imminent | 3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0

General

Target

3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe
Size

651KB
MD5

3a4603408b7f9cf81b35e35098333d47
SHA1

f78f6215dea5ecb2168b9b122e976e4a936a6ea0
SHA256

3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0
SHA512

5ba5bd6ace28cbdd8bb56c3f6b8490110ef903f8aae39583bb36195095796d429e6ed238971a6ad9fc8b25ee2a9f563ddb0a4c902f4ede5f4ecd1d626c0c17e9

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.Lnk	cscript.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4820 set thread context of 392	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	82

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
392	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	RegAsm.exe
Token: 33	392	RegAsm.exe
Token: SeIncBasePriorityPrivilege	392	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
392	RegAsm.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4268	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	80
PID 4820 wrote to memory of 4268	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	80
PID 4820 wrote to memory of 4268	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	80
PID 4820 wrote to memory of 392	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	82
PID 4820 wrote to memory of 392	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	82
PID 4820 wrote to memory of 392	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	82
PID 4820 wrote to memory of 392	4820	3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe	82

C:\Users\Admin\AppData\Local\Temp\3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe
"C:\Users\Admin\AppData\Local\Temp\3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbc.vbs
  2⤵
  - Drops startup file
  PID:4268
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vbc.exe

Filesize
651KB

MD5
3a4603408b7f9cf81b35e35098333d47

SHA1
f78f6215dea5ecb2168b9b122e976e4a936a6ea0

SHA256
3c3557d4bcad650d784053c1b8cb81e94045a5c9bfca6c2c4af2546b353589e0

SHA512
5ba5bd6ace28cbdd8bb56c3f6b8490110ef903f8aae39583bb36195095796d429e6ed238971a6ad9fc8b25ee2a9f563ddb0a4c902f4ede5f4ecd1d626c0c17e9

Download Submit
C:\Users\Admin\vbc.vbs

Filesize
295B

MD5
02afd0e76671e529c4ab8544550becb7

SHA1
f215c5cebf4f10d1a84eb4cf7a839ad0b70c44fe

SHA256
c0370185ad0b494fa6b8785869c73cced65529b191241a43a16d63e7a938bcd8

SHA512
06dcee27d943d984e1257bea95853748f1e7695b887ce698164845934dd525d31c26782d9203d3acc998fb210077a8d68ae8f562291b260ad298dbb265f795e1

Download Submit
memory/392-136-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/392-137-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/4820-130-0x0000000000720000-0x00000000007C8000-memory.dmp

Filesize
672KB

Download
memory/4820-131-0x0000000005440000-0x000000000596C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing