Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-01-2025 00:58

General

  • Target

    keygen.exe

  • Size

    474KB

  • MD5

    c1cfbe3462978d8fee8b0ad881d88766

  • SHA1

    b501ac3965b05b2e7362274ab0b7be2a543b02c9

  • SHA256

    ec5116beddb3fbf853920fa28fdd5b190818b3c6ee7385c1871a4c9512e9eab9

  • SHA512

    00b55b0d3bac872e123134fb83ff294b6cdc638d4a8e8ab24d04d42085f4c1aebe79108a9be6e46c6f17d42310bf266a7b0dc41fa8e3308ecc27764374064780

  • SSDEEP

    12288:9pUEpygn7dfjcP+1PhW/+0/+OGCgiRQVaaeFn:3AqpfjSiyx/+J8aeF

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Imminent family
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 8 IoCs
  • Executes dropped EXE 18 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Windows directory 3 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • NTFS ADS 9 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      PID:4216
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
        "C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe":ZONE.identifier & exit
          4⤵
          • Subvert Trust Controls: Mark-of-the-Web Bypass
          • System Location Discovery: System Language Discovery
          • NTFS ADS
          PID:3676
        • C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe
          "C:\Users\Admin\AppData\Local\Temp\keygen\keygen.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\SysWOW64\Taskmgr.exe
            "C:\Windows\System32\Taskmgr.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:224
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3716
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 1000
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2448
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
        3⤵
        • Subvert Trust Controls: Mark-of-the-Web Bypass
        • System Location Discovery: System Language Discovery
        • NTFS ADS
        PID:4808
      • C:\Users\Admin\AppData\Local\Temp\keygen.exe
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4716
      • C:\Users\Admin\AppData\Local\Temp\keygen.exe
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
          4⤵
          • Subvert Trust Controls: Mark-of-the-Web Bypass
          • System Location Discovery: System Language Discovery
          • NTFS ADS
          PID:5040
        • C:\Users\Admin\AppData\Local\Temp\keygen.exe
          "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
          4⤵
          • Deletes itself
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:440
        • C:\Users\Admin\AppData\Local\Temp\keygen.exe
          "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3976
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
            5⤵
            • Subvert Trust Controls: Mark-of-the-Web Bypass
            • System Location Discovery: System Language Discovery
            • NTFS ADS
            PID:4412
          • C:\Users\Admin\AppData\Local\Temp\keygen.exe
            "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
            5⤵
            • Deletes itself
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2840
          • C:\Users\Admin\AppData\Local\Temp\keygen.exe
            "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3984
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
              6⤵
              • Subvert Trust Controls: Mark-of-the-Web Bypass
              • System Location Discovery: System Language Discovery
              • NTFS ADS
              PID:212
            • C:\Users\Admin\AppData\Local\Temp\keygen.exe
              "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
              6⤵
              • Deletes itself
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:4928
            • C:\Users\Admin\AppData\Local\Temp\keygen.exe
              "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2532
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
                7⤵
                • Subvert Trust Controls: Mark-of-the-Web Bypass
                • System Location Discovery: System Language Discovery
                • NTFS ADS
                PID:4604
              • C:\Users\Admin\AppData\Local\Temp\keygen.exe
                "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
                7⤵
                • Deletes itself
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4404
              • C:\Users\Admin\AppData\Local\Temp\keygen.exe
                "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:4312
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
                  8⤵
                  • Subvert Trust Controls: Mark-of-the-Web Bypass
                  • System Location Discovery: System Language Discovery
                  • NTFS ADS
                  PID:3364
                • C:\Users\Admin\AppData\Local\Temp\keygen.exe
                  "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
                  8⤵
                  • Deletes itself
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3684
                • C:\Users\Admin\AppData\Local\Temp\keygen.exe
                  "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4084
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\keygen.exe":ZONE.identifier & exit
                    9⤵
                    • Subvert Trust Controls: Mark-of-the-Web Bypass
                    • System Location Discovery: System Language Discovery
                    • NTFS ADS
                    PID:2164
                  • C:\Users\Admin\AppData\Local\Temp\keygen.exe
                    "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
                    9⤵
                    • Deletes itself
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2516
                  • C:\Users\Admin\AppData\Local\Temp\keygen.exe
                    "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
                    9⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\keygen.exe.log

    Filesize

    319B

    MD5

    824ba7b7eed8b900a98dd25129c4cd83

    SHA1

    54478770b2158000ef365591d42977cb854453a1

    SHA256

    d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

    SHA512

    ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe

    Filesize

    474KB

    MD5

    c1cfbe3462978d8fee8b0ad881d88766

    SHA1

    b501ac3965b05b2e7362274ab0b7be2a543b02c9

    SHA256

    ec5116beddb3fbf853920fa28fdd5b190818b3c6ee7385c1871a4c9512e9eab9

    SHA512

    00b55b0d3bac872e123134fb83ff294b6cdc638d4a8e8ab24d04d42085f4c1aebe79108a9be6e46c6f17d42310bf266a7b0dc41fa8e3308ecc27764374064780

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe:ZONE.identifier

    Filesize

    28B

    MD5

    90fd34c6bd120fb6d41d18161a05296b

    SHA1

    346e55ea4c486d9f4ac7e65793c34fc18e5a28b1

    SHA256

    53c9dbb7d60a9fd6c12d2580557472f0132cc26c055e2e841b455be1b8713695

    SHA512

    74a0d8a648267a6c2a31cecd076a3d30d59951ca3e00b8e2e0a935a709cd105c6a8da2da6988f4c3bbef13aea3ad9a805547e8373e57a471d1f794db4ca4709e

  • C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

    Filesize

    54B

    MD5

    a0d295bd586a1735e87fbc214a8aea15

    SHA1

    271ae6bfdd06fe0487a61fdf344ea40d4349e6ea

    SHA256

    88891c61dd0e0b8dcac004777310ec01a888adad2f8648b686dc1a9073c2637f

    SHA512

    5651a26a4cc6bd6fae2bae5eca18273d08c7d64f7a303a3cc02f5c15a2a20185ed04e31f85789b41d72d75cdcd92fa38bf290b28d69d96816af9ba79e49e50c3

  • C:\Users\Admin\AppData\Roaming\rundll32.exe

    Filesize

    474KB

    MD5

    bdcc994a6b6fbf973ddf562e9caf73cc

    SHA1

    6cb3d713e860fbbc8e1fd1bfd8d7f24f79d408c7

    SHA256

    7f452f92949ffdbdc5b8fec59cfbd4c675f9872c9bc7d9b33e949d7eef71df0e

    SHA512

    becf9059391fd68c163721e60e08fe27a85aa32a47afaf1ba1f1fd394387b2f2300a97b4580cd75161de296e3a6117db4edb9db5607c27f0f10d964bfae42c66

  • memory/224-94-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-97-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-96-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-98-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-99-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-100-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-90-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-89-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-88-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/224-95-0x0000000005E30000-0x0000000005E31000-memory.dmp

    Filesize

    4KB

  • memory/376-53-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/376-47-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/376-46-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1180-15-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1180-34-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-26-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-24-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-23-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-22-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-21-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-20-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-19-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-18-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-17-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-32-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-14-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1180-49-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1180-35-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-37-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-29-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-28-0x00000000003A0000-0x00000000003FE000-memory.dmp

    Filesize

    376KB

  • memory/1180-16-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1520-0-0x00000000749C2000-0x00000000749C3000-memory.dmp

    Filesize

    4KB

  • memory/1520-52-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1520-8-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1520-7-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1520-6-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1520-4-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1520-3-0x00000000749C2000-0x00000000749C3000-memory.dmp

    Filesize

    4KB

  • memory/1520-2-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

  • memory/1520-1-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB