Overview

overview

10

Static

static

1

cea2d53f37...9c.exe

windows7-x64

10

cea2d53f37...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2024 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cea2d53f3741c750f8da141ce3044b9c.exe

  • Size

    548KB

  • MD5

    cea2d53f3741c750f8da141ce3044b9c

  • SHA1

    e4c40c26e0556447cbb8c5731aa3b4fe9a1e9399

  • SHA256

    059da1d4aca3dac5c4e827e9e7a5ebd07e3b3581135c200cdcb7c5e9be5065e3

  • SHA512

    36067bd002f52ea95d6eb2d2a84808a879bc0af619938ade50b2bb08fe440af897815b5066c89fbe7383f99f08a77449fdfd0524636b22a500117d3c17fec615

  • SSDEEP

    12288:e9dVKCxkIgeqXqXBb9P3BpcLLWW7HMwBIMQxlskGljE3af6EJ:yXKCFgeCqXBN3MswjQxkJ

Score
10/10
imminentspywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cea2d53f3741c750f8da141ce3044b9c.exe
    "C:\Users\Admin\AppData\Local\Temp\cea2d53f3741c750f8da141ce3044b9c.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe
      "C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe
        "C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe"
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1408
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4360

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe
      Filesize

      548KB

      MD5

      cea2d53f3741c750f8da141ce3044b9c

      SHA1

      e4c40c26e0556447cbb8c5731aa3b4fe9a1e9399

      SHA256

      059da1d4aca3dac5c4e827e9e7a5ebd07e3b3581135c200cdcb7c5e9be5065e3

      SHA512

      36067bd002f52ea95d6eb2d2a84808a879bc0af619938ade50b2bb08fe440af897815b5066c89fbe7383f99f08a77449fdfd0524636b22a500117d3c17fec615

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Or's industry\PairBusy.exe
      Filesize

      381KB

      MD5

      4e05ff6178990eab73ae9f921942f0bb

      SHA1

      70e2fcd1c1dda8c949a89696584418de8e02e364

      SHA256

      80d20d77ae3725760fd2440ee083e55d41ea90cc18b74bdc903111152e63235d

      SHA512

      da14f0db2cf3823d868cf66ee10864a4f03485c409f4f9576827550015e009bf7a8a2968e034826f37805e9105e7a1db085278660c80d85820608c546e4e9243

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Against Down.lnk
      Filesize

      1KB

      MD5

      5fcc748d1c6a11a6c2b422e0a57769fa

      SHA1

      84f5e7b3ee1f8eb07f3c2a03ecfe0ddb6e72ffb3

      SHA256

      c48e6b986c9d651d79e99c8fb68be02ed550725a2a00132d5044d8ea97fb6d9c

      SHA512

      a480e7e90590d1ff817af41b457c832ef468a7a406aff404973d9a83aa9b14ef9d35c60e130bd9f550779f22feaf872239c60a2c1715e25efbf7817bb2a68673

      Download Submit

    • memory/1408-37-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1408-36-0x00000000015E0000-0x00000000015F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1408-35-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1408-29-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1408-48-0x00000000015E0000-0x00000000015F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1408-47-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1440-22-0x0000000000670000-0x0000000000680000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1440-45-0x0000000000670000-0x0000000000680000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1440-24-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1440-21-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1440-26-0x0000000000670000-0x0000000000680000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1440-46-0x0000000000670000-0x0000000000680000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1440-27-0x0000000000670000-0x0000000000680000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1440-43-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1440-44-0x0000000000670000-0x0000000000680000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-7-0x0000000001A80000-0x0000000001A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-25-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4160-0-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4160-5-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4160-4-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4160-3-0x0000000001A80000-0x0000000001A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-2-0x0000000001A80000-0x0000000001A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-1-0x0000000074F80000-0x0000000075531000-memory.dmp

      Filesize

      5.7MB

      Download