Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27/01/2025, 20:06
General
-
Target
18d4a9a71d86f01ea67f31471d4d4f0f9eb8a3b6059531418dd790d58dd3545e.exe
-
Size
578KB
-
MD5
528bec23dc50ef64a2484625ec52ddc5
-
SHA1
f7b7a6a139e3ab2e5121dca5154de9c4c51b033d
-
SHA256
18d4a9a71d86f01ea67f31471d4d4f0f9eb8a3b6059531418dd790d58dd3545e
-
SHA512
2568521bc3d3c80c7df707e75ddc987d68dc6c1ec78a37ceecadc3d4d0aa0dd2a68b9109249494e831ac79b69665fb1129fb19c6d2ba4c34d7195f32d83a8131
-
SSDEEP
12288:YbD5arFJwK6hMJ6ZzHFZfc28beMGTfZuqb7/:rBJwdhMJ6ZzHrfcsMGTfZ5P/
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Imminent family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18d4a9a71d86f01ea67f31471d4d4f0f9eb8a3b6059531418dd790d58dd3545e.exe"C:\Users\Admin\AppData\Local\Temp\18d4a9a71d86f01ea67f31471d4d4f0f9eb8a3b6059531418dd790d58dd3545e.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Webdevelop\Webfrequency.exe"C:\Users\Admin\AppData\Roaming\Webdevelop\Webfrequency.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
578KB
MD5e940a89199c8733c36cb8f4484697045
SHA1426356e2fbb6a10be39ddbb740664a0d8c0561b3
SHA25619640c8174a1e40c2d3ae5d005313dfa76d29bee014309c437dcfc1c8b0bde2c
SHA51230fadd7fa1ceb2c9c596da70190d574c2a28300189fd64b91af4f7d6c61a26ebce029355ccdc9c006ad4b147e600a221460381e594ca9717100aaa8552269096
-
Filesize
7.7MB
-
Filesize
592KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
696KB
-
Filesize
160KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
96KB
-
Filesize
344KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB