imminent | c29081401e06988f07c143b0ce73990e21222e9b847faffd9c48f431a03bb9d0

General

Target

6d063a2768053694eb3ca3c449f2c39e.exe
Size

803KB
MD5

6d063a2768053694eb3ca3c449f2c39e
SHA1

6ec3c9ef4252cdf0dac4df6f35d3831723c6b17b
SHA256

c29081401e06988f07c143b0ce73990e21222e9b847faffd9c48f431a03bb9d0
SHA512

5c6a6638c9929157ad03525b38a95ac3e7c2bea3c6c25de07eb4b9322def1482ba233999a706a4cd285d26d948108d1b8f96c2939ef9163fb25895999ddd44e1
SSDEEP

24576:Q/CczGjGj0khrcMzXZuhTTxZPxMp9VUpx4h:Q/CAkGj0kJB8RfEQ/

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	6d063a2768053694eb3ca3c449f2c39e.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Svg.lnk	6d063a2768053694eb3ca3c449f2c39e.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	TurboHUD.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	6d063a2768053694eb3ca3c449f2c39e.exe
File created	C:\Windows\assembly\Desktop.ini	6d063a2768053694eb3ca3c449f2c39e.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 set thread context of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	6d063a2768053694eb3ca3c449f2c39e.exe
File created	C:\Windows\assembly\Desktop.ini	6d063a2768053694eb3ca3c449f2c39e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	6d063a2768053694eb3ca3c449f2c39e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3960	1996	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5092	6d063a2768053694eb3ca3c449f2c39e.exe
5092	6d063a2768053694eb3ca3c449f2c39e.exe
5092	6d063a2768053694eb3ca3c449f2c39e.exe
5092	6d063a2768053694eb3ca3c449f2c39e.exe
2308	RegAsm.exe
2308	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
876	6d063a2768053694eb3ca3c449f2c39e.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	6d063a2768053694eb3ca3c449f2c39e.exe
Token: SeDebugPrivilege	2308	RegAsm.exe
Token: SeDebugPrivilege	876	6d063a2768053694eb3ca3c449f2c39e.exe
Token: 33	876	6d063a2768053694eb3ca3c449f2c39e.exe
Token: SeIncBasePriorityPrivilege	876	6d063a2768053694eb3ca3c449f2c39e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
876	6d063a2768053694eb3ca3c449f2c39e.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1996	5092	6d063a2768053694eb3ca3c449f2c39e.exe	92
PID 5092 wrote to memory of 1996	5092	6d063a2768053694eb3ca3c449f2c39e.exe	92
PID 5092 wrote to memory of 1996	5092	6d063a2768053694eb3ca3c449f2c39e.exe	92
PID 5092 wrote to memory of 4924	5092	6d063a2768053694eb3ca3c449f2c39e.exe	90
PID 5092 wrote to memory of 4924	5092	6d063a2768053694eb3ca3c449f2c39e.exe	90
PID 5092 wrote to memory of 4924	5092	6d063a2768053694eb3ca3c449f2c39e.exe	90
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 876	5092	6d063a2768053694eb3ca3c449f2c39e.exe	89
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91
PID 5092 wrote to memory of 2308	5092	6d063a2768053694eb3ca3c449f2c39e.exe	91

C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
"C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
  "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe
  "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  PID:4924
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" 5092 "C:\Users\Admin\AppData\Local\Temp\6d063a2768053694eb3ca3c449f2c39e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Users\Admin\AppData\Roaming\TurboHUD.exe
  "C:\Users\Admin\AppData\Roaming\TurboHUD.exe"
  2⤵
  - Executes dropped EXE
  PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 872
    3⤵
    - Program crash
    PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1996 -ip 1996
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TurboHUD.exe

Filesize
25KB

MD5
c95bc713469d37cd181ba0ae40c3a9d0

SHA1
6e1a2266ad207f0536f381fc9c28fd92530608d0

SHA256
0b078da686cbada5f63cb4d75846b280e3a0db266abc910a6fb53769deafa01a

SHA512
e1659593e35f29007afb5b1a5431ae1555ccf7e86209d94f315a471b84d66d60f111daeda892d64522271a5e2848e2489cdaaba277dcc286272e01c4acf3fcc4

Download Submit
C:\Users\Admin\AppData\Roaming\TurboHUD.exe

Filesize
61KB

MD5
da015b44aafe0d0c7e4849fd5ea7139c

SHA1
92a525335fde055a5430a068819087011ae3b814

SHA256
322e17690678c51d7240d0a18866a593a76390eb0e4432e262e863c955a63ed5

SHA512
a77bb2431d8b1a3bfb2821374a807e40ce3c2deb8ba88dc2cd7f117dd7b37ca92179438aad3483fd826a9d21b358268caeff1b689b3a5aae18fc6e494f08ecab

Download Submit
memory/876-20-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/876-39-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/876-40-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/876-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/876-38-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/876-18-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/876-16-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/1996-25-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/1996-31-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1996-17-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/1996-34-0x00000000723E0000-0x0000000072B90000-memory.dmp

Filesize
7.7MB

Download
memory/1996-22-0x0000000002710000-0x0000000002716000-memory.dmp

Filesize
24KB

Download
memory/1996-26-0x0000000009730000-0x0000000009CD4000-memory.dmp

Filesize
5.6MB

Download
memory/1996-29-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/2308-27-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/2308-28-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/2308-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2308-41-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/2308-42-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/5092-0-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/5092-37-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download
memory/5092-2-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/5092-1-0x00000000753D0000-0x0000000075981000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing