imminent | 4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706

General

Target

4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe
Size

649KB
MD5

ea8c8008dc1f3f4025baec1d16495917
SHA1

145c3e9890d665a5a98a32935e6e50e81885c5a8
SHA256

4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706
SHA512

ce94265ed85e11ddad87e6b0bbeb69cf275087e03775fcd4acaca751b454797a07b243cf3485fe7180281289b5a73aeafe088417d3fa376c141b61fb8433f4f3

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
1452	fontdrvhost.exe
1916	fontdrvhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fontdrvhost.lnk	fontdrvhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1916	1452	fontdrvhost.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe:Zone.Identifier	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe
Token: SeDebugPrivilege	1452	fontdrvhost.exe
Token: SeDebugPrivilege	1916	fontdrvhost.exe
Token: 33	1916	fontdrvhost.exe
Token: SeIncBasePriorityPrivilege	1916	fontdrvhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1916	fontdrvhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4504	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	85
PID 4396 wrote to memory of 4504	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	85
PID 4396 wrote to memory of 4504	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	85
PID 4396 wrote to memory of 220	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	89
PID 4396 wrote to memory of 220	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	89
PID 4396 wrote to memory of 220	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	89
PID 4396 wrote to memory of 1640	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	92
PID 4396 wrote to memory of 1640	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	92
PID 4396 wrote to memory of 1640	4396	4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe	92
PID 1640 wrote to memory of 1452	1640	cmd.exe	94
PID 1640 wrote to memory of 1452	1640	cmd.exe	94
PID 1640 wrote to memory of 1452	1640	cmd.exe	94
PID 1452 wrote to memory of 4600	1452	fontdrvhost.exe	95
PID 1452 wrote to memory of 4600	1452	fontdrvhost.exe	95
PID 1452 wrote to memory of 4600	1452	fontdrvhost.exe	95
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97
PID 1452 wrote to memory of 1916	1452	fontdrvhost.exe	97

C:\Users\Admin\AppData\Local\Temp\4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe
"C:\Users\Admin\AppData\Local\Temp\4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:4504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe"
  2⤵
  - NTFS ADS
  PID:220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe:Zone.Identifier"
      4⤵
      NTFS ADS
      PID:4600
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
05054fe97857e8cf5f8469d0517ef3a0

SHA1
5745b1916087fe36bf0076d63f54402daaaa382d

SHA256
4776b8faed8002d836b94d6e423f0e3436cda349b26e0d5c9373f3941080985c

SHA512
a0a68ae503ec0e79d43246f8a100fac6264573f97fe9340842a20973d14c1617fd36c0f38d5124516d40e6230291cd50627c061a36921977362efb122afa064b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe

Filesize
649KB

MD5
ea8c8008dc1f3f4025baec1d16495917

SHA1
145c3e9890d665a5a98a32935e6e50e81885c5a8

SHA256
4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706

SHA512
ce94265ed85e11ddad87e6b0bbeb69cf275087e03775fcd4acaca751b454797a07b243cf3485fe7180281289b5a73aeafe088417d3fa376c141b61fb8433f4f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe

Filesize
649KB

MD5
ea8c8008dc1f3f4025baec1d16495917

SHA1
145c3e9890d665a5a98a32935e6e50e81885c5a8

SHA256
4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706

SHA512
ce94265ed85e11ddad87e6b0bbeb69cf275087e03775fcd4acaca751b454797a07b243cf3485fe7180281289b5a73aeafe088417d3fa376c141b61fb8433f4f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\fontdrvhost.exe

Filesize
649KB

MD5
ea8c8008dc1f3f4025baec1d16495917

SHA1
145c3e9890d665a5a98a32935e6e50e81885c5a8

SHA256
4ab258871e20f9249533c808727fa8b6520bc56424a88a40f5e689cba4e6f706

SHA512
ce94265ed85e11ddad87e6b0bbeb69cf275087e03775fcd4acaca751b454797a07b243cf3485fe7180281289b5a73aeafe088417d3fa376c141b61fb8433f4f3

Download Submit
memory/1452-144-0x0000000007070000-0x000000000710C000-memory.dmp

Filesize
624KB

Download
memory/1916-146-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1916-149-0x0000000007F40000-0x0000000007F4A000-memory.dmp

Filesize
40KB

Download
memory/4396-137-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/4396-135-0x0000000004D90000-0x0000000004F52000-memory.dmp

Filesize
1.8MB

Download
memory/4396-134-0x0000000004A40000-0x0000000004A62000-memory.dmp

Filesize
136KB

Download
memory/4396-133-0x0000000004B50000-0x0000000004BB6000-memory.dmp

Filesize
408KB

Download
memory/4396-130-0x0000000000050000-0x00000000000F8000-memory.dmp

Filesize
672KB

Download
memory/4396-132-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/4396-131-0x00000000049E0000-0x0000000004A02000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing