imminent | f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973

General

Target

f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Size

613KB
MD5

a482ff02cc9c671882add028df3d6f16
SHA1

acf2184f5689ec3f540f98bc4cdc9341dace0d71
SHA256

f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973
SHA512

1229dca9599660cc4d7194ce1c1e6c082c6b501e4aafbf4bb1acbf0da2163e4640fd21a5b5ffdf1aea99e507567aa0ca5c8fd760050e76bd655900050b6712c7
SSDEEP

12288:7W3lPUgZ/xVjXAIOztFVtx7ShP10VgckaS8:G9Z/bjAI8N8tagczS8

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
4240	tmp.exe
4380	notepad .exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	notepad .exe
File opened for modification	C:\Windows\assembly\Desktop.ini	notepad .exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp.exe	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3892 set thread context of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	notepad .exe
File opened for modification	C:\Windows\assembly	notepad .exe
File created	C:\Windows\assembly\Desktop.ini	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4380	notepad .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Token: 33	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Token: SeIncBasePriorityPrivilege	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Token: SeDebugPrivilege	4380	notepad .exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4380	notepad .exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4372	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	82
PID 3892 wrote to memory of 4372	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	82
PID 3892 wrote to memory of 4372	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	82
PID 4372 wrote to memory of 3216	4372	cmd.exe	84
PID 4372 wrote to memory of 3216	4372	cmd.exe	84
PID 4372 wrote to memory of 3216	4372	cmd.exe	84
PID 3892 wrote to memory of 4240	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	85
PID 3892 wrote to memory of 4240	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	85
PID 3892 wrote to memory of 4240	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	85
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3892 wrote to memory of 4380	3892	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	86
PID 3216 wrote to memory of 3644	3216	wscript.exe	87
PID 3216 wrote to memory of 3644	3216	wscript.exe	87
PID 3216 wrote to memory of 3644	3216	wscript.exe	87
PID 3644 wrote to memory of 2960	3644	cmd.exe	89
PID 3644 wrote to memory of 2960	3644	cmd.exe	89
PID 3644 wrote to memory of 2960	3644	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
"C:\Users\Admin\AppData\Local\Temp\f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:2960
- C:\Windows\SysWOW64\tmp.exe
  "C:\Windows\system32\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\notepad .exe
  "C:\Users\Admin\AppData\Local\Temp\notepad .exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe

Filesize
613KB

MD5
a482ff02cc9c671882add028df3d6f16

SHA1
acf2184f5689ec3f540f98bc4cdc9341dace0d71

SHA256
f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973

SHA512
1229dca9599660cc4d7194ce1c1e6c082c6b501e4aafbf4bb1acbf0da2163e4640fd21a5b5ffdf1aea99e507567aa0ca5c8fd760050e76bd655900050b6712c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

Filesize
264B

MD5
6ecf2f3e1102f8c431d8986f794b6f39

SHA1
17c59e2db7ffa50a987bd2f7d35e4060bdc3548a

SHA256
02e997ac200eb1d460a7d719616489efc9cd79efa7e602e5e056c99dc8be75d5

SHA512
6f50909b50543079ea3d7d3080e1e9b77da133b83f260a6187a2b6de97607777c2813f3c8ee72d0dd7217083131bfcc7ea0290358228b2574d3e9d76c6c11404

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Windows\SysWOW64\tmp.exe

Filesize
272KB

MD5
17e960204c17955b57a96b61b6abb260

SHA1
9e4a913e83a237c447d096b0b14a7b1d833c6830

SHA256
77ac0191d581cbb96a1f40d873d9f9accbafb919fe0c447f9156448b366ebfdf

SHA512
6c3408b0a4914b01fd1a7779e0a6499248365abc5dde8973adeb5cedc9102eb1b512b9ec0e94ec37820f78aa6f9627adb488e9a91feb53f84037dc9982e973c8

Download Submit
C:\Windows\SysWOW64\tmp.exe

Filesize
272KB

MD5
17e960204c17955b57a96b61b6abb260

SHA1
9e4a913e83a237c447d096b0b14a7b1d833c6830

SHA256
77ac0191d581cbb96a1f40d873d9f9accbafb919fe0c447f9156448b366ebfdf

SHA512
6c3408b0a4914b01fd1a7779e0a6499248365abc5dde8973adeb5cedc9102eb1b512b9ec0e94ec37820f78aa6f9627adb488e9a91feb53f84037dc9982e973c8

Download Submit
memory/3892-136-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3892-150-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-147-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-152-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-142-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4380-148-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-151-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing