imminent | 06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76

General

Target

06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe
Size

426KB
MD5

58b82f6046af7142174639c87cc98049
SHA1

ccc10bb1450f97141f5da53c06a331ceb9afeb46
SHA256

06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76
SHA512

20c1242c8ffa359d2d98bac66581e7b346315d377d8e2a64a42f85837a51b36172c0a05e4af81a5844ebdab044d919969046aefb011f2d7e06b3f95bce64c992

Score

10^/10

imminent evasion spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe
3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe
Token: SeDebugPrivilege	4272	RegAsm.exe
Token: 33	4272	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4272	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4272	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 868	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	86
PID 3100 wrote to memory of 868	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	86
PID 3100 wrote to memory of 868	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	86
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88
PID 3100 wrote to memory of 4272	3100	06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe	88

C:\Users\Admin\AppData\Local\Temp\06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe
"C:\Users\Admin\AppData\Local\Temp\06d69058adecff07609b0916b28f042629724ee10739b08d4b3631066a613e76.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVeuivoLvJs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3870.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:868
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4272

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3870.tmp

Filesize
1KB

MD5
3f8978356b4643b1324797eea9c2da53

SHA1
caf1e13f2e1f79025f394d248dde74933aeadf0d

SHA256
26986196bc5badd464f9415cb89f22abc368ad1028454e126fe6148c1fbaa142

SHA512
7fed75cec309b0fe4a5850c517bcd388ab6ec390ee5524756a60a03b5bbead301c307fa9283373430ff808d73af14e6f10a9efff3b830c6eefcd79aef2c89f49

Download Submit
memory/3100-142-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3100-131-0x0000000073580000-0x0000000074080000-memory.dmp

Filesize
11.0MB

Download
memory/3100-132-0x0000000072D70000-0x0000000073518000-memory.dmp

Filesize
7.7MB

Download
memory/3100-133-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3100-134-0x0000000073580000-0x0000000074080000-memory.dmp

Filesize
11.0MB

Download
memory/3100-135-0x0000000072D70000-0x0000000073518000-memory.dmp

Filesize
7.7MB

Download
memory/3100-130-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/3100-140-0x0000000072D70000-0x0000000073518000-memory.dmp

Filesize
7.7MB

Download
memory/3100-141-0x0000000073580000-0x0000000074080000-memory.dmp

Filesize
11.0MB

Download
memory/4272-143-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4272-144-0x0000000073580000-0x0000000074080000-memory.dmp

Filesize
11.0MB

Download
memory/4272-145-0x0000000072D10000-0x00000000734B8000-memory.dmp

Filesize
7.7MB

Download
memory/4272-146-0x0000000074780000-0x0000000074D31000-memory.dmp

Filesize
5.7MB

Download
memory/4272-147-0x0000000073580000-0x0000000074080000-memory.dmp

Filesize
11.0MB

Download
memory/4272-148-0x0000000072D10000-0x00000000734B8000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads