Overview

overview

10

Static

static

3

ee74dcfc2c...23.exe

windows7-x64

10

ee74dcfc2c...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee74dcfc2c793e31464765575b88a36906aecb3daf685932abc3231e30cd8923.exe

  • Size

    680KB

  • MD5

    de14f5adcd20b19b6b221647507c7c09

  • SHA1

    74a3dad2deeffa26a21f643273089847df606f3f

  • SHA256

    ee74dcfc2c793e31464765575b88a36906aecb3daf685932abc3231e30cd8923

  • SHA512

    72f3950a43bac271ddd9290bfcbf4d26072abb584f9d643d90b0a98ae2e05da2649b193336d826412f8b130fd1854d76ffba9c4464f9993640154e97e4cc12c3

  • SSDEEP

    12288:PWvWgQsk97ZQjoOi1dkxVU6S8HWK/a1KPesnWwNnuFBbSEWEEEHnmfY5JdutJRMf:4v7k7ii1yUiH0

Score
10/10
imminentdiscoverypersistencespywaretrojan

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

    trojanspywareimminent
  • Imminent family
    imminent
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee74dcfc2c793e31464765575b88a36906aecb3daf685932abc3231e30cd8923.exe
    "C:\Users\Admin\AppData\Local\Temp\ee74dcfc2c793e31464765575b88a36906aecb3daf685932abc3231e30cd8923.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SysWOW64\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4700
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1160

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat
      Filesize

      42B

      MD5

      abd0f6e13501f347e54ae6060f0e61eb

      SHA1

      f94cacf144b2c1f798667eb85dca532f6746d4a7

      SHA256

      7f9e5bed5bb2b25e2c0d9b235005df5fa388650f47c1c9743e0d226bc4dcb615

      SHA512

      4786455d7ea5b3508027bcbdf4e5e278e3fc90bb162ff6714256e53b9ac971b3e7a128d1040e15cd8eeb8e4fb4d60d1a1383bee0371b721d35c6425bd6d8f7e4

      Download Submit

    • memory/4700-23-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-27-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-15-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-16-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-21-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-22-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-24-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-25-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-26-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4700-17-0x00000000054D0000-0x00000000054D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4800-7-0x0000000005FC0000-0x0000000006026000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4800-39-0x0000000075240000-0x00000000759F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4800-12-0x0000000007120000-0x000000000712A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4800-3-0x0000000009DE0000-0x0000000009E7C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4800-11-0x00000000067A0000-0x00000000067B6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4800-8-0x00000000064E0000-0x00000000064F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4800-2-0x0000000005630000-0x0000000005658000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4800-0-0x000000007524E000-0x000000007524F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4800-6-0x0000000005AB0000-0x0000000005B42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4800-5-0x0000000075240000-0x00000000759F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4800-1-0x0000000000C50000-0x0000000000D00000-memory.dmp

      Filesize

      704KB

      Download

    • memory/4800-37-0x000000007524E000-0x000000007524F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4800-4-0x000000000A430000-0x000000000A9D4000-memory.dmp

      Filesize

      5.6MB

      Download