imminent | cb042a1253d6619982a9d42cf4a868282079974731caf8b2f4f505f8ae1debd1

General

Target

pic2347.exe
Size

1.5MB
MD5

76c50fc59cf9443401dcba88de75eee7
SHA1

bd0cffd8034d9c75fc79af972d291001cf141ebf
SHA256

5b0d2f2a32ec566a150f0a016d4bcbc853a6324a22ff7367212226d1d4534a98
SHA512

0152875aaac2d56f7ad9f93db8c6b37979884b72487fe9e59ef5b1c362f8a9b03871a3ce301d04da2508c72f886ac0c6f6abbdccc53c2d0bea8fb255520c1ada
SSDEEP

24576:eagVgYh/PhQnxk/7J0vpkoG854t3h0VwraXL8i1OwdtnBX4z2G3hLQhS:DgVgYh/PhQxk/7J0h28C0VpX4Tw62ehL

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
4916	COCCAQ~1.EXE
3108	PGAh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDLLAARFHKbd.lnk	PGAh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	pic2347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pic2347.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000c000000022f6c-133.dat	autoit_exe
behavioral2/files/0x000c000000022f6c-134.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3108 set thread context of 1224	3108	PGAh.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4916	COCCAQ~1.EXE
4916	COCCAQ~1.EXE
3108	PGAh.exe
3108	PGAh.exe
3108	PGAh.exe
3108	PGAh.exe
3108	PGAh.exe
3108	PGAh.exe
3108	PGAh.exe
3108	PGAh.exe
1224	RegSvcs.exe
1224	RegSvcs.exe
1224	RegSvcs.exe
1224	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	RegSvcs.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4916	COCCAQ~1.EXE
4916	COCCAQ~1.EXE
4916	COCCAQ~1.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4916	COCCAQ~1.EXE
4916	COCCAQ~1.EXE
4916	COCCAQ~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1224	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4916	1780	pic2347.exe	81
PID 1780 wrote to memory of 4916	1780	pic2347.exe	81
PID 1780 wrote to memory of 4916	1780	pic2347.exe	81
PID 4916 wrote to memory of 3108	4916	COCCAQ~1.EXE	82
PID 4916 wrote to memory of 3108	4916	COCCAQ~1.EXE	82
PID 4916 wrote to memory of 3108	4916	COCCAQ~1.EXE	82
PID 3108 wrote to memory of 1224	3108	PGAh.exe	83
PID 3108 wrote to memory of 1224	3108	PGAh.exe	83
PID 3108 wrote to memory of 1224	3108	PGAh.exe	83
PID 3108 wrote to memory of 1224	3108	PGAh.exe	83
PID 3108 wrote to memory of 1224	3108	PGAh.exe	83

C:\Users\Admin\AppData\Local\Temp\pic2347.exe
"C:\Users\Admin\AppData\Local\Temp\pic2347.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Roaming\PGAh.exe
    "C:\Users\Admin\AppData\Roaming\PGAh.exe" "C:\Users\Admin\AppData\Roaming\PGAhA.au3"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      0
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE

Filesize
2.8MB

MD5
71862df435a8a4560d18ffa2c804a206

SHA1
c6ecec74e8258522278ccf7f65fc3acde09b53d1

SHA256
b31163134bfb15cd6d484e8f24b8926e7491ec3e59b45e3f395d63e9059d2c27

SHA512
c87370a41065036513c0dd159b9c2223a8f7a1c60bbc672fa9a8729cd886c45729284d928164783aff33ae2de3ca7fc5ab51bb019cc5319772ee2cefa2f7746c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE

Filesize
2.8MB

MD5
71862df435a8a4560d18ffa2c804a206

SHA1
c6ecec74e8258522278ccf7f65fc3acde09b53d1

SHA256
b31163134bfb15cd6d484e8f24b8926e7491ec3e59b45e3f395d63e9059d2c27

SHA512
c87370a41065036513c0dd159b9c2223a8f7a1c60bbc672fa9a8729cd886c45729284d928164783aff33ae2de3ca7fc5ab51bb019cc5319772ee2cefa2f7746c

Download Submit
C:\Users\Admin\AppData\Roaming\PGAh.exe

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Roaming\PGAh.exe

Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Roaming\PGAhA.au3

Filesize
615KB

MD5
4d5824752390f37c6a9abe3bfe3fd288

SHA1
abbc37a4b691e7f8f27b01195f9b1a917c133f2f

SHA256
8eee91f8fde74863178bcb872073642adbde5b2a272674479171d2d8cb383529

SHA512
3fbee004ebf74d10513cf964841fd6be6477718178224d28ddd38c442303cf5feff57002643a5e0200f4a5e8c1756739d0714091a46a1d8468efa53fe5e70fce

Download Submit
memory/1224-144-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-150-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-165-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/1224-142-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-143-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-145-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-164-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/1224-147-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-148-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-146-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-138-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-152-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-153-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-156-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-158-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-159-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-161-0x0000000000410000-0x0000000000484000-memory.dmp

Filesize
464KB

Download
memory/1224-162-0x0000000009340000-0x00000000093DC000-memory.dmp

Filesize
624KB

Download
memory/1224-163-0x0000000009990000-0x0000000009F34000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing