Analysis
max time kernel: 118s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/03/2025, 06:17
Static task: static1
Behavioral task: behavioral1
Sample: df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
Resource: win10v2004-20250314-en
General
Target: df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
Size: 1.3MB
MD5: 9981c0c91c4cf32e5160325284e9fc6c
SHA1: aeb6b8ef996542c5831e67ef89387d6c4a026bab
SHA256: df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925
SHA512: 8b1d0f85e5728ee48cb6417cd974147aa64ab84f59d3c665d5de06864753b47ebf173776826da03f50f582355ed824987c91a1ba90d88a4d7f4b1debf11650ad
SSDEEP: 24576:nFFWO5WqPbFPhGSSc5sus9Ux0HalJ2a9jRlbRgAeO7AT:nvZMqPJhGSSc5q9USCZRUF
Malware Config
Signatures

Imminent family

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hTcdWNaiUEILOUVJ.cmd.lnk | JNcINeFgQBMYDefVEGSSb.exe

Executes dropped EXE (1 IoCs)
pid | Process
3780 | JNcINeFgQBMYDefVEGSSb.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe

Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3780 set thread context of 1524 | 3780 | JNcINeFgQBMYDefVEGSSb.exe | 97

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly\Desktop.ini | RegAsm.exe
File opened for modification | C:\Windows\assembly | RegAsm.exe
File created | C:\Windows\assembly\Desktop.ini | RegAsm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JNcINeFgQBMYDefVEGSSb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1524 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1524 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1524 | RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2904 wrote to memory of 3780 | 2904 | df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe | 85
PID 2904 wrote to memory of 3780 | 2904 | df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe | 85
PID 2904 wrote to memory of 3780 | 2904 | df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe | 85
PID 3780 wrote to memory of 1524 | 3780 | JNcINeFgQBMYDefVEGSSb.exe | 97
PID 3780 wrote to memory of 1524 | 3780 | JNcINeFgQBMYDefVEGSSb.exe | 97
PID 3780 wrote to memory of 1524 | 3780 | JNcINeFgQBMYDefVEGSSb.exe | 97
PID 3780 wrote to memory of 1524 | 3780 | JNcINeFgQBMYDefVEGSSb.exe | 97
PID 3780 wrote to memory of 1524 | 3780 | JNcINeFgQBMYDefVEGSSb.exe | 97
Processes

1. C:\Users\Admin\AppData\Local\Temp\df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe"
   PID: 2904
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe (child of process 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe EbKPFiePLUOOOYOhPRh
      PID: 3780
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of process 2)
         Command line: - CmdLine Args
         PID: 1524
         - Drops desktop.ini file(s)
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 35KB
MD5: ea3581b5402cd25a4e87c84044baa7c4
SHA1: 1a89d0820ae9a38aa33706ac315d4a9ee68ca2b4
SHA256: 42b41f7864b7676d91f929d7a49c1be90ea9d553d35f13caf624f691ec370d14
SHA512: 7c20f4ab4a3fa2b7bff2d08491562cfa112f6f0bdad8865a9fa0d86a8ad5956e9d4d4369468dced7ac68a51cfa4a5910a986e9d62235a399cd5d54b1d84184e0

Filesize: 915KB
MD5: e01ced5c12390ff5256694eda890b33a
SHA1: 0bb74a9d3154d1269e5e456aa41e94b60f753f78
SHA256: 66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba
SHA512: 93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Filesize: 440KB
MD5: f9316ff4d7013dbd09d1a176c3e857e0
SHA1: eb8cdb51c50e1a676e5d4068e6c2c4a345757568
SHA256: 92d45ab64427ff281d604a8e5a611d104483e15de3202f29844acfdea2a4391f
SHA512: 494abbcba1545a9fae2e5c91c507afa43b4a0f52e58a5508cd45481d853ab19c3a9ac1bdeb4f4466e9603b38d0e6f41be4477b39cfb2b7ded9f421ce4e82b03f