Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 16:37
General
-
Target
1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4.exe
-
Size
908KB
-
MD5
8e2a5fd038e57f041eda66f17e4b2bfb
-
SHA1
56159808ebc3ba08e1dc4c9ad4807128ea1993ea
-
SHA256
1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4
-
SHA512
42a41b9c4d07497c7dc2c04a175c505939dad0a77ac4c284571ef0e1ebb7a67fdb6f3220b6d84b09541bdb52277d5871c4e4cd1754589f473d118ef5fe607842
-
SSDEEP
12288:QqjqRBa80gi+TCUQpd6KA26mY6nltHnhm9FXRR:QwqN0gi+TCUQvHEFXz
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4.exe"C:\Users\Admin\AppData\Local\Temp\1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\model\print.exe"C:\Users\Admin\AppData\Roaming\model\print.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
908KB
MD5ab0c0a99bd15aefc5063310b5d17c55c
SHA18130393a12d363b4abe7d304011aaf3ca0f3b82a
SHA256215c9bb146134a4397a92b73cb6f9b042f42fa430a21a010903e8ee74932b0e8
SHA51252304dcb4684c9883f5feeab0d17df1dac88605deca39a3f2c9a902afa559374c2bcae43d11904f22f999ebe7b4aea8fe54fc0db90f288f0093e807630564b0e
-
Filesize
6.9MB
-
Filesize
888KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
88KB
-
Filesize
160KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
6.9MB
-
Filesize
888KB
-
Filesize
6.9MB
-
Filesize
352KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB