Analysis

  • max time kernel
    188s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2022 18:17

General

  • Target

    853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe

  • Size

    1.3MB

  • MD5

    55247e810afac66a7de437793bede516

  • SHA1

    41261fddbd211b9032a17b83f0a5130f2a2a3050

  • SHA256

    853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f

  • SHA512

    a2e4a9c2e864231fa40b0d08df6ed47683036f295df5b5f0de95b2611a77e975398938b5c8fe7b53400b8122e50c5093af5b9051b60e44a610f531bf12a36585

  • SSDEEP

    24576:Ntb20pkaCqT5TBWgNQ7a2Ikh9mR87qoz16A:+Vg5tQ7a2Ik7moR5

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic heuristic labels this as likely ransomware behaviour; this sample is classified above as a RAT, so treat the label as a hint, not a verdict.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe
    "C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\AppData\Local\Tempjavacontroller.exe
      "C:\Users\Admin\AppData\Local\Tempjavacontroller.exe"
      2⤵
      • Executes dropped EXE
      PID:2612
    • C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe
      C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\b" "C:\Users\Admin\AppData\Local\Temp\853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Windows\SysWOW64\Taskmgr.exe
          "C:\Windows\System32\Taskmgr.exe"
          4⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4620
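The tree above is a compact description of what to hunt for: the AutoIt-compiled dropper re-launches itself with `/AutoIt3ExecuteScript` pointing at the extracted script `Temp\b`, that child (PID 228) shows SetThreadContext plus WriteProcessMemory and spawns `vbc.exe` with no compiler arguments, and both the child and the `vbc.exe` instance write Run keys. That pattern is consistent with a hollowed .NET host, although the report itself does not state hollowing. The script below is an added example, not part of the sandbox report or any Triage tooling: it encodes those three observations as rules over Sysmon-style process-create (EventID 1) and registry-set (EventID 13) events and ties each hit back to its process ancestry. The events are constructed from the Processes section (paths reproduced as listed, including `Tempjavacontroller.exe` without a separator); the Run value name, the SID in the registry path, the parent PID of the root process and the benign MSBuild compile used as a control are assumptions.

```python
"""Hunting rules for the AutoIt -> vbc.exe chain in the report above.

Added example, not part of the sandbox report. Field names follow Sysmon's
schema; the event values are constructed by hand from the process tree.
"""
import ntpath
from typing import Callable, Dict, List, Optional, Tuple

# LOLBins that only do real work when given arguments; an instance launched
# bare is commonly a hollowing target rather than a compiler invocation.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regsvcs.exe",
                "regasm.exe", "installutil.exe"}
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
# Deliberately fuzzy: also matches the report's "Tempjavacontroller.exe",
# which sits beside Temp because the dropper omitted the separator.
TEMP_DIR = "\\appdata\\local\\temp"

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "853b532081ea4cb76aa086634bd5d07ca095bebbad7258fb5fb9ef6fb9a2746f.exe")
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
RUN_VALUE = "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\javacontroller"  # constructed

# Constructed events modelled on the Processes section; PID 1234 and the
# MSBuild control (PIDs 4999/5000) are assumptions.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 2788, "ParentProcessId": 1234, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2612, "ParentProcessId": 2788,
     "Image": "C:\\Users\\Admin\\AppData\\Local\\Tempjavacontroller.exe",
     "CommandLine": '"C:\\Users\\Admin\\AppData\\Local\\Tempjavacontroller.exe"'},
    {"EventID": 1, "ProcessId": 228, "ParentProcessId": 2788, "Image": SAMPLE,
     "CommandLine": f'{SAMPLE} /AutoIt3ExecuteScript "C:\\Users\\Admin\\AppData\\Local\\Temp\\b" "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 944, "ParentProcessId": 228, "Image": VBC,
     "CommandLine": f'"{VBC}"'},
    {"EventID": 13, "ProcessId": 228, "Image": SAMPLE, "TargetObject": RUN_VALUE},
    {"EventID": 13, "ProcessId": 944, "Image": VBC, "TargetObject": RUN_VALUE},
    {"EventID": 1, "ProcessId": 4620, "ParentProcessId": 944,
     "Image": "C:\\Windows\\SysWOW64\\Taskmgr.exe",
     "CommandLine": '"C:\\Windows\\System32\\Taskmgr.exe"'},
    # Benign control: a real compile, where vbc.exe receives arguments.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4999, "Image": VBC,
     "CommandLine": f'"{VBC}" /noconfig @"C:\\build\\obj\\Debug\\app.rsp"'},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def split_cmdline(cmdline: str) -> Tuple[str, str]:
    """Split a Windows command line into (program token, remaining arguments)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s, "") if end == -1 else (s[1:end], s[end + 1:].strip())
    prog, _, rest = s.partition(" ")
    return prog, rest.strip()


def rule_autoit_script_switch(ev: Dict) -> Optional[str]:
    """Self-re-execution with /AutoIt3ExecuteScript, as PID 228 does above."""
    if ev["EventID"] == 1 and "/autoit3executescript" in ev["CommandLine"].lower():
        return "autoit_execute_script"
    return None


def rule_host_without_arguments(ev: Dict) -> Optional[str]:
    """A compiler/LOLBin host started with an empty argument list."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in HOLLOW_HOSTS:
        return None
    _, args = split_cmdline(ev["CommandLine"])
    return None if args else "dotnet_host_without_arguments"


def rule_run_key_from_temp_or_host(ev: Dict) -> Optional[str]:
    """Run-key persistence written by a Temp-resident binary or a hollow host."""
    if ev["EventID"] != 13 or RUN_KEY not in ev["TargetObject"].lower():
        return None
    if TEMP_DIR in ev["Image"].lower() or basename(ev["Image"]) in HOLLOW_HOSTS:
        return "run_key_set_by_temp_or_host_process"
    return None


RULES: List[Callable[[Dict], Optional[str]]] = [
    rule_autoit_script_switch, rule_host_without_arguments, rule_run_key_from_temp_or_host]


def hunt(events: List[Dict]) -> List[Dict]:
    """Apply RULES and attach the process ancestry (basenames, child first)."""
    parents = {ev["ProcessId"]: (ev["ParentProcessId"], ev["Image"])
               for ev in events if ev["EventID"] == 1}

    def ancestry(pid: int) -> List[str]:
        chain, seen = [], set()
        while pid in parents and pid not in seen:
            seen.add(pid)
            pid, image = parents[pid]
            chain.append(image)
        return chain

    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name is None:
                continue
            chain = ancestry(ev["ProcessId"])
            alerts.append({"rule": name, "pid": ev["ProcessId"],
                           "image": basename(ev["Image"]),
                           "chain": [basename(p) for p in chain],
                           "from_temp": any(TEMP_DIR in p.lower() for p in chain)})
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

The argument-less host rule is the one that carries most of the signal: real `vbc.exe` invocations always receive a response file or source list, so the control event (PID 5000) is not flagged, while the report's instance (PID 944) is, with an ancestry that leads back into `AppData\Local\Temp`. In production the chain check would be done with the parent's own SetThreadContext/WriteProcessMemory telemetry (EventID 8/10 or an EDR equivalent) rather than inferred from command lines alone.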

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\b

    Filesize

    18KB

    MD5

    bfd6856090dde147316faa457b740dda

    SHA1

    bce44b153e3412703d8f9157740a7ef500dcb0ca

    SHA256

    8d7a4b756a7651913c5cd614a5b722d7db80f3ff082222ee80a19837e42588cd

    SHA512

    c549b5285e66d90aa35e7fad0c8072a2ff1c2320c4a3b3167808fd95aa6e86d6c8799cf8bd85b3059926b731e249f8181e1788f0a35540b6f5aa8764b9b4f056

  • C:\Users\Admin\AppData\Local\Temp\incl1

    Filesize

    12KB

    MD5

    2ca76a6543e1e644d5eec2a8620149d2

    SHA1

    42a03dfd435742c27da9997f71df44f7ab7d3c8d

    SHA256

    4ed7f61d00ca189aa15394ddbbee18afb8196509b23ce736646dbca8a84d9f37

    SHA512

    247d42a210e6c1d5185e96e94942871a76df598f8faf07ee59bd7c40349210a07fe492865d9dbefd27965828d2deed50af0dd6a17e30c93196a43dccc3a01761

  • C:\Users\Admin\AppData\Local\Temp\incl2

    Filesize

    272KB

    MD5

    ac789c4f220f9c698c12e46c003d4d1a

    SHA1

    fd15c2413d0da384a9dad009068d6732c6a94215

    SHA256

    0c12b95b8d635c5e0c3ce9294a6a9de14d00f8f13b1ef86cf08d83b09e50d6ae

    SHA512

    5df3f57407a3f5a836f105eb22f9ef668a811dd74e706bc494c47915a97e19e96073ca5447898f9d7a0bd3aef13665ff0a39df5a1149ce464b6d187d1797843b

  • C:\Users\Admin\AppData\Local\Tempjavacontroller.exe

    Filesize

    56KB

    MD5

    5ff6df9ebd3e8a21b5fd48be336846ee

    SHA1

    5bfdb145ea63874a70c8a3a2ba39e8dd826114bb

    SHA256

    af76777bbc3d2ea3e0e02c6dbe717e4d5d5458ecd1bb0baa2ce9367771d3fcab

    SHA512

    431c527e5426bd985eec15d385fbf195901e0e98815d35563c732d97497e19bf3d3d06e82be3509a9961be60a53d5d4ab227259ea839c6cb253e7449883492e9

  • memory/944-140-0x0000000000F70000-0x0000000000FBA000-memory.dmp

    Filesize

    296KB

  • memory/2612-141-0x0000000000C50000-0x0000000000C66000-memory.dmp

    Filesize

    88KB

  • memory/2612-142-0x00000000055F0000-0x000000000568C000-memory.dmp

    Filesize

    624KB

  • memory/2612-143-0x0000000005C40000-0x00000000061E4000-memory.dmp

    Filesize

    5.6MB

  • memory/2612-144-0x0000000005730000-0x00000000057C2000-memory.dmp

    Filesize

    584KB

  • memory/2612-145-0x00000000056B0000-0x00000000056BA000-memory.dmp

    Filesize

    40KB

  • memory/2612-146-0x0000000005920000-0x0000000005976000-memory.dmp

    Filesize

    344KB