Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    156s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 18:51

General

  • Target

    2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe

  • Size

    292KB

  • MD5

    2bec47844b2158b8971395794301e712

  • SHA1

    85e9fe6a3118fa5bf352fef7ecf8b711a45a3968

  • SHA256

    2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809

  • SHA512

    e0d492b85856f4a7e675fe30fbc223573dd214e12dd7b043ac84f10098477181ae59f04aa44a389159f39c91820268e02dc9d4a79910846d0da92241023c277a

  • SSDEEP

    6144:UwcYntNJbzX8qhqEIJHqvzRb8zCgoniL2L0U1wer6:UwcYLJ///IJydbXqU1Bm

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
    "C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4184
    • \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
      "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1824
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
        3⤵
        • Adds Run key to start application
        PID:2196

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs

    Filesize

    219B

    MD5

    b559ac384267491c0796d801b39e4979

    SHA1

    6762fd6ee2849c743dfd2e3d6743b3f26bc32b9d

    SHA256

    85f64caab11088c4fa85d0caebc9086178eeef9e322be7034311cf466430302e

    SHA512

    292df546edec7225fca39816d4171924ced925ca00d316d7694ecfb00a2cb4d81315493e2af759121795413a5e0116abcd11b5003e332fec3a5dcf40fc24de7e

  • memory/1824-134-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/1824-136-0x0000000074FC0000-0x0000000075571000-memory.dmp

    Filesize

    5.7MB

  • memory/1824-140-0x0000000074FC0000-0x0000000075571000-memory.dmp

    Filesize

    5.7MB

  • memory/4184-132-0x0000000074FC0000-0x0000000075571000-memory.dmp

    Filesize

    5.7MB

  • memory/4184-139-0x0000000074FC0000-0x0000000075571000-memory.dmp

    Filesize

    5.7MB