Overview

overview

10

Static

static

32d2b33067...7e.exe

windows7-x64

10

32d2b33067...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    187s
  • max time network
    226s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 20:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32d2b33067419d6dab4410e787f3f886de2b7571017879fe7280e11cf3455c7e.exe

  • Size

    685KB

  • MD5

    ac4959f40f22a11ee528ef90e22db442

  • SHA1

    e20043be99033f6d47b18393f67ac8753427ed5d

  • SHA256

    32d2b33067419d6dab4410e787f3f886de2b7571017879fe7280e11cf3455c7e

  • SHA512

    12c824f695f01d6fd227d1c087ca5494ea190f7c30c3e668b8c2705e39c4ce123dc7c12a5e0bd672f85a6e1edc4fd775ee41379d7f0416a3d708e64188794848

  • SSDEEP

    12288:+F6kN+Db1SIsf8rG8fv+epDbyk0nLi1fxIBxixny:+F6kcnUIA8rvv+cPyk0nG5OYy

Score
10/10
imminentmodiloaderpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32d2b33067419d6dab4410e787f3f886de2b7571017879fe7280e11cf3455c7e.exe
    "C:\Users\Admin\AppData\Local\Temp\32d2b33067419d6dab4410e787f3f886de2b7571017879fe7280e11cf3455c7e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
        3⤵
        • Executes dropped EXE
        PID:3104
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsUpdate.exe
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsUpdate.exe
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1664

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsUpdate.exe
    Filesize

    423KB

    MD5

    f075a14d46a1faf9e7a520e083e62281

    SHA1

    f287846c5da6771d8f81e540e2c3265130ec4437

    SHA256

    0f90eda8458508b2a054636e8dfb97a852f527e0020f5f83ffc974441c8261b0

    SHA512

    69238a7628d97c6e131ff298cc91c14b0e1159786c7ff857008c1f9b6818fd9a0098a26f5e77cfd1bd165f3358b9e6f1e47b1f6c44332650515fcc45b459f012

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsUpdate.exe
    Filesize

    423KB

    MD5

    f075a14d46a1faf9e7a520e083e62281

    SHA1

    f287846c5da6771d8f81e540e2c3265130ec4437

    SHA256

    0f90eda8458508b2a054636e8dfb97a852f527e0020f5f83ffc974441c8261b0

    SHA512

    69238a7628d97c6e131ff298cc91c14b0e1159786c7ff857008c1f9b6818fd9a0098a26f5e77cfd1bd165f3358b9e6f1e47b1f6c44332650515fcc45b459f012

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsUpdate.exe
    Filesize

    423KB

    MD5

    f075a14d46a1faf9e7a520e083e62281

    SHA1

    f287846c5da6771d8f81e540e2c3265130ec4437

    SHA256

    0f90eda8458508b2a054636e8dfb97a852f527e0020f5f83ffc974441c8261b0

    SHA512

    69238a7628d97c6e131ff298cc91c14b0e1159786c7ff857008c1f9b6818fd9a0098a26f5e77cfd1bd165f3358b9e6f1e47b1f6c44332650515fcc45b459f012

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
    Filesize

    108KB

    MD5

    8720989d03e41d8d412ba8c51c28ceab

    SHA1

    90f59979598b5b0f693fa94e86bfd50c2a5cc280

    SHA256

    e7efc92fc188aa58b90a1a37cb7c121a4cdba591b20cb33566eecde77ce0ec1b

    SHA512

    fea81ea5c2bb17d7ac720d469626fcfb7947bae7c24728937828cdca5d6e3b3deab2e144f77cc039e4d68ef2783f1abfe5475c9555a0cf82a8b080e62d6cbea0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
    Filesize

    108KB

    MD5

    8720989d03e41d8d412ba8c51c28ceab

    SHA1

    90f59979598b5b0f693fa94e86bfd50c2a5cc280

    SHA256

    e7efc92fc188aa58b90a1a37cb7c121a4cdba591b20cb33566eecde77ce0ec1b

    SHA512

    fea81ea5c2bb17d7ac720d469626fcfb7947bae7c24728937828cdca5d6e3b3deab2e144f77cc039e4d68ef2783f1abfe5475c9555a0cf82a8b080e62d6cbea0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
    Filesize

    108KB

    MD5

    8720989d03e41d8d412ba8c51c28ceab

    SHA1

    90f59979598b5b0f693fa94e86bfd50c2a5cc280

    SHA256

    e7efc92fc188aa58b90a1a37cb7c121a4cdba591b20cb33566eecde77ce0ec1b

    SHA512

    fea81ea5c2bb17d7ac720d469626fcfb7947bae7c24728937828cdca5d6e3b3deab2e144f77cc039e4d68ef2783f1abfe5475c9555a0cf82a8b080e62d6cbea0

    Download Submit

  • memory/1504-148-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1504-152-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1504-147-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1504-144-0x0000000000000000-mapping.dmp

    Download

  • memory/1664-150-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1664-149-0x0000000000000000-mapping.dmp

    Download

  • memory/1664-153-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3104-137-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3104-142-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3104-140-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3104-139-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3104-136-0x0000000000000000-mapping.dmp

    Download

  • memory/4816-143-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4816-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4816-135-0x0000000073410000-0x00000000739C1000-memory.dmp

    Filesize

    5.7MB

    Download