imminent | 085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

General

Target

085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe
Size

1.0MB
MD5

630f1f1db8de6ebd3194537bcba93320
SHA1

e8d63e33bc211c4be7805401812b041c2b229ff7
SHA256

085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406
SHA512

c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
4792	VGAuthService.exe
4368	VGAuthService.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	VGAuthService.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VGAuthService.lnk	VGAuthService.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4792 set thread context of 4368	4792	VGAuthService.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe\:Zone.Identifier:$DATA	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4368	VGAuthService.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe
Token: SeDebugPrivilege	4792	VGAuthService.exe
Token: SeDebugPrivilege	4368	VGAuthService.exe
Token: 33	4368	VGAuthService.exe
Token: SeIncBasePriorityPrivilege	4368	VGAuthService.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4368	VGAuthService.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 3192	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	81
PID 1228 wrote to memory of 3192	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	81
PID 1228 wrote to memory of 3192	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	81
PID 1228 wrote to memory of 3896	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	84
PID 1228 wrote to memory of 3896	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	84
PID 1228 wrote to memory of 3896	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	84
PID 1228 wrote to memory of 3448	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	87
PID 1228 wrote to memory of 3448	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	87
PID 1228 wrote to memory of 3448	1228	085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe	87
PID 3448 wrote to memory of 4792	3448	cmd.exe	88
PID 3448 wrote to memory of 4792	3448	cmd.exe	88
PID 3448 wrote to memory of 4792	3448	cmd.exe	88
PID 4792 wrote to memory of 4448	4792	VGAuthService.exe	89
PID 4792 wrote to memory of 4448	4792	VGAuthService.exe	89
PID 4792 wrote to memory of 4448	4792	VGAuthService.exe	89
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91
PID 4792 wrote to memory of 4368	4792	VGAuthService.exe	91

C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe
"C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:3192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe"
  2⤵
  - NTFS ADS
  PID:3896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe:Zone.Identifier"
      4⤵
      NTFS ADS
      PID:4448
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4368

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VGAuthService.exe.log

Filesize
1KB

MD5
05054fe97857e8cf5f8469d0517ef3a0

SHA1
5745b1916087fe36bf0076d63f54402daaaa382d

SHA256
4776b8faed8002d836b94d6e423f0e3436cda349b26e0d5c9373f3941080985c

SHA512
a0a68ae503ec0e79d43246f8a100fac6264573f97fe9340842a20973d14c1617fd36c0f38d5124516d40e6230291cd50627c061a36921977362efb122afa064b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe

Filesize
1.0MB

MD5
630f1f1db8de6ebd3194537bcba93320

SHA1
e8d63e33bc211c4be7805401812b041c2b229ff7

SHA256
085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

SHA512
c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe

Filesize
1.0MB

MD5
630f1f1db8de6ebd3194537bcba93320

SHA1
e8d63e33bc211c4be7805401812b041c2b229ff7

SHA256
085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

SHA512
c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VGAuthService.exe

Filesize
1.0MB

MD5
630f1f1db8de6ebd3194537bcba93320

SHA1
e8d63e33bc211c4be7805401812b041c2b229ff7

SHA256
085af04b094fa4ace83e52e475d99fefd9050099dba73b11c63308920fb87406

SHA512
c66e3404db29d5bbeab8b14b4428f83cf3472223f7ffafe165a3d4c2a8d0aa5d40c1127fd4ab4936b43ccff9d0298d0e82b8b01eda59ca5b2da238bdccc1e249

Download Submit
memory/1228-135-0x00000000052B0000-0x0000000005472000-memory.dmp

Filesize
1.8MB

Download
memory/1228-132-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/1228-137-0x00000000063C0000-0x0000000006964000-memory.dmp

Filesize
5.6MB

Download
memory/1228-131-0x0000000002AB0000-0x0000000002AD2000-memory.dmp

Filesize
136KB

Download
memory/1228-134-0x0000000004F80000-0x0000000004FA2000-memory.dmp

Filesize
136KB

Download
memory/1228-130-0x0000000000670000-0x000000000077A000-memory.dmp

Filesize
1.0MB

Download
memory/1228-133-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/4368-150-0x00000000075E0000-0x00000000075EA000-memory.dmp

Filesize
40KB

Download
memory/4368-149-0x0000000000360000-0x00000000003B6000-memory.dmp

Filesize
344KB

Download
memory/4792-144-0x0000000007010000-0x00000000070AC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing