imminent | 3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

General

Target

3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Size

644KB
MD5

2d52f51831bb09c03ef6d4237df554f3
SHA1

2b96a3092e7a44b0af213adb78ce9d38ba8e4df4
SHA256

3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7
SHA512

84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
396	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winregedit = "\\winlogomereg\\windowsreg.exe"	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winregedit = "C:\\Users\\Admin\\AppData\\Roaming\\winlogomereg\\windowsreg.exe"	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 4364 set thread context of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4172	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
396	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Token: SeDebugPrivilege	216	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Token: SeDebugPrivilege	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Token: SeDebugPrivilege	396	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Token: 33	396	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
Token: SeIncBasePriorityPrivilege	396	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
396	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 2360 wrote to memory of 216	2360	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	88
PID 216 wrote to memory of 4364	216	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	91
PID 216 wrote to memory of 4364	216	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	91
PID 216 wrote to memory of 4364	216	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	91
PID 216 wrote to memory of 4228	216	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	92
PID 216 wrote to memory of 4228	216	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	92
PID 216 wrote to memory of 4228	216	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	92
PID 4228 wrote to memory of 4172	4228	cmd.exe	94
PID 4228 wrote to memory of 4172	4228	cmd.exe	94
PID 4228 wrote to memory of 4172	4228	cmd.exe	94
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95
PID 4364 wrote to memory of 396	4364	3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe	95

C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
"C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
  "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
    "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe
      "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:4172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Filesize
644KB

MD5
2d52f51831bb09c03ef6d4237df554f3

SHA1
2b96a3092e7a44b0af213adb78ce9d38ba8e4df4

SHA256
3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

SHA512
84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Filesize
644KB

MD5
2d52f51831bb09c03ef6d4237df554f3

SHA1
2b96a3092e7a44b0af213adb78ce9d38ba8e4df4

SHA256
3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

SHA512
84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7\3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7.exe

Filesize
644KB

MD5
2d52f51831bb09c03ef6d4237df554f3

SHA1
2b96a3092e7a44b0af213adb78ce9d38ba8e4df4

SHA256
3e466f7e99f42aea17a56cebb60bbb17eb2e8fbb8e779b5b076d81a2717a92c7

SHA512
84324a5bf5ce001ec71ff22111fd7aa8f29dd01163a6f5f0ad242149cb21a1d64a91a70b2de7a7c2d0dc974882088b95f8c66134208bc572200c0b1bea767790

Download Submit
memory/216-136-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/216-137-0x00000000077C0000-0x0000000007826000-memory.dmp

Filesize
408KB

Download
memory/2360-134-0x00000000098E0000-0x000000000997C000-memory.dmp

Filesize
624KB

Download
memory/2360-130-0x0000000000340000-0x00000000003EA000-memory.dmp

Filesize
680KB

Download
memory/2360-133-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/2360-132-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/2360-131-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing