1bccae3a1eec94.exe"C:\Users\Admin\AppData\Local\Temp\04aba42c129f4795fa32a85175571635007db000723d4f983e1bccae3a1eec94.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\rasphone.exe"C:\Users\Admin\AppData\Roaming\rasphone.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\csrss.exe"C:\Users\Admin\AppData\Roaming\csrss.exe" -reg "explorer.exe, C:\Users\Admin\AppData\Roaming\rasphone.exe" -proc 1460 C:\Users\Admin\AppData\Roaming\rasphone.exe3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
532KB
MD585925b5131a1e454625a34f8c69a78a0
SHA19f643052bfdffbf1dc3283f367e06f378e66c3f5
SHA25604aba42c129f4795fa32a85175571635007db000723d4f983e1bccae3a1eec94
SHA512e2d6b086ab1ab431171bdd2469cb3cd47820e660d8412c674247c6d15d99bf83de984e21b1bd3bce1988e9b808191d88ad2cafa1d9a33d7156c41480c90b3d1f
-
Filesize
532KB
MD585925b5131a1e454625a34f8c69a78a0
SHA19f643052bfdffbf1dc3283f367e06f378e66c3f5
SHA25604aba42c129f4795fa32a85175571635007db000723d4f983e1bccae3a1eec94
SHA512e2d6b086ab1ab431171bdd2469cb3cd47820e660d8412c674247c6d15d99bf83de984e21b1bd3bce1988e9b808191d88ad2cafa1d9a33d7156c41480c90b3d1f
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB