Overview

overview

10

Static

static

3

047fcf6cf1...47.exe

windows7-x64

10

047fcf6cf1...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-03-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe

  • Size

    852KB

  • MD5

    e04213f27f4e2c763e0b8910f7743af3

  • SHA1

    2707a70bfb085112cb02c82c738f752a4e789825

  • SHA256

    047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547

  • SHA512

    423039cd63fac7e3ceda72bf26695cc94339b1105b4c1a0bf603364e239658b30be841c47e781da867ff1ea0f22428c589ce3daac2c3834ef58e552fdafb242e

  • SSDEEP

    24576:2deM8k31Q2B7oVSRZw/bO/PVggnoGhkOF8rcbfdaMQ8NNr+OZQw6F77GEm+pV0kn:8e831bEOOyy

Score
10/10
imminentpersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Detects PowerShell content designed to retrieve passwords from host 13 IoCs
  • detects Windows exceutables potentially bypassing UAC using eventvwr.exe 13 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe
    "C:\Users\Admin\AppData\Local\Temp\047fcf6cf1e83002c31d9725f92abe3014bcb0a65a3078dcc6467036ba792547.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\taskmgr.exe
      "C:\Windows\System32\taskmgr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2460
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2288

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat
      Filesize

      50B

      MD5

      5e5949ab86f7e6eb19f2a7d1d11313e9

      SHA1

      4a92320fc66ef89ae83584962371fe2d7543ffa1

      SHA256

      581df2cddc7a7b8753b6f7a448ef410500222a70c265e481ce4bd815d3ac0db6

      SHA512

      dc5f4d1db3484512cc042f566570b9c4c91372a8fa22039d953597df81d5b616e285a0e7893e77d9d9f8ecd7ffed3a8983a62fca4f54159ccd7cf19fb261065c

      Download Submit
    • memory/1244-15-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-55-0x0000000004B80000-0x0000000004BC0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1244-14-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-7-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-8-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-9-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-10-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-12-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-6-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-5-0x00000000004C0000-0x00000000004E8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1244-21-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-23-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-20-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-18-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download
    • memory/1244-24-0x0000000004B80000-0x0000000004BC0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1244-27-0x00000000006E0000-0x00000000006F6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1244-4-0x0000000074D90000-0x000000007547E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1244-52-0x0000000074D90000-0x000000007547E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1244-0-0x0000000000190000-0x0000000000238000-memory.dmp
      Filesize

      672KB

      Download