imminent | d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

General

Target

d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Size

478KB
MD5

f7e1a441315a80328596c03da48d1778
SHA1

892ec2afe8549bc85d323ce9cfef1e08873ae7a0
SHA256

d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30
SHA512

ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4
SSDEEP

6144:0APTi7C55DbmAs2X/4UYPOHfDLmmhDOnzYMvDfDllEVMSjFd+v:7WK5/aq4UYPOugOnEADf7g

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
4224	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\\Windows32\\Explorer.exe"	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Windows32\\Explorer.exe"	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3172 set thread context of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 4180 set thread context of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
File created	C:\Windows\assembly\Desktop.ini	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
764	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4224	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Token: SeDebugPrivilege	2084	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Token: SeDebugPrivilege	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Token: SeDebugPrivilege	4224	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
Token: SeDebugPrivilege	4224	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4224	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 3172 wrote to memory of 2084	3172	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	80
PID 2084 wrote to memory of 4180	2084	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	81
PID 2084 wrote to memory of 4180	2084	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	81
PID 2084 wrote to memory of 4180	2084	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	81
PID 2084 wrote to memory of 4888	2084	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	82
PID 2084 wrote to memory of 4888	2084	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	82
PID 2084 wrote to memory of 4888	2084	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	82
PID 4888 wrote to memory of 764	4888	cmd.exe	84
PID 4888 wrote to memory of 764	4888	cmd.exe	84
PID 4888 wrote to memory of 764	4888	cmd.exe	84
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85
PID 4180 wrote to memory of 4224	4180	d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe	85

C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
"C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
  "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
    "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe
      "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe.log

Filesize
224B

MD5
c19eb8c8e7a40e6b987f9d2ee952996e

SHA1
6fc3049855bc9100643e162511673c6df0f28bfb

SHA256
677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

SHA512
860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Filesize
478KB

MD5
f7e1a441315a80328596c03da48d1778

SHA1
892ec2afe8549bc85d323ce9cfef1e08873ae7a0

SHA256
d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

SHA512
ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Filesize
478KB

MD5
f7e1a441315a80328596c03da48d1778

SHA1
892ec2afe8549bc85d323ce9cfef1e08873ae7a0

SHA256
d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

SHA512
ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30\d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30.exe

Filesize
478KB

MD5
f7e1a441315a80328596c03da48d1778

SHA1
892ec2afe8549bc85d323ce9cfef1e08873ae7a0

SHA256
d4c1fbc3ff3b1c1d7a33bb65bb1055b72de205d5a8ce889759b744663ee9ac30

SHA512
ee03790b38b8986739cfda71d4cd12fee0802ae13cb11aeb59c5bdbc249aa363e281014a3da8a2f36615c34f7d6559d82035dc3432145e01e354d64f75063ab4

Download Submit
memory/2084-142-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/2084-134-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2084-137-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-136-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-132-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4180-144-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4180-148-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4224-149-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4224-150-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing