imminent | 259f205fe9a1f92bb1edd9afcc9cd6832e07b9ed858dd0d14dac3aaaa459084c

General

Target

259f205fe9a1f92bb1edd9afcc9cd6832e07b9ed858dd0d14dac3aaaa459084c.docm
Size

680KB
MD5

f74d8ea669f1d0d933f93fdd56307d8a
SHA1

b84fed3454dc4ff366355a140817b460dc97fed3
SHA256

259f205fe9a1f92bb1edd9afcc9cd6832e07b9ed858dd0d14dac3aaaa459084c
SHA512

06062c65e36c849b8b5b376e1d299cfdca5418926d995c66db760f2dc2136ed024fdf020c085c85f3ae096d30f43fde74150703b4e663d6b3eb3478f063bb9ce

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
2064	ms.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\icekid = "C:\\Users\\Admin\\AppData\\Roaming\\icekid\\icekid.exe"	ms.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ms.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ms.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	ms.exe
File opened for modification	C:\Windows\assembly	ms.exe
File created	C:\Windows\assembly\Desktop.ini	ms.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2996	WINWORD.EXE
2996	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2064	ms.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	ms.exe
Token: 33	2064	ms.exe
Token: SeIncBasePriorityPrivilege	2064	ms.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2064	ms.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2064	2996	WINWORD.EXE	79
PID 2996 wrote to memory of 2064	2996	WINWORD.EXE	79
PID 2996 wrote to memory of 2064	2996	WINWORD.EXE	79

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\259f205fe9a1f92bb1edd9afcc9cd6832e07b9ed858dd0d14dac3aaaa459084c.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\ProgramData\Memsys\ms.exe
  C:\ProgramData\Memsys\ms.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Memsys\ms.exe

Filesize
321KB

MD5
9a5d1c7ad2013e8cc2af40b15f52c603

SHA1
c044a1df2ec140b76448cb2169b42864d57baeef

SHA256
9777eef17d35f36a40d078f37ed10991366d369296f3db6fde00685c31044404

SHA512
2eb7d9a8c72f2c20c59f6413aa8c66fabf3f0d9ab2f14a42141cdc21a5e0a3f297be35bd20e23c9e3124584b75ff753e5ab017a870c87d1ca877103c8d626e03

Download Submit
C:\ProgramData\Memsys\ms.exe

Filesize
321KB

MD5
9a5d1c7ad2013e8cc2af40b15f52c603

SHA1
c044a1df2ec140b76448cb2169b42864d57baeef

SHA256
9777eef17d35f36a40d078f37ed10991366d369296f3db6fde00685c31044404

SHA512
2eb7d9a8c72f2c20c59f6413aa8c66fabf3f0d9ab2f14a42141cdc21a5e0a3f297be35bd20e23c9e3124584b75ff753e5ab017a870c87d1ca877103c8d626e03

Download Submit
memory/2064-143-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/2064-142-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/2996-134-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-136-0x00007FFABCEA0000-0x00007FFABCEB0000-memory.dmp

Filesize
64KB

Download
memory/2996-137-0x000001C1198E8000-0x000001C1198EA000-memory.dmp

Filesize
8KB

Download
memory/2996-138-0x000001C1198E8000-0x000001C1198EA000-memory.dmp

Filesize
8KB

Download
memory/2996-135-0x00007FFABCEA0000-0x00007FFABCEB0000-memory.dmp

Filesize
64KB

Download
memory/2996-130-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-133-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-131-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-132-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-146-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-148-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-147-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download
memory/2996-145-0x00007FFABF110000-0x00007FFABF120000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads