Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 18:09

General

  • Target

    d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

  • Size

    478KB

  • MD5

    f7e1a441315a80328596c03da48d1778

  • SHA1

    892ec2afe8549bc85d323ce9cfef1e08873ae7a0

  • SHA256

    d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

  • SHA512

    ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4

  • SSDEEP

    6144:0APTi7C55DbmAs2X/4UYPOHfDLmmhDOnzYMvDfDllEVMSjFd+v:7WK5/aq4UYPOugOnEADf7g

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
    "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
      "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
        "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
          "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4224
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 1000
          4⤵
          • Runs ping.exe
          PID:764

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe.log

    Filesize

    224B

    MD5

    c19eb8c8e7a40e6b987f9d2ee952996e

    SHA1

    6fc3049855bc9100643e162511673c6df0f28bfb

    SHA256

    677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

    SHA512

    860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

  • C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

    Filesize

    478KB

    MD5

    f7e1a441315a80328596c03da48d1778

    SHA1

    892ec2afe8549bc85d323ce9cfef1e08873ae7a0

    SHA256

    d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

    SHA512

    ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4

  • C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

    Filesize

    478KB

    MD5

    f7e1a441315a80328596c03da48d1778

    SHA1

    892ec2afe8549bc85d323ce9cfef1e08873ae7a0

    SHA256

    d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

    SHA512

    ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4

  • C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

    Filesize

    478KB

    MD5

    f7e1a441315a80328596c03da48d1778

    SHA1

    892ec2afe8549bc85d323ce9cfef1e08873ae7a0

    SHA256

    d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

    SHA512

    ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4

  • memory/2084-142-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB

  • memory/2084-134-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/2084-137-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3172-136-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3172-132-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4180-144-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4180-148-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4224-149-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB

  • memory/4224-150-0x0000000074B10000-0x00000000750C1000-memory.dmp

    Filesize

    5.7MB