Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/03/2025, 06:17

General

  • Target

    df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe

  • Size

    1.3MB

  • MD5

    9981c0c91c4cf32e5160325284e9fc6c

  • SHA1

    aeb6b8ef996542c5831e67ef89387d6c4a026bab

  • SHA256

    df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925

  • SHA512

    8b1d0f85e5728ee48cb6417cd974147aa64ab84f59d3c665d5de06864753b47ebf173776826da03f50f582355ed824987c91a1ba90d88a4d7f4b1debf11650ad

  • SSDEEP

    24576:nFFWO5WqPbFPhGSSc5sus9Ux0HalJ2a9jRlbRgAeO7AT:nvZMqPJhGSSc5q9USCZRUF

Malware Config

Signatures

  • Imminent RAT

    Remote-access trojan based on Imminent Monitor remote admin software.

  • Imminent family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
    "C:\Users\Admin\AppData\Local\Temp\df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe EbKPFiePLUOOOYOhPRh
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        - CmdLine Args
        3⤵
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EbKPFiePLUOOOYOhPRh

    Filesize

    35KB

    MD5

    ea3581b5402cd25a4e87c84044baa7c4

    SHA1

    1a89d0820ae9a38aa33706ac315d4a9ee68ca2b4

    SHA256

    42b41f7864b7676d91f929d7a49c1be90ea9d553d35f13caf624f691ec370d14

    SHA512

    7c20f4ab4a3fa2b7bff2d08491562cfa112f6f0bdad8865a9fa0d86a8ad5956e9d4d4369468dced7ac68a51cfa4a5910a986e9d62235a399cd5d54b1d84184e0

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe

    Filesize

    915KB

    MD5

    e01ced5c12390ff5256694eda890b33a

    SHA1

    0bb74a9d3154d1269e5e456aa41e94b60f753f78

    SHA256

    66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

    SHA512

    93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hTcdWNaiUEIL

    Filesize

    440KB

    MD5

    f9316ff4d7013dbd09d1a176c3e857e0

    SHA1

    eb8cdb51c50e1a676e5d4068e6c2c4a345757568

    SHA256

    92d45ab64427ff281d604a8e5a611d104483e15de3202f29844acfdea2a4391f

    SHA512

    494abbcba1545a9fae2e5c91c507afa43b4a0f52e58a5508cd45481d853ab19c3a9ac1bdeb4f4466e9603b38d0e6f41be4477b39cfb2b7ded9f421ce4e82b03f

  • memory/1524-36-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-43-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-23-0x0000000073D72000-0x0000000073D73000-memory.dmp

    Filesize

    4KB

  • memory/1524-27-0x0000000073D70000-0x0000000074321000-memory.dmp

    Filesize

    5.7MB

  • memory/1524-28-0x0000000073D70000-0x0000000074321000-memory.dmp

    Filesize

    5.7MB

  • memory/1524-29-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-31-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-52-0x0000000073D70000-0x0000000074321000-memory.dmp

    Filesize

    5.7MB

  • memory/1524-45-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-19-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-40-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-37-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-34-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-42-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-32-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-30-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/1524-51-0x0000000073D72000-0x0000000073D73000-memory.dmp

    Filesize

    4KB

  • memory/3780-17-0x0000000001590000-0x0000000001591000-memory.dmp

    Filesize

    4KB