Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/01/2025, 19:29
General
-
Target
06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe
-
Size
803KB
-
MD5
4d70c4f7594371493e4372f4c5cc2c49
-
SHA1
019f726fc46d6ce1a73cd87a46e2d565bf8271eb
-
SHA256
06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f
-
SHA512
685661f913b2d348929de9981575d343bee7a0c9beb152df09f24fb44d8260b787815fa13039a08059daf2073f898f6f51459141589689dab45fe52851ab1934
-
SSDEEP
24576:bkGvM/P1U4bBTOKr26GU5OYsnXgxvrQrAnuIwE:b2/P1UOtOKC6GrYsgxTQTID
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 4 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe"C:\Users\Admin\AppData\Local\Temp\06a66efa39b3258602d8d6f6742452f2efb8befce6320b58e6ea5e8b9e30d86f.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Users\Admin\advpack\refsutil.exeC:\Users\Admin\advpack\refsutil.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\advpack\refsutil.exeC:\Users\Admin\advpack\refsutil.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\advpack\refsutil.exeC:\Users\Admin\advpack\refsutil.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
319B
MD5c0ed926cd0e608944ad99322aaedb97a
SHA1007e5bc9d8650a46f48f75045034702c24be39c5
SHA256eb035294fbea39baa6e6c65cb7e06451987c51c5536586f23de5dc7f91096943
SHA51283891a4984208720a224937101313759ffec75f5ebb2225c30555e5a28c7cc753162d802b176694ecc7404e2723f75d86d313adb835d4ec826ac13ff24cce42a
-
Filesize
803KB
MD5d9fa547570dda4beb3a7aae54d2eea06
SHA1099164d4ce81b31fe371c43334ddc242bb4fea20
SHA25634291f762c3189a662d5c4124f68e7b0487d120529000ee14aec1f565d93699d
SHA51293a7d954495efc2081c093d30c89afab242c67ecc8ce2f822102ef7013f0158a076032f48d23882bf63e4502b40937b0f331a0634143efa38caa2cf06af2441d
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
344KB