imminent | 35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b

General

Target

35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
Size

523KB
MD5

41a3e0dd6ab0f5f9539fb73d240c0a2d
SHA1

adfc196561eedc3ae9eb93a0a804934e5d971a05
SHA256

35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b
SHA512

c103ddcfabd7bd01537a34ef9766485fb7d47af183e20f5e87b54420a100626b13cd65b83c2d07abf76ae2df1813c200b4547e61ba6956134a232680a3a6cda6

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
File created	C:\Windows\assembly\Desktop.ini	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1516	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
212	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
Token: 33	212	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
Token: SeIncBasePriorityPrivilege	212	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
212	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1516	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	86
PID 2160 wrote to memory of 1516	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	86
PID 2160 wrote to memory of 1516	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	86
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88
PID 2160 wrote to memory of 212	2160	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	88

C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbRezOawnhi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1DB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
  "C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB1DB.tmp

Filesize
1KB

MD5
75191cf6996dc18a53ac7af553cbb78c

SHA1
497ac1790a6fe63ef6c092d5cf3f1e22f34baf98

SHA256
e032e425b83efbf2104cc9cdddc2ba125e1e33710c2b983b9b14d63eb917f387

SHA512
f20074cbe963990f76058b548d5658b47d450bff2d5ec51138c14cbf56fc2d34e74bbf04151d38bcaf3b55711b916aa5295418a14b3eb1832cce41453b529957

Download Submit
memory/212-135-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/212-137-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/212-138-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2160-130-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2160-131-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download
memory/2160-136-0x0000000074660000-0x0000000074C11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads