imminent | 698955ab6d32e0593a3fe7fa85e89dd9d050185b4cd4ca764c623585f1006220

General

Target

0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
Size

1.3MB
MD5

0fa5140ac2d0b3ed9c0f8137dd10b0b9
SHA1

f17db86c3147896823fe050600be977bb3b2d5b3
SHA256

698955ab6d32e0593a3fe7fa85e89dd9d050185b4cd4ca764c623585f1006220
SHA512

e942f7e21e92ac889e9fea842fa10a9266e452c3362afe1a331fe5fed4e167ca70458c91a9783a5b2cbc02303679e477f5d31319afba9a20afa2b8527217f575
SSDEEP

6144:LZh/bYkcsfM7mH6IUCuKYNqgW935aShOR5TyVFTj48nOogUwzJj2rqorrgHFV:bbcgMg6dKYNqlnlh0KfdgUwtu

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe

Executes dropped EXE 2 IoCs

pid	Process
1088	File.exe
3796	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4544 set thread context of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
File created	C:\Windows\assembly\Desktop.ini	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3904	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Sony\start.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
Token: SeDebugPrivilege	3796	svhost.exe
Token: 33	3796	svhost.exe
Token: SeIncBasePriorityPrivilege	3796	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3796	svhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 1088	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	94
PID 4544 wrote to memory of 1088	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	94
PID 4544 wrote to memory of 1088	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	94
PID 4544 wrote to memory of 3500	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	91
PID 4544 wrote to memory of 3500	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	91
PID 4544 wrote to memory of 3500	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	91
PID 3500 wrote to memory of 4036	3500	cmd.exe	95
PID 3500 wrote to memory of 4036	3500	cmd.exe	95
PID 3500 wrote to memory of 4036	3500	cmd.exe	95
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 3796	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	96
PID 4544 wrote to memory of 2868	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	98
PID 4544 wrote to memory of 2868	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	98
PID 4544 wrote to memory of 2868	4544	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	98
PID 2868 wrote to memory of 3904	2868	cmd.exe	99
PID 2868 wrote to memory of 3904	2868	cmd.exe	99
PID 2868 wrote to memory of 3904	2868	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Sony\start.exe.lnk" /f
    3⤵
    PID:4036
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Sony\start.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 120
    3⤵
    - Delays execution with timeout.exe
    PID:3904

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
5KB

MD5
682da3155d77cf83f657e030785a4b96

SHA1
80312a2e338ba03aba581252417e2bdb2efcf8a7

SHA256
1bd6fc01a265f4983b7c8cb277518ff5d2ee01de392b3c65c186f4c11d77b30d

SHA512
a7b6c29e2a99e2073d8a2b22790cb4b01fa252c94fd952786fed54e7236253f81ebbfd532e9db77993abee4f67590809961675db542c02b0608d7240331ef447

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sony\start.exe.bat

Filesize
202B

MD5
2a5743568465d83307cc64dec6c1a803

SHA1
dc4b4cac4a3a17bcc84a7e70ddf5ab4f538f2da7

SHA256
181fe174d634d8d53b81e3214b79c4edfb28c4d71efcb0e259b94bba8feb4425

SHA512
e8905a94533c844e9d6e9e2483685cf0ac08296dca46c5a1fd974d0bbfe20a28a3561d05d3f4d2575583b6465bc90ff933456847950f3a291b4f721597355862

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sony\start.exe.jpg

Filesize
516KB

MD5
ab1d16b28fd143af31478fa87d69bd6f

SHA1
935e516e9162198e690c642598aeda79eb0c7278

SHA256
fad95b4b279baaa8f3bd8843137d9e678874ecc48b4884e7e8603b328f680b2a

SHA512
a17caa5bf9ee823f4949b588bf1585d5b9c922ed4566373c587a883750219819a0a27fede9dc1e03e9fd0af0593dd277812862316a950aebb703d06bbc8e7646

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/1088-28-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-44-0x0000000071F10000-0x00000000726C0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-25-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/3796-33-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3796-45-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3796-29-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3796-49-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3796-48-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3796-30-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3796-35-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3796-36-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/3796-47-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3796-46-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/3796-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4544-0-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-43-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-2-0x0000000074FF0000-0x00000000755A1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-1-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing