Analysis

max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/03/2025, 00:49
Static task: static1
Behavioral task: behavioral1
Sample: a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe
Resource: win10v2004-20250314-en
General

Target: a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe
Size: 1.3MB
MD5: 842192abeee1ca4788c7f9562ba77c40
SHA1: 0097f42320ccec5a937a9e43dcd37adf154b4f78
SHA256: a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1da
SHA512: b9ee5e78431ff98c06318fcfbb603041f572672810f136c4e393a1aa1d027ff61923ae565af9ec3b5a4caee1c5a9d3e5bb005934550052a5df415073550f2d34
SSDEEP: 24576:nFFWO5WqPbFPhGSSc5sus9Ux0HalJ2a9jRlbRgAeO7A:nvZMqPJhGSSc5q9USCZRU
Malware Config
Signatures

Imminent family

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hTcdWNaiUEILOUVJ.cmd.lnk (process: JNcINeFgQBMYDefVEGSSb.exe)

Executes dropped EXE (1 IoC)
- PID 3080: JNcINeFgQBMYDefVEGSSb.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe)

Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 3080 (JNcINeFgQBMYDefVEGSSb.exe) set thread context of PID 4036 (procid_target 97)

Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (process: RegAsm.exe)
- File opened for modification: C:\Windows\assembly (process: RegAsm.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JNcINeFgQBMYDefVEGSSb.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegAsm.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4036: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4036 (RegAsm.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4036: RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- PID 5808 wrote to memory of 3080 (process: a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe, procid_target 86), 3 events
- PID 3080 wrote to memory of 4036 (process: JNcINeFgQBMYDefVEGSSb.exe, procid_target 97), 5 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe (PID 5808)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe (PID 3080, child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe EbKPFiePLUOOOYOhPRh
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 4036, child of 2)
         Command line: -
         - Drops desktop.ini file(s)
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads