Analysis
-
max time kernel
119s -
max time network
75s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 16:25
General
-
Target
1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4.exe
-
Size
908KB
-
MD5
8e2a5fd038e57f041eda66f17e4b2bfb
-
SHA1
56159808ebc3ba08e1dc4c9ad4807128ea1993ea
-
SHA256
1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4
-
SHA512
42a41b9c4d07497c7dc2c04a175c505939dad0a77ac4c284571ef0e1ebb7a67fdb6f3220b6d84b09541bdb52277d5871c4e4cd1754589f473d118ef5fe607842
-
SSDEEP
12288:QqjqRBa80gi+TCUQpd6KA26mY6nltHnhm9FXRR:QwqN0gi+TCUQvHEFXz
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4.exe"C:\Users\Admin\AppData\Local\Temp\1f571395f90145cf5179f3ae88f8365371ca0ee45cf986101605f9f3e167bcf4.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\model\print.exe"C:\Users\Admin\AppData\Roaming\model\print.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
908KB
MD5249956c16c3c379fc43c691bfc7733a3
SHA1656dc5fde98f2c8de679970108cdac89bb4b16c7
SHA256271c9ce9c6c49d74881fab7b7011e5d6a8c670e6b2c61dd81029650717b9ca10
SHA51212528ea517ed23431e49e6eac106cc9d1aa020bd0ed2a772c5ed3b12280076ec8421ad13874297b79d51ba36ff6c75638115527c56f3b331ff8dba46e7dcf701
-
Filesize
344KB
-
Filesize
160KB
-
Filesize
696KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
32KB
-
Filesize
888KB
-
Filesize
352KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
888KB
-
Filesize
6.9MB