imminent | fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

Analysis

max time kernel
146s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MT1893878746.PDF.IMG.exe
Size

1.2MB
MD5

b7babb9f64a9ecd894d100ce02f132fe
SHA1

8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256

fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512

8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743
SSDEEP

12288:4v+bQYpRi8N69+d0qKu3rXbSIVfqNZSM1fpJwNDxGVwef3G1oMfqzpcfu2E:bpRbi+d0qPVGZTFfLweO1oMSzpKE

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
3624	mt1893878746.pdf.img.exe
628	mt1893878746.pdf.img.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MT1893878746.PDF.IMG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mt1893878746.pdf.img.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MT1893878746.PDF.IMG.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 3624 set thread context of 628	3624	mt1893878746.pdf.img.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4476	schtasks.exe
3984	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4128	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4512	powershell.exe
4512	powershell.exe
2036	powershell.exe
2036	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
628	mt1893878746.pdf.img.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	1104	MT1893878746.PDF.IMG.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	628	mt1893878746.pdf.img.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
628	mt1893878746.pdf.img.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4512	1912	MT1893878746.PDF.IMG.exe	84
PID 1912 wrote to memory of 4512	1912	MT1893878746.PDF.IMG.exe	84
PID 1912 wrote to memory of 4512	1912	MT1893878746.PDF.IMG.exe	84
PID 1912 wrote to memory of 4476	1912	MT1893878746.PDF.IMG.exe	86
PID 1912 wrote to memory of 4476	1912	MT1893878746.PDF.IMG.exe	86
PID 1912 wrote to memory of 4476	1912	MT1893878746.PDF.IMG.exe	86
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1912 wrote to memory of 1104	1912	MT1893878746.PDF.IMG.exe	88
PID 1104 wrote to memory of 3624	1104	MT1893878746.PDF.IMG.exe	89
PID 1104 wrote to memory of 3624	1104	MT1893878746.PDF.IMG.exe	89
PID 1104 wrote to memory of 3624	1104	MT1893878746.PDF.IMG.exe	89
PID 1104 wrote to memory of 3844	1104	MT1893878746.PDF.IMG.exe	90
PID 1104 wrote to memory of 3844	1104	MT1893878746.PDF.IMG.exe	90
PID 1104 wrote to memory of 3844	1104	MT1893878746.PDF.IMG.exe	90
PID 3844 wrote to memory of 4128	3844	cmd.exe	92
PID 3844 wrote to memory of 4128	3844	cmd.exe	92
PID 3844 wrote to memory of 4128	3844	cmd.exe	92
PID 3624 wrote to memory of 2036	3624	mt1893878746.pdf.img.exe	99
PID 3624 wrote to memory of 2036	3624	mt1893878746.pdf.img.exe	99
PID 3624 wrote to memory of 2036	3624	mt1893878746.pdf.img.exe	99
PID 3624 wrote to memory of 3984	3624	mt1893878746.pdf.img.exe	100
PID 3624 wrote to memory of 3984	3624	mt1893878746.pdf.img.exe	100
PID 3624 wrote to memory of 3984	3624	mt1893878746.pdf.img.exe	100
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103
PID 3624 wrote to memory of 628	3624	mt1893878746.pdf.img.exe	103

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
  "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
    "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB94.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
      "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:4128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MT1893878746.PDF.IMG.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4453f1fdca9ea31e4c83c557ebfc9973

SHA1
e9ab3838564420c1c546dbec5a53cb4157792055

SHA256
376582de6a111e2fdcdd90df19ba1c2c2f21c5cfee933cce78e0273809ffcbf0

SHA512
9a69ea0ab78f3f93eeaf443a798b975fc55fd8f6e34a321437ca098fa1953bd0b1c232b396e46ad2e514e40a3f1971d86056d715d3bf62efa22f4fd56f5033b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D74.tmp

Filesize
1KB

MD5
c404ef61bb974e90226fed749a85be10

SHA1
a5fc044ed24a743355ca48546f716ade8015a975

SHA256
d3e125deee5f28a651cdc01a7d249decffaa0fcb13b42797f21011457f62b66c

SHA512
c6a64b6b2c5a8b534fd0f187d23c4171ed8e652c6d99458324414504f3053b34130581f00129804f04962c3bee0836984b0a924afe2f6c45a9fef0ab966ff894

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB94.tmp

Filesize
1KB

MD5
c404ef61bb974e90226fed749a85be10

SHA1
a5fc044ed24a743355ca48546f716ade8015a975

SHA256
d3e125deee5f28a651cdc01a7d249decffaa0fcb13b42797f21011457f62b66c

SHA512
c6a64b6b2c5a8b534fd0f187d23c4171ed8e652c6d99458324414504f3053b34130581f00129804f04962c3bee0836984b0a924afe2f6c45a9fef0ab966ff894

Download Submit
memory/1104-163-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-159-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-144-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-168-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-165-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-149-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-150-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-151-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-154-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-152-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-153-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-155-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-157-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1104-160-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1912-136-0x0000000008C90000-0x0000000008D2C000-memory.dmp

Filesize
624KB

Download
memory/1912-132-0x00000000001B0000-0x00000000002DE000-memory.dmp

Filesize
1.2MB

Download
memory/1912-134-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/1912-133-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/1912-137-0x0000000008E30000-0x0000000008E96000-memory.dmp

Filesize
408KB

Download
memory/1912-135-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/2036-214-0x0000000072650000-0x000000007269C000-memory.dmp

Filesize
304KB

Download
memory/4512-178-0x0000000007410000-0x0000000007A8A000-memory.dmp

Filesize
6.5MB

Download
memory/4512-179-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/4512-180-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/4512-181-0x0000000007040000-0x00000000070D6000-memory.dmp

Filesize
600KB

Download
memory/4512-182-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

Filesize
56KB

Download
memory/4512-183-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/4512-184-0x00000000070E0000-0x00000000070E8000-memory.dmp

Filesize
32KB

Download
memory/4512-177-0x0000000006070000-0x000000000608E000-memory.dmp

Filesize
120KB

Download
memory/4512-176-0x0000000070480000-0x00000000704CC000-memory.dmp

Filesize
304KB

Download
memory/4512-175-0x0000000006090000-0x00000000060C2000-memory.dmp

Filesize
200KB

Download
memory/4512-172-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/4512-142-0x0000000004CA0000-0x00000000052C8000-memory.dmp

Filesize
6.2MB

Download
memory/4512-147-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/4512-146-0x00000000049D0000-0x00000000049F2000-memory.dmp

Filesize
136KB

Download
memory/4512-140-0x0000000002190000-0x00000000021C6000-memory.dmp

Filesize
216KB

Download