imminent | 17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e

General

Target

17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
Size

271KB
MD5

0d9872faa1d16415b0185bc4f58ea34d
SHA1

c0373bec05812cc8887e4e762a0b355342195639
SHA256

17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e
SHA512

e07ef475347c80689fe06c117c5019f682303f2e6bcea2dcabb589fa7391fea857df9a4140dd508345a8433662b5e1b321ce937802f5f3f9149b49f615f7fb9d
SSDEEP

6144:CV92MnB1bCmlOwI3GdZHM+oEs5JDvdyGX8ctlD+:0FPYwsGfs+or5J6ID+

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
2620	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdfgfdgdfgfd = "\\Mirosoft\\ScvHost.exe"	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdfgfdgdfgfd = "C:\\Users\\Admin\\AppData\\Roaming\\Mirosoft\\ScvHost.exe"	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
File created	C:\Windows\assembly\Desktop.ini	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4060	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
Token: SeDebugPrivilege	2620	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
Token: SeDebugPrivilege	2620	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2620	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2620	1720	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe	83
PID 1720 wrote to memory of 2620	1720	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe	83
PID 1720 wrote to memory of 2620	1720	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe	83
PID 1720 wrote to memory of 2912	1720	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe	84
PID 1720 wrote to memory of 2912	1720	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe	84
PID 1720 wrote to memory of 2912	1720	17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe	84
PID 2912 wrote to memory of 4060	2912	cmd.exe	86
PID 2912 wrote to memory of 4060	2912	cmd.exe	86
PID 2912 wrote to memory of 4060	2912	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
"C:\Users\Admin\AppData\Local\Temp\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe
  "C:\Users\Admin\AppData\Local\Temp\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Filesize
271KB

MD5
0d9872faa1d16415b0185bc4f58ea34d

SHA1
c0373bec05812cc8887e4e762a0b355342195639

SHA256
17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e

SHA512
e07ef475347c80689fe06c117c5019f682303f2e6bcea2dcabb589fa7391fea857df9a4140dd508345a8433662b5e1b321ce937802f5f3f9149b49f615f7fb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e\17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e.exe

Filesize
271KB

MD5
0d9872faa1d16415b0185bc4f58ea34d

SHA1
c0373bec05812cc8887e4e762a0b355342195639

SHA256
17f10fac1f728312eb781c8aef416da314eba5fdc9d37423ab0684c5340b414e

SHA512
e07ef475347c80689fe06c117c5019f682303f2e6bcea2dcabb589fa7391fea857df9a4140dd508345a8433662b5e1b321ce937802f5f3f9149b49f615f7fb9d

Download Submit
memory/1720-132-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/1720-133-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/1720-139-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-137-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/2620-141-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing