Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2024 09:51

General

  • Target

    AbitSmarter4.6.1.exe

  • Size

    1.3MB

  • MD5

    7e8236fd0047d8c807d0439b0b77d1d5

  • SHA1

    6a33b3aeab36d5158c7a3dbf1ae306cea1642025

  • SHA256

    f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

  • SHA512

    04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e

  • SSDEEP

    24576:SMXAF2jHlk02cIwiW0eKGepqMY8QZaYXhGuWLl/n1DFYkI5:S0IOHlUcti/PGoaXYuAtK

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (3 IoCs)
  • Uses the VBS compiler for execution (1 TTPs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\AbitSmarter4.6.1.exe
    "C:\Users\Admin\AppData\Local\Temp\AbitSmarter4.6.1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe
      "C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3984
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3276
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snwpjmle.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF8FEBFB0CBE4F5CABC9899F3F61F340.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5088
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2452
      • C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
        "C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe

    Filesize

    496KB

    MD5

    9ab9b5b94fd820b4d1a642bab1c6d667

    SHA1

    d7cb65462fa1bc213c3c499925b4dae0e6d3c0a9

    SHA256

    172341e4b37b0555b4ad2def2ad2939f402c80c91ee6a270feb741a8b9379c94

    SHA512

    160361057f3b4038260f0038e5fab5167b7a12ca1445eb0e0153587e57e6bbf4753b57e1900abf3664851e27961d3b2182a2eb9bde3f7bad32968f6cbf0523bb

  • C:\Users\Admin\AppData\Local\Temp\RES84EF.tmp

    Filesize

    1KB

    MD5

    6850c4fab50807a5bb4978b47d42972c

    SHA1

    648ea2d8f44bee329054c55bd1bd67040c8c2c8f

    SHA256

    5cc5c00f2eee157559e71b6a8a657b6f4660f2afdf7ae8d29036c0cae924e424

    SHA512

    cd80ced88dacaf8f713441a285e6fd722812404aa11998bce8c6544fa2de96b64498560a3cbc4d0e0aec4af5f10bf5e7a326294c41d136d1d8976e81779ad746

  • C:\Users\Admin\AppData\Local\Temp\snwpjmle.0.vb

    Filesize

    3KB

    MD5

    900786350171abc675d131ec7800fcfc

    SHA1

    ba08346708a18f2007f784145ccc40e109cddcd7

    SHA256

    3179cb6eb51a8be5bb60cc7b40182cc24db339d7131104b06d2dab0014afcb03

    SHA512

    20b88b3dcf52bce9ab8a34f7e78db6c54bdefbfa77c54c9c5a06a9ec6b77bf912809b564a1a1a4cac0b98cfccccdb4496d822c12b8cabc3b4861034d33267845

  • C:\Users\Admin\AppData\Local\Temp\snwpjmle.cmdline

    Filesize

    200B

    MD5

    e990b4662dd2bd01e789b0e7caa12729

    SHA1

    250cffdc85a67fe48edf27f077175959f627ffd3

    SHA256

    972829969787e01330f47023526d86731feea95c7cb7cf53cbff9693d6bfa52f

    SHA512

    91197700af94159127ce6d713ace654c9835cc3dd50052f503dc04fc5cf5b1329d3dc13be4bbef16fe0a18f00bb0af3cd84ef2d6e8289ce279b2110b1ed3c909

  • C:\Users\Admin\AppData\Local\Temp\spoolsc.exe

    Filesize

    7KB

    MD5

    2aea70b9d564aa553283dffa69286b46

    SHA1

    b576534cdc74137f461697f441481e20dbbf30a4

    SHA256

    5bd904b4233db1bf7886407fdff2af10fa7779f8ad14dc22fd70c39ff893d48d

    SHA512

    f4cc5b4ca58f711a1d0f5efd929575672695d90409ad80dd0e349eaddfd091f742808fe86d4fcb06bfce7ba0727bc3ea14ad0215e760e77128641c1d9e9336a3

  • C:\Users\Admin\AppData\Local\Temp\vbcF8FEBFB0CBE4F5CABC9899F3F61F340.TMP

    Filesize

    932B

    MD5

    a4f1b6d3bf61f6ce1983cf7185422302

    SHA1

    1ed985cc7a181dc850cc34b1e93ae8e78d350255

    SHA256

    49910004977b290d4e70d3179bae001ecc38ae455f662e05b5a56d4592bc8125

    SHA512

    bbb184d02e291fadc27547321b386cb7bfc83ebb64cf26f3058f119dd5de1384f1b514415ac88295c9ccc434f68bcf0a7107760e92eeba53ec26ea7a5e583a4a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

    Filesize

    1.3MB

    MD5

    7e8236fd0047d8c807d0439b0b77d1d5

    SHA1

    6a33b3aeab36d5158c7a3dbf1ae306cea1642025

    SHA256

    f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

    SHA512

    04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e

  • memory/2292-52-0x0000000074970000-0x0000000074F21000-memory.dmp

    Filesize

    5.7MB

  • memory/2292-53-0x0000000074972000-0x0000000074973000-memory.dmp

    Filesize

    4KB

  • memory/2292-26-0x0000000074972000-0x0000000074973000-memory.dmp

    Filesize

    4KB

  • memory/2292-29-0x0000000074970000-0x0000000074F21000-memory.dmp

    Filesize

    5.7MB

  • memory/2292-27-0x0000000074970000-0x0000000074F21000-memory.dmp

    Filesize

    5.7MB

  • memory/2452-43-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3984-12-0x0000000000640000-0x00000000006C1000-memory.dmp

    Filesize

    516KB

  • memory/3984-14-0x0000000005560000-0x00000000055F2000-memory.dmp

    Filesize

    584KB

  • memory/3984-13-0x0000000005B10000-0x00000000060B4000-memory.dmp

    Filesize

    5.6MB

  • memory/3984-45-0x0000000005490000-0x00000000054A0000-memory.dmp

    Filesize

    64KB

  • memory/3984-11-0x00000000719DE000-0x00000000719DF000-memory.dmp

    Filesize

    4KB

  • memory/4268-51-0x0000000001A00000-0x0000000001AA6000-memory.dmp

    Filesize

    664KB

  • memory/4688-28-0x0000000074970000-0x0000000074F21000-memory.dmp

    Filesize

    5.7MB

  • memory/4688-0-0x0000000074972000-0x0000000074973000-memory.dmp

    Filesize

    4KB

  • memory/4688-2-0x0000000074970000-0x0000000074F21000-memory.dmp

    Filesize

    5.7MB

  • memory/4688-1-0x0000000074970000-0x0000000074F21000-memory.dmp

    Filesize

    5.7MB