imminent | e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a

General

Target

e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
Size

1.1MB
MD5

60e6d51d8c8e568b2f721daa8517e330
SHA1

599bfcabaaf49e843a363057d4b5baade0c9bf1e
SHA256

e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a
SHA512

b124440bd73647c403f810604918526e873868b7355ee6c8e613ec8a965567c209fc5233b0f214f6f7c147925659df93ad6184ae0d8d9a883626d957979880d9
SSDEEP

24576:Htb20pkaCqT5TBWgNQ7alF6NnrqoedRaKR8B96A:EVg5tQ7alUrqTdnRk5

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 1156	2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1156	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	vbc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1648	OpenWith.exe
1156	vbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2388	1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	84
PID 1664 wrote to memory of 2388	1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	84
PID 1664 wrote to memory of 2388	1664	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	84
PID 2388 wrote to memory of 1156	2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	86
PID 2388 wrote to memory of 1156	2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	86
PID 2388 wrote to memory of 1156	2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	86
PID 2388 wrote to memory of 1156	2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	86
PID 2388 wrote to memory of 1156	2388	e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe	86

C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
"C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe
  "C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\791913" "C:\Users\Admin\AppData\Local\Temp\e77485234f6292a030dfeac5f46c29c116464670265cea35852e11f6f9bd509a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\791913

Filesize
17KB

MD5
31a67a9a9b3add7bc836e3348191b2f8

SHA1
40d9198c3be878b55bc4e1404fa2eca853282c31

SHA256
46453e6da45258c2c06fecc44508cb5dab64efe57a345189f60153200d4ed8b7

SHA512
4d4100f03d68e872d6a109265a90ec4b9795978c5895c4a8aa851ea6f482973740b03702525110b676defc0bc09bb4b29911396ae94d0280e459bee4b45f810f

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1

Filesize
19KB

MD5
cf37a7b7d39af92bc45571433e1df301

SHA1
cce6c2a3c32c5ff7bdad549422cdddf5deccfd13

SHA256
d29bb4c5f8b8b32149e319f5efecb755c3b8f5465f1f33c30bbbc8774e870937

SHA512
8b4ebf92723d8b8b4c2d2928ced1c44328eb05429d7db8a7a8b282c4519cf6a168097bbdf6cdb12e1ddb65a87410cbdc7ef54d77140f4b28afc939e606840e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2

Filesize
299KB

MD5
6cb65cda337af8c947fb213ebf5370cb

SHA1
78dda4b942251aba07465d2778da59a0068da92f

SHA256
390cefc7566dde54ea95718d83235aa83fd02090420b679bae5ec31847e565a6

SHA512
5ac12ca2f58bc2b3f9cb18a199b4d37e0b73ed739b12b9823d0c65a3e7aa564808518014bd66de3e182907cb1349e014c3303c30c2a5c5f85cb69fdc541122b2

Download Submit
memory/1156-137-0x0000000000690000-0x00000000006E2000-memory.dmp

Filesize
328KB

Download
memory/1156-138-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/1156-139-0x0000000006C80000-0x0000000007224000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing