imminent | c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0

General

Target

c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe
Size

1.9MB
MD5

53594cf41be285fa4304d10b680245f2
SHA1

6a2841d2af67d098f93b2a6df527abb08923ae22
SHA256

c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0
SHA512

b0c2f53023381c29267c36a44e4cec39272af41a8b5068250de9d71cd899e8feb6cc887b13b785e9ffb1c7b1174e670d47559dd85bf47b655595ee07ad3b5151
SSDEEP

24576:iu6J33O0c+JY5UZ+XC0kGso6Fa9GWjtGD0GY/y69Pk3dF08EsmwrTZIZvziK6gQf:Eu0c++OCvkGs9FaIXKZlOVYk

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
644	wbadmin.exe
3896	wbadmin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NET Framework = "C:\\Users\\Admin\\AppData\\Roaming\\Roaming\\Application Frame Host.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NET Framework = "\\Roaming\\Application Frame Host.exe"	RegAsm.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000022f68-141.dat	autoit_exe
behavioral2/files/0x0006000000022f68-142.dat	autoit_exe
behavioral2/files/0x0006000000022f68-151.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4772 set thread context of 2104	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	81
PID 644 set thread context of 5004	644	wbadmin.exe	98
PID 3896 set thread context of 1412	3896	wbadmin.exe	102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4032	schtasks.exe
3868	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2104	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	RegAsm.exe
Token: 33	2104	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2104	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2104	RegAsm.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2104	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	81
PID 4772 wrote to memory of 2104	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	81
PID 4772 wrote to memory of 2104	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	81
PID 4772 wrote to memory of 2104	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	81
PID 4772 wrote to memory of 2104	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	81
PID 4772 wrote to memory of 4032	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	85
PID 4772 wrote to memory of 4032	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	85
PID 4772 wrote to memory of 4032	4772	c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe	85
PID 644 wrote to memory of 5004	644	wbadmin.exe	98
PID 644 wrote to memory of 5004	644	wbadmin.exe	98
PID 644 wrote to memory of 5004	644	wbadmin.exe	98
PID 644 wrote to memory of 5004	644	wbadmin.exe	98
PID 644 wrote to memory of 5004	644	wbadmin.exe	98
PID 644 wrote to memory of 3868	644	wbadmin.exe	99
PID 644 wrote to memory of 3868	644	wbadmin.exe	99
PID 644 wrote to memory of 3868	644	wbadmin.exe	99
PID 3896 wrote to memory of 1412	3896	wbadmin.exe	102
PID 3896 wrote to memory of 1412	3896	wbadmin.exe	102
PID 3896 wrote to memory of 1412	3896	wbadmin.exe	102
PID 3896 wrote to memory of 1412	3896	wbadmin.exe	102
PID 3896 wrote to memory of 1412	3896	wbadmin.exe	102

C:\Users\Admin\AppData\Local\Temp\c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe
"C:\Users\Admin\AppData\Local\Temp\c31dcd609e617b1b33f6218f0f77494b37190a0f8245c6bed840bb2842b177f0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn rasdial /tr "C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe
C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:5004
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn rasdial /tr "C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3868

C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe
C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

Filesize
319B

MD5
c0ed926cd0e608944ad99322aaedb97a

SHA1
007e5bc9d8650a46f48f75045034702c24be39c5

SHA256
eb035294fbea39baa6e6c65cb7e06451987c51c5536586f23de5dc7f91096943

SHA512
83891a4984208720a224937101313759ffec75f5ebb2225c30555e5a28c7cc753162d802b176694ecc7404e2723f75d86d313adb835d4ec826ac13ff24cce42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe

Filesize
1.9MB

MD5
2a62cb96850cc87d0d06ca9055c5c310

SHA1
6df46ccbc3d153876218cd6d2e43c9ed8f700d4b

SHA256
248afe19cbb50478608759ba4e337c027b53c0b8e3e64483667e002a5e7c9e8e

SHA512
7b65962459f721b3cb728f8f3179b6badfaff40dcdb7252b86ca8e7dcebb4ce4d3806298648608051766e27a0b595deab38f3dc7709eccadaf0de0c9e741822a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe

Filesize
1.9MB

MD5
2a62cb96850cc87d0d06ca9055c5c310

SHA1
6df46ccbc3d153876218cd6d2e43c9ed8f700d4b

SHA256
248afe19cbb50478608759ba4e337c027b53c0b8e3e64483667e002a5e7c9e8e

SHA512
7b65962459f721b3cb728f8f3179b6badfaff40dcdb7252b86ca8e7dcebb4ce4d3806298648608051766e27a0b595deab38f3dc7709eccadaf0de0c9e741822a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sftp\wbadmin.exe

Filesize
1.9MB

MD5
2a62cb96850cc87d0d06ca9055c5c310

SHA1
6df46ccbc3d153876218cd6d2e43c9ed8f700d4b

SHA256
248afe19cbb50478608759ba4e337c027b53c0b8e3e64483667e002a5e7c9e8e

SHA512
7b65962459f721b3cb728f8f3179b6badfaff40dcdb7252b86ca8e7dcebb4ce4d3806298648608051766e27a0b595deab38f3dc7709eccadaf0de0c9e741822a

Download Submit
memory/1412-159-0x0000000073CB0000-0x0000000074261000-memory.dmp

Filesize
5.7MB

Download
memory/2104-139-0x0000000073CB0000-0x0000000074261000-memory.dmp

Filesize
5.7MB

Download
memory/2104-138-0x0000000073CB0000-0x0000000074261000-memory.dmp

Filesize
5.7MB

Download
memory/2104-133-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5004-149-0x0000000073CB0000-0x0000000074261000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads