Overview

overview

10

Static

static

5

853b532081...6f.exe

windows7-x64

10

853b532081...6f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe

  • Size

    1.3MB

  • MD5

    55247e810afac66a7de437793bede516

  • SHA1

    41261fddbd211b9032a17b83f0a5130f2a2a3050

  • SHA256

    853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f

  • SHA512

    a2e4a9c2e864231fa40b0d08df6ed47683036f295df5b5f0de95b2611a77e975398938b5c8fe7b53400b8122e50c5093af5b9051b60e44a610f531bf12a36585

  • SSDEEP

    24576:Ntb20pkaCqT5TBWgNQ7a2Ikh9mR87qoz16A:+Vg5tQ7a2Ik7moR5

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe
    "C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Tempjavacontroller.exe
      "C:\Users\Admin\AppData\Local\Tempjavacontroller.exe"
      2⤵
      • Executes dropped EXE
      PID:1108
    • C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe
      C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\b" "C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\SysWOW64\taskmgr.exe
          "C:\Windows\System32\taskmgr.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1160

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\b
    Filesize

    18KB

    MD5

    bfd6856090dde147316faa457b740dda

    SHA1

    bce44b153e3412703d8f9157740a7ef500dcb0ca

    SHA256

    8d7a4b756a7651913c5cd614a5b722d7db80f3ff082222ee80a19837e42588cd

    SHA512

    c549b5285e66d90aa35e7fad0c8072a2ff1c2320c4a3b3167808fd95aa6e86d6c8799cf8bd85b3059926b731e249f8181e1788f0a35540b6f5aa8764b9b4f056

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\incl1
    Filesize

    12KB

    MD5

    2ca76a6543e1e644d5eec2a8620149d2

    SHA1

    42a03dfd435742c27da9997f71df44f7ab7d3c8d

    SHA256

    4ed7f61d00ca189aa15394ddbbee18afb8196509b23ce736646dbca8a84d9f37

    SHA512

    247d42a210e6c1d5185e96e94942871a76df598f8faf07ee59bd7c40349210a07fe492865d9dbefd27965828d2deed50af0dd6a17e30c93196a43dccc3a01761

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\incl2
    Filesize

    272KB

    MD5

    ac789c4f220f9c698c12e46c003d4d1a

    SHA1

    fd15c2413d0da384a9dad009068d6732c6a94215

    SHA256

    0c12b95b8d635c5e0c3ce9294a6a9de14d00f8f13b1ef86cf08d83b09e50d6ae

    SHA512

    5df3f57407a3f5a836f105eb22f9ef668a811dd74e706bc494c47915a97e19e96073ca5447898f9d7a0bd3aef13665ff0a39df5a1149ce464b6d187d1797843b

    Download Submit

  • C:\Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe
    Filesize

    1.3MB

    MD5

    55247e810afac66a7de437793bede516

    SHA1

    41261fddbd211b9032a17b83f0a5130f2a2a3050

    SHA256

    853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f

    SHA512

    a2e4a9c2e864231fa40b0d08df6ed47683036f295df5b5f0de95b2611a77e975398938b5c8fe7b53400b8122e50c5093af5b9051b60e44a610f531bf12a36585

    Download Submit

  • \Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe
    Filesize

    1.3MB

    MD5

    55247e810afac66a7de437793bede516

    SHA1

    41261fddbd211b9032a17b83f0a5130f2a2a3050

    SHA256

    853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f

    SHA512

    a2e4a9c2e864231fa40b0d08df6ed47683036f295df5b5f0de95b2611a77e975398938b5c8fe7b53400b8122e50c5093af5b9051b60e44a610f531bf12a36585

    Download Submit

  • \Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • \Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • \Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • \Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • \Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • \Users\Admin\AppData\Local\Tempjavacontroller.exe
    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

    Download Submit

  • memory/1108-89-0x0000000004C65000-0x0000000004C76000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1108-67-0x0000000000D10000-0x0000000000D26000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1144-70-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1144-77-0x0000000000370000-0x0000000000380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1144-78-0x00000000049B0000-0x0000000004A4E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/1144-79-0x0000000000590000-0x00000000005B8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1144-82-0x00000000005C0000-0x00000000005CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1144-75-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1144-73-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1144-88-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1144-68-0x0000000000080000-0x00000000000CA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1724-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

    Download