imminent | 86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8

General

Target

86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe
Size

426KB
MD5

78ce45061e4eb02f1ecba7f6027fceb2
SHA1

007c03dac41efb63dba336aec8812e05b538c569
SHA256

86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8
SHA512

1451957185e8cd9bbe0686139365aedaa04cb523791b0247f25b48d631c007ced32f0ed7f6e2ec5fea88b2320c18675675a98c1197ae0506614e171b68e08972

Score

10^/10

imminent evasion spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3500 set thread context of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe
3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1120	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe
Token: SeDebugPrivilege	1120	RegAsm.exe
Token: 33	1120	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1120	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1120	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90
PID 3500 wrote to memory of 1120	3500	86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe	90

C:\Users\Admin\AppData\Local\Temp\86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe
"C:\Users\Admin\AppData\Local\Temp\86323f88c25087297a92e91065b6f9d111f57954e82dbb7317f9f535af71fae8.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-135-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1120-136-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/1120-138-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3500-132-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3500-133-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download
memory/3500-137-0x0000000075290000-0x0000000075841000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads