imminent | 2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809

General

Target

2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
Size

292KB
MD5

2bec47844b2158b8971395794301e712
SHA1

85e9fe6a3118fa5bf352fef7ecf8b711a45a3968
SHA256

2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809
SHA512

e0d492b85856f4a7e675fe30fbc223573dd214e12dd7b043ac84f10098477181ae59f04aa44a389159f39c91820268e02dc9d4a79910846d0da92241023c277a
SSDEEP

6144:UwcYntNJbzX8qhqEIJHqvzRb8zCgoniL2L0U1wer6:UwcYLJ///IJydbXqU1Bm

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe"	WScript.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	CasPol.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	CasPol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4184 set thread context of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	CasPol.exe
File created	C:\Windows\assembly\Desktop.ini	CasPol.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	CasPol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1824	CasPol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
Token: SeDebugPrivilege	1824	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1824	CasPol.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 1824	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	84
PID 4184 wrote to memory of 2004	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	85
PID 4184 wrote to memory of 2004	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	85
PID 4184 wrote to memory of 2004	4184	2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe	85
PID 2004 wrote to memory of 2196	2004	cmd.exe	87
PID 2004 wrote to memory of 2196	2004	cmd.exe	87
PID 2004 wrote to memory of 2196	2004	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe
"C:\Users\Admin\AppData\Local\Temp\2ad0fca6351e2690fabb0e4120105cf37473e6389356a0d1ea406339d3a53809.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184
- \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
  "c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
    3⤵
    - Adds Run key to start application
    PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs

Filesize
219B

MD5
b559ac384267491c0796d801b39e4979

SHA1
6762fd6ee2849c743dfd2e3d6743b3f26bc32b9d

SHA256
85f64caab11088c4fa85d0caebc9086178eeef9e322be7034311cf466430302e

SHA512
292df546edec7225fca39816d4171924ced925ca00d316d7694ecfb00a2cb4d81315493e2af759121795413a5e0116abcd11b5003e332fec3a5dcf40fc24de7e

Download Submit
memory/1824-134-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1824-136-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/1824-140-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4184-132-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download
memory/4184-139-0x0000000074FC0000-0x0000000075571000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing