Overview

overview

10

Static

static

532b5b5b31...02.exe

windows7-x64

1

532b5b5b31...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe

  • Size

    5.5MB

  • MD5

    17729246d4489d4c70d55e34d8b33914

  • SHA1

    05f2888db4c53e4fc0864a15b17c21876bb77e55

  • SHA256

    532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602

  • SHA512

    113e98bbd04929bc0de80a5f41182dca992b2e1a45b8917267c77419f0c42cb314d1848418aef00138fed1e20614b8f581e25c0fbbc48d88b2000694bb7dffbe

  • SSDEEP

    12288:N615aFdqQf3gmm3LOBID0wCt266fD4EMBm+56j5rVQkC:QIFdqynuOBID0V2PL4EMBm+O5rVE

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe
    "C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YFWMCAFNIN\WUdCwgKVGP.exe,explorer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\YFWMCAFNIN\WUdCwgKVGP.exe,explorer.exe"
        3⤵
        • Modifies WinLogon for persistence
        PID:344
    • C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe
      "C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe"
      2⤵
      • Executes dropped EXE
      PID:228
    • C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe
      "C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:316

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe
    Filesize

    5.5MB

    MD5

    17729246d4489d4c70d55e34d8b33914

    SHA1

    05f2888db4c53e4fc0864a15b17c21876bb77e55

    SHA256

    532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602

    SHA512

    113e98bbd04929bc0de80a5f41182dca992b2e1a45b8917267c77419f0c42cb314d1848418aef00138fed1e20614b8f581e25c0fbbc48d88b2000694bb7dffbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602.exe
    Filesize

    5.5MB

    MD5

    17729246d4489d4c70d55e34d8b33914

    SHA1

    05f2888db4c53e4fc0864a15b17c21876bb77e55

    SHA256

    532b5b5b312f848f106da7717877c9f287050879f79952d32fff3952ac21e602

    SHA512

    113e98bbd04929bc0de80a5f41182dca992b2e1a45b8917267c77419f0c42cb314d1848418aef00138fed1e20614b8f581e25c0fbbc48d88b2000694bb7dffbe

    Download Submit

  • memory/316-140-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/316-142-0x0000000075360000-0x0000000075911000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/316-143-0x0000000075360000-0x0000000075911000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3560-133-0x0000000075360000-0x0000000075911000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3560-134-0x0000000075360000-0x0000000075911000-memory.dmp

    Filesize

    5.7MB

    Download