imminent | 0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0

General

Target

0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
Size

656KB
MD5

0a4c0d8994ab45e5e6968463333429e8
SHA1

2ad478a1da1bcfef9ec5118739bb5aaea8eeb2f1
SHA256

0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0
SHA512

cbfdecf5259d16553948d7b197e26393cec0e42f0adbd9b5d8bc1ca2793efeb2775d65f80b4499121f32428f0d8d63af43e3eed8f4e5e95a8f6386001f3ccf0a

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
1912	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogiomsf = "\\wcindowsdefeninif\\winlogomn.exe"	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogiomsf = "C:\\Users\\Admin\\AppData\\Roaming\\wcindowsdefeninif\\winlogomn.exe"	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 4496 set thread context of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3776	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1912	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
Token: SeDebugPrivilege	1600	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
Token: SeDebugPrivilege	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
Token: SeDebugPrivilege	1912	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
Token: 33	1912	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
Token: SeIncBasePriorityPrivilege	1912	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 2128 wrote to memory of 1600	2128	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	88
PID 1600 wrote to memory of 4496	1600	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	89
PID 1600 wrote to memory of 4496	1600	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	89
PID 1600 wrote to memory of 4496	1600	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	89
PID 1600 wrote to memory of 2140	1600	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	90
PID 1600 wrote to memory of 2140	1600	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	90
PID 1600 wrote to memory of 2140	1600	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	90
PID 2140 wrote to memory of 3776	2140	cmd.exe	92
PID 2140 wrote to memory of 3776	2140	cmd.exe	92
PID 2140 wrote to memory of 3776	2140	cmd.exe	92
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93
PID 4496 wrote to memory of 1912	4496	0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe	93

C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
"C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
  "C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
    "C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe
      "C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:3776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe.log

Filesize
1KB

MD5
1191fafc0def1cf027ca380d326d5e50

SHA1
6d11938c77d51d5009a1258f9f35892866c44acf

SHA256
59e94d52aa2b2684225c35720dae5b1d76d67ce4d9e84714bf84c6b9b11d6b86

SHA512
10b375820b5e3a28f2a8ac329835af40a20aec377e94bc771863d69e834515db0b8197274d17aa0d06e96ec292a9429e122ffb87fe9dfd6a42559309fa27f088

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Filesize
656KB

MD5
0a4c0d8994ab45e5e6968463333429e8

SHA1
2ad478a1da1bcfef9ec5118739bb5aaea8eeb2f1

SHA256
0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0

SHA512
cbfdecf5259d16553948d7b197e26393cec0e42f0adbd9b5d8bc1ca2793efeb2775d65f80b4499121f32428f0d8d63af43e3eed8f4e5e95a8f6386001f3ccf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Filesize
656KB

MD5
0a4c0d8994ab45e5e6968463333429e8

SHA1
2ad478a1da1bcfef9ec5118739bb5aaea8eeb2f1

SHA256
0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0

SHA512
cbfdecf5259d16553948d7b197e26393cec0e42f0adbd9b5d8bc1ca2793efeb2775d65f80b4499121f32428f0d8d63af43e3eed8f4e5e95a8f6386001f3ccf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0\0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0.exe

Filesize
656KB

MD5
0a4c0d8994ab45e5e6968463333429e8

SHA1
2ad478a1da1bcfef9ec5118739bb5aaea8eeb2f1

SHA256
0e730fbd55791807de0c882f8165a05dc4e03231aae5bffdca014569dc045ff0

SHA512
cbfdecf5259d16553948d7b197e26393cec0e42f0adbd9b5d8bc1ca2793efeb2775d65f80b4499121f32428f0d8d63af43e3eed8f4e5e95a8f6386001f3ccf0a

Download Submit
memory/1600-136-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1600-137-0x0000000007AC0000-0x0000000007B26000-memory.dmp

Filesize
408KB

Download
memory/2128-134-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download
memory/2128-130-0x0000000000810000-0x00000000008BE000-memory.dmp

Filesize
696KB

Download
memory/2128-133-0x0000000007840000-0x000000000784A000-memory.dmp

Filesize
40KB

Download
memory/2128-132-0x00000000078B0000-0x0000000007942000-memory.dmp

Filesize
584KB

Download
memory/2128-131-0x0000000007DC0000-0x0000000008364000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing