imminent | 47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c

General

Target

47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
Size

1.2MB
MD5

9432bbcaab6aaded9550c649c7de5d11
SHA1

1933408859c383ffa40eb82f879f317c4bc3a067
SHA256

47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c
SHA512

0b974c79d3e13e26b05031bdd6e7990ae93d0854a45674e5edfb00bdafc73600d126acc169f456ef3b6b71ca1f7cd51272017e7576f966470235fa12c5f70fab

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe"	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 1732	1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1732	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	vbc.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	vbc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1332	1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	27
PID 1968 wrote to memory of 1332	1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	27
PID 1968 wrote to memory of 1332	1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	27
PID 1968 wrote to memory of 1332	1968	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	27
PID 1332 wrote to memory of 1732	1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	28
PID 1332 wrote to memory of 1732	1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	28
PID 1332 wrote to memory of 1732	1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	28
PID 1332 wrote to memory of 1732	1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	28
PID 1332 wrote to memory of 1732	1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	28
PID 1332 wrote to memory of 1732	1332	47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe	28

C:\Users\Admin\AppData\Local\Temp\47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
"C:\Users\Admin\AppData\Local\Temp\47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe
  "C:\Users\Admin\AppData\Local\Temp\47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\471905" "C:\Users\Admin\AppData\Local\Temp\47fec1f5cde05d36af0e3b7aa906b7a56cf622db151c72dd0dceedc021251c5c.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\471905

Filesize
17KB

MD5
db604bd1389be2ff2894672e6e8878d9

SHA1
c4c8c38ecfabc11467b2170f5d0f74ac2b8c96b6

SHA256
c99909337f475eada07c93826be252004f30130741cd28185722cba5cde1c81e

SHA512
effa74a64a068b1188279e1ef44689395e58184d985113d79c0b1450124eaf4c97a3ce8b9f86601a38e923324599a74651e372e36f688db92b4542151126b274

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1

Filesize
12KB

MD5
b8f891833c18f882d28dca0d8bf1edf6

SHA1
fe2ba906a57c8011d74ed5ab63da5dda5db106d9

SHA256
99b15f7e814d394ce70ef6457f6ef67c9aa63d19626b31b9e2d54a0babf0d7a5

SHA512
a2e0d64a63241b1ec98e50211434af0185fad5486e8c1e2e6fe281779109308742746e5240e713074db77c9f401254bd4a4951bb5845f6738a922ce1dc567c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2

Filesize
355KB

MD5
840143153a1dec94c9c313990a786288

SHA1
f5f6af81350453b89f97be9f14a74b11ce9ba236

SHA256
138a59a804d8508943ce230dc2109fabee11adf8a51aacf5cb6f4a484b13c661

SHA512
6d62c9b7a94c4cb5822ffb1a83269864957354d557dc5bc82946c2399b5f059d4d54cd756e0599eedfb39b58cf3aec030be00a8a2d48ceed993752ab8ff3faae

Download Submit
memory/1732-71-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-74-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-62-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-65-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-67-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-68-0x0000000000980000-0x00000000009A8000-memory.dmp

Filesize
160KB

Download
memory/1732-70-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-92-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/1732-72-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-73-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-60-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-75-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-76-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-78-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-80-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-81-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-87-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-89-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-86-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-84-0x0000000000080000-0x00000000000E0000-memory.dmp

Filesize
384KB

Download
memory/1732-90-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1968-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing