imminent | fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a

General

Target

fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe
Size

1.1MB
MD5

55aaf5931e1f74b704044b846d2ffcdf
SHA1

1bf392fb69e3d76e4a105c8efe4ec2c9cab96e63
SHA256

fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a
SHA512

4ca8c392cb2c6db962df8cebb67cfaf9c0ee0f81e43dd9be058ff7cc2c851c4c9f4de8c264617293d32885b986e5dab3c030296237ea9ecd6f57c0702373bee8
SSDEEP

24576:t2O/Gl+L9i4SWzsCx592IRNHfOUED4RVPVI8Qyqd7FbO:sqn0IfHfOUEDAILyYhO

Score

10^/10

imminent evasion persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Executes dropped EXE 1 IoCs

Processes:

winUpdate.exe

pid process

1984 winUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	winUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\m2v4v7zg9ix7 = "\\Users\\Admin\\m2v4v7zg9ix7\\lextapzxx.vbs"	winUpdate.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	winUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	winUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winUpdate.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

winUpdate.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winUpdate.exe
Drops desktop.ini file(s) 2 IoCs

Processes:

RegSvcs.exe

description ioc process

File opened for modification C:\Windows\assembly\Desktop.ini RegSvcs.exe
File created C:\Windows\assembly\Desktop.ini RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

winUpdate.exe

description pid process target process

PID 1984 set thread context of 2144 1984 winUpdate.exe RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	RegSvcs.exe
File created	C:\Windows\assembly\Desktop.ini	RegSvcs.exe

description	pid	process	target process
PID 1984 set thread context of 2144	1984	winUpdate.exe	RegSvcs.exe

Drops file in Windows directory 3 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	RegSvcs.exe
File created	C:\Windows\assembly\Desktop.ini	RegSvcs.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winUpdate.exe

pid	process
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe
1984	winUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

2144 RegSvcs.exe

pid	process
2144	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

winUpdate.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	2144	RegSvcs.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe
Token: SeDebugPrivilege	1984	winUpdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2144 RegSvcs.exe

pid	process
2144	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exewinUpdate.exe

description	pid	process	target process
PID 1260 wrote to memory of 1984	1260	fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe	winUpdate.exe
PID 1260 wrote to memory of 1984	1260	fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe	winUpdate.exe
PID 1260 wrote to memory of 1984	1260	fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe	winUpdate.exe
PID 1984 wrote to memory of 2144	1984	winUpdate.exe	RegSvcs.exe
PID 1984 wrote to memory of 2144	1984	winUpdate.exe	RegSvcs.exe
PID 1984 wrote to memory of 2144	1984	winUpdate.exe	RegSvcs.exe
PID 1984 wrote to memory of 2144	1984	winUpdate.exe	RegSvcs.exe
PID 1984 wrote to memory of 2144	1984	winUpdate.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe
"C:\Users\Admin\AppData\Local\Temp\fa7eaa5c59411ad4c06f0f98ebbc7c444d8133fcfe98f7200c62e9686594387a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\m2v4v7zg9ix7\winUpdate.exe
"C:\Users\Admin\m2v4v7zg9ix7\winUpdate.exe" kvokks.MCA
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\M2V4V7~1\ZEITBJ~1.LED
Filesize
277KB

MD5
4d830bb6881a011a725275f75499645c

SHA1
53f14a69f53dcda8425405123425f34930753218

SHA256
e06fe878c778112e6784fea4b309f7b44fe027e1a89d030975bf565fea815bfe

SHA512
cd52904a56651d9f9a292b7161adf28520869bd42d907b44535cab2399c7091ed0dfa3a1f757d83a8b21f082dc6f794b59f8e765de5879965352e7bc70375fc6

Download Submit
C:\Users\Admin\M2V4V7~1\dnrmxytyqprc.API
Filesize
229B

MD5
4b94795c0152d55af432c777d1e21d0e

SHA1
64fd547f958cba6fea747cc8a476bd194ff10845

SHA256
16d5e9af35da06436f114d21f14e53beb93c6a57e0ae6fabc603edd27f355eba

SHA512
6d9bed98380f2a377e9dc889da85c714f4f5f9ba029d551f340bd53c229547573a49e215d43d7143ccf0b74dd08b05c7b7c7b4e1329844b5687f1461c817e4d1

Download Submit
C:\Users\Admin\m2v4v7zg9ix7\kvokks.MCA
Filesize
324.1MB

MD5
1528a7a002c969e55798a08329130ba2

SHA1
054e90574a38cfdf61097decb332ee741fcddd2a

SHA256
409699856af740ef8e251d8a72080a19eb2d9589975a5a6c5a8b503010f2d190

SHA512
2128551e1f1ec79a9cd2d821d73b3b7a20460f6c7a598f232eab75357ddb7b1e8dadd2cadb92bd82a26da2867b3db6c789138df85ff590e92aa4cf8e44db0d9c

Download Submit
C:\Users\Admin\m2v4v7zg9ix7\winUpdate.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\m2v4v7zg9ix7\winUpdate.exe
Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/1984-132-0x0000000000000000-mapping.dmp

Download
memory/2144-138-0x0000000000000000-mapping.dmp

Download
memory/2144-139-0x0000000001350000-0x000000000139C000-memory.dmp

Filesize
304KB

Download
memory/2144-140-0x0000000073B70000-0x0000000074121000-memory.dmp

Filesize
5.7MB

Download
memory/2144-141-0x0000000073B70000-0x0000000074121000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads