imminent | fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f

Analysis

max time kernel
165s
max time network
179s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe
Size

1.1MB
MD5

f1986f6f9c557cba0ddd74907fe9a10f
SHA1

e1a7082eba81f783f3802b694d7eb81f6f5eb9d6
SHA256

fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f
SHA512

5780aa0de7feb6113f91d71d1e6d931faa410f082754c73de5b3aebb986b094c69c2c925cec837e7e62279bf6b100622403755666442fbf27ecf8dd28da86626
SSDEEP

24576:ct24U3gipfnsa5Yu0KPRjez8l+OSgLphaZ3etWrv:mSd0Cu8hm3vv

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Executes dropped EXE 2 IoCs

Processes:

fbelj.comfbelj.com

pid process

864 fbelj.com
1388 fbelj.com

pid	process
864	fbelj.com
1388	fbelj.com

Loads dropped DLL 5 IoCs

Processes:

fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exefbelj.com

pid	process
996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe
996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe
996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe
996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe
864	fbelj.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fbelj.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	fbelj.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\mocow\\fbelj.com C:\\Users\\Admin\\AppData\\Roaming\\mocow\\mwmsa.guw"	fbelj.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

fbelj.com

description pid process target process

PID 1388 set thread context of 1416 1388 fbelj.com RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1056 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fbelj.com

pid process

1388 fbelj.com
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1056 taskkill.exe
Token: SeDebugPrivilege 1416 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1416 RegSvcs.exe

description	pid	process	target process
PID 1388 set thread context of 1416	1388	fbelj.com	RegSvcs.exe

pid	process
1056	taskkill.exe

pid	process
1388	fbelj.com

description	pid	process
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	1416	RegSvcs.exe

pid	process
1416	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exefbelj.comfbelj.com

description	pid	process	target process
PID 996 wrote to memory of 864	996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe	fbelj.com
PID 996 wrote to memory of 864	996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe	fbelj.com
PID 996 wrote to memory of 864	996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe	fbelj.com
PID 996 wrote to memory of 864	996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe	fbelj.com
PID 996 wrote to memory of 864	996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe	fbelj.com
PID 996 wrote to memory of 864	996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe	fbelj.com
PID 996 wrote to memory of 864	996	fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe	fbelj.com
PID 864 wrote to memory of 1388	864	fbelj.com	fbelj.com
PID 864 wrote to memory of 1388	864	fbelj.com	fbelj.com
PID 864 wrote to memory of 1388	864	fbelj.com	fbelj.com
PID 864 wrote to memory of 1388	864	fbelj.com	fbelj.com
PID 864 wrote to memory of 1388	864	fbelj.com	fbelj.com
PID 864 wrote to memory of 1388	864	fbelj.com	fbelj.com
PID 864 wrote to memory of 1388	864	fbelj.com	fbelj.com
PID 1388 wrote to memory of 1940	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1940	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1940	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1940	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1940	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1940	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1940	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1756	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1756	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1756	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1756	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1756	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1756	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1756	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1372	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1372	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1372	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1372	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1372	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1372	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1372	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1696	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1696	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1696	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1696	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1696	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1696	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1696	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1968	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1968	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1968	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1968	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1968	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1968	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1968	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1380	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1380	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1380	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1380	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1380	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1380	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1380	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 708	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 708	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 708	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 708	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 708	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 708	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 708	1388	fbelj.com	mshta.exe
PID 1388 wrote to memory of 1824	1388	fbelj.com	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe
"C:\Users\Admin\AppData\Local\Temp\fd1916a392220cd992581702e90a710dbf320009d585e64e7b982ab1b946f93f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Roaming\mocow\fbelj.com
"C:\Users\Admin\AppData\Roaming\mocow\fbelj.com" mwmsa.guw
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Roaming\mocow\fbelj.com
C:\Users\Admin\AppData\Roaming\mocow\fbelj.com C:\Users\Admin\AppData\Roaming\mocow\TUBYQ
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1940

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1756

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1372

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1696

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1968

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1380

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
4⤵
PID:1824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM mshta.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mocow\TUBYQ
Filesize
118KB

MD5
c346f5cd7684d742e218dc717b47c027

SHA1
c1486531db25d3c7f86e6a0031342885bd8580b5

SHA256
f4277a31ceba382ca8de4d8771e9d12e67dac07c421edbb9dc38be4d843bcb63

SHA512
90548e009e967c0151b3330c5070352a5de2e227d61a0695044ebaddad492d2a95a05fbeddb7155b959320ffbfbb0866f091348f8e7927a5810aa8ec2344edaf

Download Submit
C:\Users\Admin\AppData\Roaming\mocow\YMQGIX
Filesize
29KB

MD5
27f8e29b46e0f22c0f3c3719e1ae255a

SHA1
93dfaad73f38a0f0f4fb853046c701f89be69fea

SHA256
9df519788d7144c9994b473110f1bcc52c71df640272b062e6914ce8bbcce541

SHA512
13399fec829948f3bf8751706ecef040c47aed98df8b2dc6ffddbbaad2d9cc10ef3c1a0a981e3b78d1d7f8e705134eebafab7ea1eace1a33088e9431bf63497a

Download Submit
C:\Users\Admin\AppData\Roaming\mocow\cuvwl
Filesize
277KB

MD5
358d42dbd27056d26ac7c36894867024

SHA1
c8674fcf937b6afba3b10d55c740120fec63b3e2

SHA256
7c1a5054664ad89866c2d94760eda80de4aba4ac7629f384be474c8a0d21d7c4

SHA512
43a6b5857f931dfad8ad72c5821c86a26b6bd0298db76ece1806af4a8e0c9fa0217fbefb51d847d2d5e52a2facc3e7f8278b2d9d211da99da00f12d12a90f47b

Download Submit
C:\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\mocow\mwmsa.guw
Filesize
74KB

MD5
9087bb5a0e5a8c107730fb9f64786ba1

SHA1
8fa6f94a78ccdb7041818e94bc49c142bd5813d9

SHA256
2dc1a4b49d344e240a68ea84ed86ad37749c017fbdfa05064108ac6fd16b5e99

SHA512
8ebd31e6f7030d3fc968025ff5275c43fc2fe00256600e9eb8456265c3370ff95ee3772fd0e4c98f8d20667d00840a50676d229ad931029f49a6f4008eea58f8

Download Submit
C:\Users\Admin\AppData\Roaming\mocow\tknbe.jue
Filesize
118KB

MD5
f6e15c6d7f0c9520825cb0f0b792153f

SHA1
337135a46591e4139300775cf0acee39e87d961e

SHA256
b84f15965a8afe578a1a138e6bf194fc283d76e7131a013ea5c3a996a5173af4

SHA512
d196fc316d2c2e9fdc4e58aa432a29cd7bbd54b03a6f71bb7dbe1832d750194caccddf441677fd975d3a5d094ed86cfcab618bbf05d0e9866ccf32b570291920

Download Submit
\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\mocow\fbelj.com
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/708-83-0x0000000000000000-mapping.dmp

Download
memory/864-59-0x0000000000000000-mapping.dmp

Download
memory/996-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1056-87-0x0000000000000000-mapping.dmp

Download
memory/1372-75-0x0000000000000000-mapping.dmp

Download
memory/1380-81-0x0000000000000000-mapping.dmp

Download
memory/1388-67-0x0000000000000000-mapping.dmp

Download
memory/1416-91-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1416-96-0x000000000044674E-mapping.dmp

Download
memory/1416-103-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1416-102-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/1416-100-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1416-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1416-98-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1416-93-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1416-94-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1416-95-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-77-0x0000000000000000-mapping.dmp

Download
memory/1756-73-0x0000000000000000-mapping.dmp

Download
memory/1824-85-0x0000000000000000-mapping.dmp

Download
memory/1940-71-0x0000000000000000-mapping.dmp

Download
memory/1968-79-0x0000000000000000-mapping.dmp

Download