imminent | 9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4

General

Target

9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
Size

747KB
MD5

20c57c5efa39d963d3a1470c5b1e0b36
SHA1

f54426d900e40925483ad6a1c1a22fe3864eb709
SHA256

9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4
SHA512

bfdb9becb9edcfb369c602587b429c3e6822d6df9d2884f195507c77a753588556b9d54cf07695a1c1949cb0b0f87c4a835c2ebfa22ec74b5182d8c7c2997934

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
1436	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogiomsf = "C:\\Users\\Admin\\AppData\\Roaming\\wcindowsdefeninif\\winlogomn.exe"	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogiomsf = "\\wcindowsdefeninif\\winlogomn.exe"	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
File created	C:\Windows\assembly\Desktop.ini	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 1868 set thread context of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
File opened for modification	C:\Windows\assembly	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
File created	C:\Windows\assembly\Desktop.ini	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4824	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1436	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
Token: SeDebugPrivilege	4960	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
Token: SeDebugPrivilege	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
Token: SeDebugPrivilege	1436	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
Token: 33	1436	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
Token: SeIncBasePriorityPrivilege	1436	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1436	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 2140 wrote to memory of 4960	2140	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	89
PID 4960 wrote to memory of 1868	4960	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	90
PID 4960 wrote to memory of 1868	4960	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	90
PID 4960 wrote to memory of 1868	4960	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	90
PID 4960 wrote to memory of 1144	4960	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	91
PID 4960 wrote to memory of 1144	4960	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	91
PID 4960 wrote to memory of 1144	4960	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	91
PID 1144 wrote to memory of 4824	1144	cmd.exe	93
PID 1144 wrote to memory of 4824	1144	cmd.exe	93
PID 1144 wrote to memory of 4824	1144	cmd.exe	93
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94
PID 1868 wrote to memory of 1436	1868	9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe	94

C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
"C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
  "C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
    "C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe
      "C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:4824

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe.log

Filesize
614B

MD5
3d2a3a481b7b5c27d792fa53189326e8

SHA1
2cbfd0dc21266826b3a07f19793fb0ee52115243

SHA256
12391de09526c63e91ad7657387cfe3db9c1ce254fc664cfded3a060455a7d8d

SHA512
3161ac3ade3cdb8c5d7310e587afe6b637b444e9918dea927170cf198eb4e2683059c1291e4690b5caa12ba25725888cf508b41effd814bb9ba21b559b31cf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Filesize
747KB

MD5
20c57c5efa39d963d3a1470c5b1e0b36

SHA1
f54426d900e40925483ad6a1c1a22fe3864eb709

SHA256
9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4

SHA512
bfdb9becb9edcfb369c602587b429c3e6822d6df9d2884f195507c77a753588556b9d54cf07695a1c1949cb0b0f87c4a835c2ebfa22ec74b5182d8c7c2997934

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Filesize
747KB

MD5
20c57c5efa39d963d3a1470c5b1e0b36

SHA1
f54426d900e40925483ad6a1c1a22fe3864eb709

SHA256
9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4

SHA512
bfdb9becb9edcfb369c602587b429c3e6822d6df9d2884f195507c77a753588556b9d54cf07695a1c1949cb0b0f87c4a835c2ebfa22ec74b5182d8c7c2997934

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4\9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4.exe

Filesize
747KB

MD5
20c57c5efa39d963d3a1470c5b1e0b36

SHA1
f54426d900e40925483ad6a1c1a22fe3864eb709

SHA256
9fb8f0c2d645870c4b48701a1ef84503b54d203f4cec54ae4bfb30e5f754c2d4

SHA512
bfdb9becb9edcfb369c602587b429c3e6822d6df9d2884f195507c77a753588556b9d54cf07695a1c1949cb0b0f87c4a835c2ebfa22ec74b5182d8c7c2997934

Download Submit
memory/1436-150-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1436-149-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-148-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-143-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/1868-144-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2140-131-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2140-134-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/2140-130-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4960-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4960-142-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download
memory/4960-135-0x0000000075430000-0x00000000759E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing