imminent | 399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc

General

Target

399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
Size

880KB
MD5

e2f9aabb2e7969efd71694e749093c8b
SHA1

c3cad4660ccb5a47ee36f73edbd52458cbb0fe08
SHA256

399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc
SHA512

3267ee395d16b12bb7f734d328e26bebd39e74420478fd38994b99cacdca8734251450f15d535f52075ce71d493df261cd8bc864a0246df6fca63623f0436d0e

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
3308	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstartedwind = "C:\\Users\\Admin\\AppData\\Roaming\\defenderwwin\\winlogims.exe"	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4832 set thread context of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2616	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
Token: SeDebugPrivilege	4100	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
Token: SeDebugPrivilege	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
Token: SeDebugPrivilege	3308	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
Token: 33	3308	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
Token: SeIncBasePriorityPrivilege	3308	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3308	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4848 wrote to memory of 4100	4848	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	82
PID 4100 wrote to memory of 4832	4100	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	86
PID 4100 wrote to memory of 4832	4100	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	86
PID 4100 wrote to memory of 4832	4100	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	86
PID 4100 wrote to memory of 2620	4100	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	87
PID 4100 wrote to memory of 2620	4100	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	87
PID 4100 wrote to memory of 2620	4100	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	87
PID 2620 wrote to memory of 2616	2620	cmd.exe	89
PID 2620 wrote to memory of 2616	2620	cmd.exe	89
PID 2620 wrote to memory of 2616	2620	cmd.exe	89
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90
PID 4832 wrote to memory of 3308	4832	399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe	90

C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
"C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
  "C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
    "C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe
      "C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe.log

Filesize
1KB

MD5
4ae433026ba02aba51bdb1cd5285679c

SHA1
24ee6f3bb34942de62617ba7b732f540f4a7952f

SHA256
7637b235e35fedfcd3e9c4de5e02531fbebb74e620ff6dc19fd130e195a2cf6b

SHA512
0339d9534d1063b066937159f4a6d4f2e1d4e326ab9d6f143276c41ffcea8edc0dbbf6dc1ec55d8bd77d180db79fbf431d3c40b3e658169023ed0e50325fad8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Filesize
880KB

MD5
e2f9aabb2e7969efd71694e749093c8b

SHA1
c3cad4660ccb5a47ee36f73edbd52458cbb0fe08

SHA256
399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc

SHA512
3267ee395d16b12bb7f734d328e26bebd39e74420478fd38994b99cacdca8734251450f15d535f52075ce71d493df261cd8bc864a0246df6fca63623f0436d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Filesize
880KB

MD5
e2f9aabb2e7969efd71694e749093c8b

SHA1
c3cad4660ccb5a47ee36f73edbd52458cbb0fe08

SHA256
399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc

SHA512
3267ee395d16b12bb7f734d328e26bebd39e74420478fd38994b99cacdca8734251450f15d535f52075ce71d493df261cd8bc864a0246df6fca63623f0436d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc\399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc.exe

Filesize
880KB

MD5
e2f9aabb2e7969efd71694e749093c8b

SHA1
c3cad4660ccb5a47ee36f73edbd52458cbb0fe08

SHA256
399bd1e4de465b964dfb97dc0b11b6600293d22f0176283de181f2172eb4dedc

SHA512
3267ee395d16b12bb7f734d328e26bebd39e74420478fd38994b99cacdca8734251450f15d535f52075ce71d493df261cd8bc864a0246df6fca63623f0436d0e

Download Submit
memory/3308-149-0x0000000007590000-0x000000000759A000-memory.dmp

Filesize
40KB

Download
memory/4100-137-0x0000000006940000-0x00000000069A6000-memory.dmp

Filesize
408KB

Download
memory/4100-136-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/4100-135-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4832-144-0x0000000000A80000-0x0000000000A8F000-memory.dmp

Filesize
60KB

Download
memory/4832-147-0x0000000000A80000-0x0000000000A8F000-memory.dmp

Filesize
60KB

Download
memory/4848-130-0x00000000001B0000-0x0000000000294000-memory.dmp

Filesize
912KB

Download
memory/4848-133-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/4848-132-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/4848-131-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing