imminent | e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a

General

Target

e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
Size

1.1MB
MD5

60e6d51d8c8e568b2f721daa8517e330
SHA1

599bfcabaaf49e843a363057d4b5baade0c9bf1e
SHA256

e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a
SHA512

b124440bd73647c403f810604918526e873868b7355ee6c8e613ec8a965567c209fc5233b0f214f6f7c147925659df93ad6184ae0d8d9a883626d957979880d9
SSDEEP

24576:Htb20pkaCqT5TBWgNQ7alF6NnrqoedRaKR8B96A:EVg5tQ7alUrqTdnRk5

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 2036	1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ahk_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ahk_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ahk_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ahk_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.ahk	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.ahk\ = "ahk_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ahk_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ahk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2036	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	vbc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2036	vbc.exe
112	AcroRd32.exe
112	AcroRd32.exe
112	AcroRd32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1272	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	27
PID 1692 wrote to memory of 1272	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	27
PID 1692 wrote to memory of 1272	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	27
PID 1692 wrote to memory of 1272	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	27
PID 1692 wrote to memory of 1272	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	27
PID 1692 wrote to memory of 1272	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	27
PID 1692 wrote to memory of 1272	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	27
PID 1692 wrote to memory of 1256	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	28
PID 1692 wrote to memory of 1256	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	28
PID 1692 wrote to memory of 1256	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	28
PID 1692 wrote to memory of 1256	1692	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	28
PID 1256 wrote to memory of 2036	1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	29
PID 1256 wrote to memory of 2036	1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	29
PID 1256 wrote to memory of 2036	1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	29
PID 1256 wrote to memory of 2036	1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	29
PID 1256 wrote to memory of 2036	1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	29
PID 1256 wrote to memory of 2036	1256	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	29
PID 1272 wrote to memory of 112	1272	rundll32.exe	30
PID 1272 wrote to memory of 112	1272	rundll32.exe	30
PID 1272 wrote to memory of 112	1272	rundll32.exe	30
PID 1272 wrote to memory of 112	1272	rundll32.exe	30

C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
"C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Tempauto jump.ahk
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Tempauto jump.ahk"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:112
- C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
  "C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\732125" "C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\732125

Filesize
17KB

MD5
31a67a9a9b3add7bc836e3348191b2f8

SHA1
40d9198c3be878b55bc4e1404fa2eca853282c31

SHA256
46453e6da45258c2c06fecc44508cb5dab64efe57a345189f60153200d4ed8b7

SHA512
4d4100f03d68e872d6a109265a90ec4b9795978c5895c4a8aa851ea6f482973740b03702525110b676defc0bc09bb4b29911396ae94d0280e459bee4b45f810f

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1

Filesize
19KB

MD5
cf37a7b7d39af92bc45571433e1df301

SHA1
cce6c2a3c32c5ff7bdad549422cdddf5deccfd13

SHA256
d29bb4c5f8b8b32149e319f5efecb755c3b8f5465f1f33c30bbbc8774e870937

SHA512
8b4ebf92723d8b8b4c2d2928ced1c44328eb05429d7db8a7a8b282c4519cf6a168097bbdf6cdb12e1ddb65a87410cbdc7ef54d77140f4b28afc939e606840e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2

Filesize
299KB

MD5
6cb65cda337af8c947fb213ebf5370cb

SHA1
78dda4b942251aba07465d2778da59a0068da92f

SHA256
390cefc7566dde54ea95718d83235aa83fd02090420b679bae5ec31847e565a6

SHA512
5ac12ca2f58bc2b3f9cb18a199b4d37e0b73ed739b12b9823d0c65a3e7aa564808518014bd66de3e182907cb1349e014c3303c30c2a5c5f85cb69fdc541122b2

Download Submit
C:\Users\Admin\AppData\Local\Tempauto jump.ahk

Filesize
169B

MD5
5b000d5b5e2f07dc0d3b03c1b041c6d0

SHA1
1e79bdc98b57be8c72e199863e90c02e3bfd1bc3

SHA256
ddd52a4136145708f8399349127492ec3b2692a2acd4c6a0d02372e92a990099

SHA512
19e5ebe1182e70a5e4a2ff313cc222654147acef6063617d692bb7b7011d97ddaef54171d7b9793744bb928e262019a29770dd509d35ddfca1f5a066b11c6fae

Download Submit
memory/1692-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/2036-67-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/2036-69-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/2036-70-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2036-71-0x0000000004580000-0x0000000004628000-memory.dmp

Filesize
672KB

Download
memory/2036-72-0x0000000000460000-0x0000000000490000-memory.dmp

Filesize
192KB

Download
memory/2036-73-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2036-75-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2036-64-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/2036-62-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing