imminent | d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d

General

Target

d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe
Size

1.0MB
MD5

73545a681827b75ed487a704961065d7
SHA1

f8e2dd5c853ddc2f53387f22b3418a0feb60c2ad
SHA256

d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d
SHA512

b555ab75d7a784b4510e2e5c324a0a51e1d3f271524d61da976714cb917892d94387661cfee04aafe62ab20655bbb7acb1a15fb0a3b2d67734f24686887f5f04
SSDEEP

24576:c2O/Gli7HVTbEJRjPgKlXjbnFVPV187qL/CydNqS4I/nU:6xErPgYXj51eqWSNWI/nU

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Executes dropped EXE 1 IoCs

Processes:

hYuofe.com

pid process

4172 hYuofe.com

pid	process
4172	hYuofe.com

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Helpanel = "C:\\Users\\Admin\\AppData\\Local\\Helpanel\\Helpanel.exe"	RegSvcs.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini RegSvcs.exe
File opened for modification C:\Windows\assembly\Desktop.ini RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hYuofe.com

description pid process target process

PID 4172 set thread context of 1092 4172 hYuofe.com RegSvcs.exe

description	pid	process	target process
PID 4172 set thread context of 1092	4172	hYuofe.com	RegSvcs.exe

Drops file in Windows directory 3 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	RegSvcs.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegSvcs.exe
File opened for modification	C:\Windows\assembly	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

hYuofe.com

pid process

4172 hYuofe.com
4172 hYuofe.com
4172 hYuofe.com
4172 hYuofe.com
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1092 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hYuofe.comRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4172 hYuofe.com
Token: SeDebugPrivilege 1092 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1092 RegSvcs.exe

pid	process
4172	hYuofe.com
4172	hYuofe.com
4172	hYuofe.com
4172	hYuofe.com

pid	process
1092	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4172	hYuofe.com
Token: SeDebugPrivilege	1092	RegSvcs.exe

pid	process
1092	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exehYuofe.com

description	pid	process	target process
PID 2132 wrote to memory of 4172	2132	d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe	hYuofe.com
PID 2132 wrote to memory of 4172	2132	d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe	hYuofe.com
PID 2132 wrote to memory of 4172	2132	d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe	hYuofe.com
PID 4172 wrote to memory of 1092	4172	hYuofe.com	RegSvcs.exe
PID 4172 wrote to memory of 1092	4172	hYuofe.com	RegSvcs.exe
PID 4172 wrote to memory of 1092	4172	hYuofe.com	RegSvcs.exe
PID 4172 wrote to memory of 1092	4172	hYuofe.com	RegSvcs.exe
PID 4172 wrote to memory of 1092	4172	hYuofe.com	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe
"C:\Users\Admin\AppData\Local\Temp\d5a20aedb39de900453979312f67a9fafee20130e107783fb327a5bfc5b2a15d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\ekiz55lcb\hYuofe.com
"C:\Users\Admin\ekiz55lcb\hYuofe.com" iGSd.IZJ
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\EKIZ55~1\FImfePjlvGE.HBZ

Filesize
30B

MD5
d0b479d174024436f72c1301f529fb15

SHA1
a484dd819a39b9dd97ebb79caa799abdf40d6a95

SHA256
8970ce3c7cd1a8921d3852274b57453eddbc10f8b191044e20cae26d718ee696

SHA512
5425d721db6a6535e30cce6dcc23ec375d4bced21b940ba4641ca8632329e5df7ef44631dceeb89a96b77b6203e5e442b3bd3e90e373303b6d57d6a7eb39dd28

Download Submit
C:\Users\Admin\EKIZ55~1\FMeLLJY.VSN

Filesize
271KB

MD5
a9cb8508e7f752e78c21f85bdc71045a

SHA1
edad5671d38dfb6cab31232a418c0b02bdbfedf9

SHA256
d1f9d96f53c4e4b4772eeb47e7f19cb79e741bbc91aa9db8e3a6dc166f945b7f

SHA512
aedbf071ee2c78995d2587c323ddb018a8045a65f3e6c2ed3129bc79186ce9c2387ec2d471d5f6cc9ac6ef6e9e45780787ad2ddcde31e19fcbd7f030bbc35d51

Download Submit
C:\Users\Admin\ekiz55lcb\hYuofe.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\ekiz55lcb\hYuofe.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\ekiz55lcb\iGSd.IZJ

Filesize
343.0MB

MD5
c4c466d9d6fde9943b0e639df2778ab0

SHA1
2c12d9e41d743216ca569122fba7758eeed67969

SHA256
1a78693a43535ff5e326d58853d15b4ccb84218b5fb888eb650c04728640b6f7

SHA512
88ae6d4bb03145774122a1183909122c7b4b9094ac2facab092e76b85df332eca8bdbfeebf30b60afeb8d0c5c9a7eaffd48e639530a3965a14aee22a2c506524

Download Submit
memory/1092-138-0x0000000000000000-mapping.dmp

Download
memory/1092-139-0x0000000000E00000-0x0000000000E4A000-memory.dmp

Filesize
296KB

Download
memory/1092-140-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/1092-141-0x0000000074A10000-0x0000000074FC1000-memory.dmp

Filesize
5.7MB

Download
memory/4172-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads