Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 16:50
Static task: static1
Behavioral task: behavioral1
Sample: 7e0c7607f378ce0cac081420d270e352.exe
Resource: win7-20231215-en
General
Target: 7e0c7607f378ce0cac081420d270e352.exe
Size: 9.9MB
MD5: 7e0c7607f378ce0cac081420d270e352
SHA1: 7334d15139330c769dbe09cdf7968bd8dedacc56
SHA256: 3b32b6fc5406fc754c68fb447ff307427ce7acc9a506c18429cb79dfd86a9496
SHA512: a50245b7c3e594083e6d738f5f736a87bcbbbd5fb66d5d5f0a4beae870a4d5efeb0d0f61f3a8cc4ca6b8efa599dbfb42458a13443937691a585ec5ec8908f587
SSDEEP: 196608:8lZrwL3PXWwE4W+iNoLCrdwJkfSl7WDiBaiM0tfAIyazhIqdJqts/kF4u7u:8lZsTXlxW+ifB8kfxLLT6aqatVF4R
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\64DXPYp3PQKGg74A\\ElZxAEfOw0O8.exe\",explorer.exe"
  Process: 7e0c7607f378ce0cac081420d270e352.exe
Executes dropped EXE (1 IoC)
  PID 2548: QqFZAKYwmSFLCeMh.exe
Loads dropped DLL (12 IoCs)
  PID 1444: 7e0c7607f378ce0cac081420d270e352.exe (1 entry)
  PID 2548: QqFZAKYwmSFLCeMh.exe (11 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updates\\Mediaupdater.exe"
  Process: 7e0c7607f378ce0cac081420d270e352.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0
  Process: QqFZAKYwmSFLCeMh.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  File opened (read-only): \??\VBoxMiniRdrDN
  Process: 7e0c7607f378ce0cac081420d270e352.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  PID 2852: ping.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1444: 7e0c7607f378ce0cac081420d270e352.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1444: 7e0c7607f378ce0cac081420d270e352.exe
  Token: 33, PID 1444: 7e0c7607f378ce0cac081420d270e352.exe
  Token: SeIncBasePriorityPrivilege, PID 1444: 7e0c7607f378ce0cac081420d270e352.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 1444: 7e0c7607f378ce0cac081420d270e352.exe (1 entry)
  PID 2548: QqFZAKYwmSFLCeMh.exe (2 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1444 (7e0c7607f378ce0cac081420d270e352.exe) wrote to memory of PID 2548, procid_target 28 (7 entries)
  PID 2548 (QqFZAKYwmSFLCeMh.exe) wrote to memory of PID 2852, procid_target 30 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\7e0c7607f378ce0cac081420d270e352.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e0c7607f378ce0cac081420d270e352.exe"
  Depth 1, PID 1444
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\QqFZAKYwmSFLCeMh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\QqFZAKYwmSFLCeMh.exe"
    Depth 2, PID 2548
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ping.exe
      Command line: ping -n 1 -w 1000 www.piriform.com
      Depth 3, PID 2852
      - Runs ping.exe
C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  Depth 1, PID 1704
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads