Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/03/2025, 19:22 UTC

General

  • Target

    3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe

  • Size

    803KB

  • MD5

    bcfc0f409a85ca08b9cc4aadc642d2db

  • SHA1

    158934868163c72c134eb2e4f91da0bc6adc8a7c

  • SHA256

    3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85

  • SHA512

    e14bf36cd66c6cfa2e94c84d6e3eb22c21e6152c8ad38ae2ebdcafef4a4ec2717c98ba939c86358f9f5602ddbf9a107f4b545eff4cf1de4b5bfecc371f4cbb1c

  • SSDEEP

    24576:bkGvM/P1U4bBTOKr26GU5OYsnXgxvrQrAnuIws:b2/P1UOtOKC6GrYsgxTQTIH

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Imminent family
  • Executes dropped EXE 3 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
    "C:\Users\Admin\AppData\Local\Temp\3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2812
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2652
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:2884
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {D2791D31-9ACD-4B2B-BA67-086BEAC10E8A} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\advpack\refsutil.exe
        C:\Users\Admin\advpack\refsutil.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2800
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1968
      • C:\Users\Admin\advpack\refsutil.exe
        C:\Users\Admin\advpack\refsutil.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:912
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2064
      • C:\Users\Admin\advpack\refsutil.exe
        C:\Users\Admin\advpack\refsutil.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:604
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1836
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2520

    Network

    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      104 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      96 B
      2
    • 107.173.207.168:389
      RegAsm.exe
      52 B
      1

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\advpack\refsutil.exe

      Filesize

      803KB

      MD5

      be6b354c0cb65ace3fde0c7f92884157

      SHA1

      a6e06e32316ec9bce641568e7b7ef1642fa19abe

      SHA256

      76588615d5fcdd509e65e78295d919dcfa3a7470fa7fc8444734771460d0b55f

      SHA512

      95623f03cac652fb53ba73e5c04b6266ef2c3ae705858fbd120990d05d4e33d854fbfeac8bda01a76fa39cf1333f3a756bb70fbcef032e48b18c5ef73e9f4b81

    • memory/604-64-0x00000000003D0000-0x0000000000558000-memory.dmp

      Filesize

      1.5MB

    • memory/604-53-0x00000000003D0000-0x0000000000558000-memory.dmp

      Filesize

      1.5MB

    • memory/1840-49-0x00000000013A0000-0x0000000001528000-memory.dmp

      Filesize

      1.5MB

    • memory/1976-35-0x00000000013A0000-0x0000000001528000-memory.dmp

      Filesize

      1.5MB

    • memory/1976-23-0x00000000013A0000-0x0000000001528000-memory.dmp

      Filesize

      1.5MB

    • memory/2736-1-0x0000000000350000-0x0000000000351000-memory.dmp

      Filesize

      4KB

    • memory/2736-0-0x00000000000E0000-0x0000000000268000-memory.dmp

      Filesize

      1.5MB

    • memory/2736-13-0x00000000000E0000-0x0000000000268000-memory.dmp

      Filesize

      1.5MB

    • memory/2812-10-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/2812-20-0x0000000074612000-0x0000000074614000-memory.dmp

      Filesize

      8KB

    • memory/2812-14-0x0000000074612000-0x0000000074614000-memory.dmp

      Filesize

      8KB

    • memory/2812-3-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/2812-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2812-9-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/2812-2-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB
