imminent | b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

General

Target

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Size

339KB
MD5

6f2079524dfbcc1873b236623bf54332
SHA1

81d9fa986239d2cddb88b0171ef8cc310636a92a
SHA256

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51
SHA512

281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4
SSDEEP

6144:L2gD4gPNYTcl6bWq0o5ACUJVymf7ouQo97HAXvc1GZ/9ctltCc/+EvFkywdg:ggEbWfoSCUqcao97gXvc1ylItCc/+EQ

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Executes dropped EXE 1 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid process

1492 b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid	process
1492	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Word = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Word\\Svchost.exe"	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Word = "\\Microsoft Word\\Svchost.exe"	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2396 PING.EXE

pid	process
2396	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exeb1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

description	pid	process
Token: SeDebugPrivilege	4032	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Token: SeDebugPrivilege	1492	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid process

1492 b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid	process
1492	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.execmd.exe

description	pid	process	target process
PID 4032 wrote to memory of 1492	4032	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
PID 4032 wrote to memory of 1492	4032	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
PID 4032 wrote to memory of 1492	4032	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
PID 4032 wrote to memory of 2612	4032	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	cmd.exe
PID 4032 wrote to memory of 2612	4032	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	cmd.exe
PID 4032 wrote to memory of 2612	4032	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	cmd.exe
PID 2612 wrote to memory of 2396	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 2396	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 2396	2612	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
"C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
"C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
3⤵
- Runs ping.exe
PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Filesize
339KB

MD5
6f2079524dfbcc1873b236623bf54332

SHA1
81d9fa986239d2cddb88b0171ef8cc310636a92a

SHA256
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

SHA512
281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Filesize
339KB

MD5
6f2079524dfbcc1873b236623bf54332

SHA1
81d9fa986239d2cddb88b0171ef8cc310636a92a

SHA256
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

SHA512
281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4

Download Submit
memory/1492-134-0x0000000000000000-mapping.dmp

Download
memory/1492-137-0x00000000745C0000-0x0000000074B71000-memory.dmp

Filesize
5.7MB

Download
memory/1492-141-0x00000000745C0000-0x0000000074B71000-memory.dmp

Filesize
5.7MB

Download
memory/2396-139-0x0000000000000000-mapping.dmp

Download
memory/2612-138-0x0000000000000000-mapping.dmp

Download
memory/4032-132-0x00000000745C0000-0x0000000074B71000-memory.dmp

Filesize
5.7MB

Download
memory/4032-133-0x00000000745C0000-0x0000000074B71000-memory.dmp

Filesize
5.7MB

Download
memory/4032-140-0x00000000745C0000-0x0000000074B71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads