Analysis

  • max time kernel
    160s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/11/2022, 19:55

General

  • Target

    7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe

  • Size

    916KB

  • MD5

    7e01aac13f28affd9c5d1b72d50fbfed

  • SHA1

    2a6d8e4a3c28cec8043c7e4fba89bf01043eb065

  • SHA256

    7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3

  • SHA512

    b5e7307962ba7ff410541e015a7fe0ca30d5b0ee3baa865a926db2c6b238e6d12891de1ac3eddd503f2e298d57edbb436bc8bb41494d145480133e8f30f848a4

  • SSDEEP

    12288:GnDs62f6fw3H5jRtuPhgsK/aex1fVnXHp1lCi6qVNb55aJ6ahco6WZN1vTwG8VsR:GnD2f/yUa8fVn3DlCt6o1R5Y

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
    "C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
      "C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"
      2⤵
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4108

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe.log

    Filesize

    319B

    MD5

    a4da81a3544d9cd85f257967c0a431fe

    SHA1

    ba6f59ae5c6a2674a1fda758b5ded92f76d5edb3

    SHA256

    ad372efe5e610b9c2a331ac8f17f83542ef78b92c875c206d76c84e158fb271e

    SHA512

    12348d4cb4b6534a43f122d18fc7276c524c5b7e8f242f446eefb4d2ffea8018aed53a854cb840b2f30669caf74d14daff4276c6676a15221c58c84b210d393f

  • memory/1680-132-0x0000000074E20000-0x00000000753D1000-memory.dmp

    Filesize

    5.7MB

  • memory/1680-136-0x0000000074E20000-0x00000000753D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4108-134-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/4108-137-0x0000000074E20000-0x00000000753D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4108-138-0x0000000074E20000-0x00000000753D1000-memory.dmp

    Filesize

    5.7MB