imminent | f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
Size

1.1MB
MD5

025815e4612abeb9091363175923143f
SHA1

c8f1da32c27227ac04e877b56ac52367e4f040bb
SHA256

f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239
SHA512

e61bcabbe6ad4d87fa609aafa605f592a1cc01326cc0c967765de6846af22d70406ba60a871e152d42e7dd29d17bfac9d67e460b4c29f9b318bb6f007de4f044
SSDEEP

24576:2t24Hig61KRHaDleb38novJ7ZoYHdScInH2v27efUlcaVW67fsMH:cHigDRHElSMnox7ZoYHd9IslsqKWKf1H

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
3040	ewnkp.com
4320	ewnkp.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ewnkp.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ewnkp.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\soawf\\ewnkp.com C:\\Users\\Admin\\AppData\\Roaming\\soawf\\irrdb.txl"	ewnkp.com

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RegSvcs.exe
File created	C:\Windows\assembly\Desktop.ini	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 4748	4320	ewnkp.com	92

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegSvcs.exe
File created	C:\Windows\assembly\Desktop.ini	RegSvcs.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1640	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4320	ewnkp.com
4320	ewnkp.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4748	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	4748	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4748	RegSvcs.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3040	1496	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	78
PID 1496 wrote to memory of 3040	1496	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	78
PID 1496 wrote to memory of 3040	1496	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	78
PID 3040 wrote to memory of 4320	3040	ewnkp.com	80
PID 3040 wrote to memory of 4320	3040	ewnkp.com	80
PID 3040 wrote to memory of 4320	3040	ewnkp.com	80
PID 4320 wrote to memory of 4676	4320	ewnkp.com	81
PID 4320 wrote to memory of 4676	4320	ewnkp.com	81
PID 4320 wrote to memory of 4676	4320	ewnkp.com	81
PID 4320 wrote to memory of 3884	4320	ewnkp.com	82
PID 4320 wrote to memory of 3884	4320	ewnkp.com	82
PID 4320 wrote to memory of 3884	4320	ewnkp.com	82
PID 4320 wrote to memory of 628	4320	ewnkp.com	83
PID 4320 wrote to memory of 628	4320	ewnkp.com	83
PID 4320 wrote to memory of 628	4320	ewnkp.com	83
PID 4320 wrote to memory of 1108	4320	ewnkp.com	84
PID 4320 wrote to memory of 1108	4320	ewnkp.com	84
PID 4320 wrote to memory of 1108	4320	ewnkp.com	84
PID 4320 wrote to memory of 3392	4320	ewnkp.com	85
PID 4320 wrote to memory of 3392	4320	ewnkp.com	85
PID 4320 wrote to memory of 3392	4320	ewnkp.com	85
PID 4320 wrote to memory of 2392	4320	ewnkp.com	87
PID 4320 wrote to memory of 2392	4320	ewnkp.com	87
PID 4320 wrote to memory of 2392	4320	ewnkp.com	87
PID 4320 wrote to memory of 3896	4320	ewnkp.com	88
PID 4320 wrote to memory of 3896	4320	ewnkp.com	88
PID 4320 wrote to memory of 3896	4320	ewnkp.com	88
PID 4320 wrote to memory of 2328	4320	ewnkp.com	89
PID 4320 wrote to memory of 2328	4320	ewnkp.com	89
PID 4320 wrote to memory of 2328	4320	ewnkp.com	89
PID 2328 wrote to memory of 1640	2328	cmd.exe	91
PID 2328 wrote to memory of 1640	2328	cmd.exe	91
PID 2328 wrote to memory of 1640	2328	cmd.exe	91
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92
PID 4320 wrote to memory of 4748	4320	ewnkp.com	92

C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
"C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
  "C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com" irrdb.txl
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
    C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Users\Admin\AppData\Roaming\soawf\JVNSK
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1108
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:3896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /IM mshta.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\soawf\JVNSK

Filesize
117KB

MD5
3384979a23fbe4de79286b1901121b19

SHA1
5e69f43dcc8ed992ab17c233271712bb0bf60f13

SHA256
ae2427d833c91c213875fe7e70b05c88e949859da91b33681d598e3fd6b4f740

SHA512
0f98ff4b4c631dfc388e515dcaa3e858ed2c9581a63d9ab3ec588ea9ef17a593dc632c6f9093c13944812f273153ea0f0b37a1ca8aaa30a23d1199dcdf832fa3

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\YMQGIX

Filesize
22KB

MD5
8411942151d844067bc637c35ac2847e

SHA1
0fae54a9b04ab15ce4acff346224d88195300b23

SHA256
96a2341f1bc8f3a31ca774b76f0c441d54f4f9e270d7aeeafac68e2ccf9e3506

SHA512
a3fb1441cd29300abdaa889e4c6cec9dba4e12d21459eada361117a2a64f163051af8bc0c942e56b2b932df7428c259d8dcc5d6c5d3c260be799050bb0ccd610

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\citax.ojb

Filesize
117KB

MD5
3a6730dd1fd8c9a8a316dcc6d4c6510c

SHA1
2d1d23733c1e34143b85575418b0d7fb39c30a78

SHA256
b5f108cffa82e6bd972d548139ef07d2024db58f0657b1cce60d1d1ca27958e5

SHA512
e5280425ea75d2429bc3795aa8352a687910fc3b43c533ae31afb7d6dafaa1f7bdac3698b94fd4ef7f0bfc49eccdd371cc83727b377baec2c9a974d4a4206310

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\irrdb.txl

Filesize
3KB

MD5
320133077eb8365d0a35a6c8bf1078c5

SHA1
31bf50ca151ee596b2fa04db5f748c2799b16b26

SHA256
a18eb74dc95cd8df63dd06561ade96d97efe753153f7e679f118be9cc3b2aad6

SHA512
f6cf82316f2562d6910690064fcb1681d1136ce902cac2f6dd8daa1b5b8877b8ebf6be8b5bd48ea00a522971fa85929340268ea69cf1f3003ebfa4af9e26da38

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\nbwul

Filesize
272KB

MD5
b6ea1cbbe3f6599f3992c1b0eacfa171

SHA1
2844c4ea48876886757a24b05c72473594a8cb4e

SHA256
87d170c56ef26f9bb8f46151a61d56be62ecac3847c33145e3c8501fad778c4d

SHA512
01fa6e5a8dcc661c0e8a037de9476920ea0d87370e0b895c7d5c2dfd17db1b2ef9dca7c29dc43b6223c0a77cefb889b1ad2cf7cdeff997647e358e6c147823ef

Download Submit
memory/4748-152-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4748-153-0x0000000072720000-0x0000000072CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4748-154-0x0000000072720000-0x0000000072CD1000-memory.dmp

Filesize
5.7MB

Download