imminent | f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642

General

Target

f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe
Size

775KB
MD5

cf8afe8f43d0ceb419b660e17f3ae7ca
SHA1

b70b100b643bd4f617b4f9a5b0f828d3a9c09c86
SHA256

f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642
SHA512

0f92a936bf333ac61e69b979949d8d09768102636b8c7f212c59711cf45229c438d968b9f2972a951159c8fe039080b0635d0cb75365f7839cd16cc2ae54a5f4
SSDEEP

12288:2A9RqqM2bijAIK7/jas7pmL3qiBXMia3uesKL5iLnE72Ni0YEgqM:2A7iJi43HlF+5MnE7ilG

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\file.exe"	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	System interrupt .exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	System interrupt .exe
File opened for modification	C:\Windows\assembly\Desktop.ini	System interrupt .exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	System interrupt .exe
File created	C:\Windows\assembly\Desktop.ini	System interrupt .exe
File opened for modification	C:\Windows\assembly\Desktop.ini	System interrupt .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2164	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe
3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe
3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4012	System interrupt .exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe
Token: SeDebugPrivilege	4012	System interrupt .exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4012	System interrupt .exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4652	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	79
PID 3444 wrote to memory of 4652	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	79
PID 3444 wrote to memory of 4652	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	79
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 4652 wrote to memory of 4148	4652	cmd.exe	82
PID 4652 wrote to memory of 4148	4652	cmd.exe	82
PID 4652 wrote to memory of 4148	4652	cmd.exe	82
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 3444 wrote to memory of 4012	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	81
PID 4148 wrote to memory of 2308	4148	wscript.exe	83
PID 4148 wrote to memory of 2308	4148	wscript.exe	83
PID 4148 wrote to memory of 2308	4148	wscript.exe	83
PID 3444 wrote to memory of 704	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	93
PID 3444 wrote to memory of 704	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	93
PID 3444 wrote to memory of 704	3444	f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe	93
PID 704 wrote to memory of 2164	704	cmd.exe	95
PID 704 wrote to memory of 2164	704	cmd.exe	95
PID 704 wrote to memory of 2164	704	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe
"C:\Users\Admin\AppData\Local\Temp\f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
      4⤵
      PID:2308
- C:\Users\Admin\AppData\Roaming\System interrupt .exe
  "C:\Users\Admin\AppData\Roaming\System interrupt .exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\stres.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderName\file.exe

Filesize
775KB

MD5
cf8afe8f43d0ceb419b660e17f3ae7ca

SHA1
b70b100b643bd4f617b4f9a5b0f828d3a9c09c86

SHA256
f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642

SHA512
0f92a936bf333ac61e69b979949d8d09768102636b8c7f212c59711cf45229c438d968b9f2972a951159c8fe039080b0635d0cb75365f7839cd16cc2ae54a5f4

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
75B

MD5
b33985e3fc0ff1814a70626c744d2fd9

SHA1
269ff1b7ff5510822cd5207ca8593e48672d7431

SHA256
b4a06f7d7c2b2887801515c8f0cdc7a4cf8245af5afa38314f72952bd18fb357

SHA512
689de361836ff6053e2f0c88942e0b7ac62a3cbc8e8ef923d49c6e84e4c28e65c11588b6d88b69abad86e06d5eb22586d22cafe1abff1ceb6e0fc0d930a97769

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
77B

MD5
a557a61b017faddffbf634b01b09afa2

SHA1
324addd96cc2878fe77c1de25fa59b90afa81172

SHA256
9d605915f3bfafc681b550536c203f51698b695dcf1b44f991f517cfa2bc85aa

SHA512
0666502bac0b965c4bc0fa6f7e360c9ca44df50a5fb85a0754d8db534a7db85297ae1654207b9fe16b8525603fefa8ddb96a792da30f0846af38266fbb2a9178

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\rundll11-.txt

Filesize
775KB

MD5
cf8afe8f43d0ceb419b660e17f3ae7ca

SHA1
b70b100b643bd4f617b4f9a5b0f828d3a9c09c86

SHA256
f159d6cda2240860733dba50c040df6a433e5cc27038b47c73186311305ce642

SHA512
0f92a936bf333ac61e69b979949d8d09768102636b8c7f212c59711cf45229c438d968b9f2972a951159c8fe039080b0635d0cb75365f7839cd16cc2ae54a5f4

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\stres.bat

Filesize
226B

MD5
6cb26b07dc723c4766fc65c2f575d595

SHA1
d012b7a1b8eb3d230d0a790645118c2905a1a332

SHA256
e8e6378f72dd93c1798069e37a2419e40060762b672f0b5bcedb620e06320d73

SHA512
23cda088868129003217c9364217f3165ab9ab915b0eb5067f0560bb45c0fff0b4dccff24f8a7ee1552d5c0174310e17252d899d99518bdb31bc4b1565a14b7e

Download Submit
C:\Users\Admin\AppData\Roaming\System interrupt .exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\System interrupt .exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/3444-141-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3444-132-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3444-150-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4012-145-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4012-146-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4012-142-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing