imminent | 3b32b6fc5406fc754c68fb447ff307427ce7acc9a506c18429cb79dfd86a9496

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e0c7607f378ce0cac081420d270e352.exe
Size

9.9MB
MD5

7e0c7607f378ce0cac081420d270e352
SHA1

7334d15139330c769dbe09cdf7968bd8dedacc56
SHA256

3b32b6fc5406fc754c68fb447ff307427ce7acc9a506c18429cb79dfd86a9496
SHA512

a50245b7c3e594083e6d738f5f736a87bcbbbd5fb66d5d5f0a4beae870a4d5efeb0d0f61f3a8cc4ca6b8efa599dbfb42458a13443937691a585ec5ec8908f587
SSDEEP

196608:8lZrwL3PXWwE4W+iNoLCrdwJkfSl7WDiBaiM0tfAIyazhIqdJqts/kF4u7u:8lZsTXlxW+ifB8kfxLLT6aqatVF4R

Score

10^/10

imminent bootkit discovery persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\64DXPYp3PQKGg74A\\XB3dciiBccu5.exe\",explorer.exe"	7e0c7607f378ce0cac081420d270e352.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	7e0c7607f378ce0cac081420d270e352.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	srF2qhsDbWha2lUk.exe

Loads dropped DLL 15 IoCs

pid	Process
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updates\\Mediaupdater.exe"	7e0c7607f378ce0cac081420d270e352.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7e0c7607f378ce0cac081420d270e352.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7e0c7607f378ce0cac081420d270e352.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	srF2qhsDbWha2lUk.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	7e0c7607f378ce0cac081420d270e352.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	7e0c7607f378ce0cac081420d270e352.exe
File opened for modification	C:\Windows\assembly	7e0c7607f378ce0cac081420d270e352.exe
File created	C:\Windows\assembly\Desktop.ini	7e0c7607f378ce0cac081420d270e352.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4724	ping.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4740	7e0c7607f378ce0cac081420d270e352.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	7e0c7607f378ce0cac081420d270e352.exe
Token: 33	4740	7e0c7607f378ce0cac081420d270e352.exe
Token: SeIncBasePriorityPrivilege	4740	7e0c7607f378ce0cac081420d270e352.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4404	srF2qhsDbWha2lUk.exe
4404	srF2qhsDbWha2lUk.exe
4740	7e0c7607f378ce0cac081420d270e352.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4404	4740	7e0c7607f378ce0cac081420d270e352.exe	88
PID 4740 wrote to memory of 4404	4740	7e0c7607f378ce0cac081420d270e352.exe	88
PID 4740 wrote to memory of 4404	4740	7e0c7607f378ce0cac081420d270e352.exe	88
PID 4404 wrote to memory of 4724	4404	srF2qhsDbWha2lUk.exe	91
PID 4404 wrote to memory of 4724	4404	srF2qhsDbWha2lUk.exe	91
PID 4404 wrote to memory of 4724	4404	srF2qhsDbWha2lUk.exe	91

C:\Users\Admin\AppData\Local\Temp\7e0c7607f378ce0cac081420d270e352.exe
"C:\Users\Admin\AppData\Local\Temp\7e0c7607f378ce0cac081420d270e352.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\srF2qhsDbWha2lUk.exe
  "C:\Users\Admin\AppData\Local\Temp\srF2qhsDbWha2lUk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\ping.exe
    ping -n 1 -w 1000 www.piriform.com
    3⤵
    - Runs ping.exe
    PID:4724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\g\gtapi_signed.dll

Filesize
71KB

MD5
61bc40d1fad9e0faa9a07219b90ba0e4

SHA1
5b5c3badedba915707000d2047eaf13f27b8925e

SHA256
89e157a4f61d7d18180cb7f901c0095da3b7a5cc5a9fd58d710099e5f0ee505a

SHA512
fa341aa975c471082b4b6c380f794d1e9ab3939382972cfb9e1dbb3491f68296ad1cedc8f03736921c8e133f62432997de29642e223c2a97f1cab5ce91d68af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\nsExec.dll

Filesize
6KB

MD5
5ed60250f74fa36a5a247a715bcd026e

SHA1
ff5f3ad0b32ede49a28e744664d086f6fe9e46b0

SHA256
ea8026766adc2d7cc26e2206cfdf5f0865b1426bfe3bc2aec8f43d3fc9a072ef

SHA512
2dd77324c1e0fea801a5cac1fe1d67349a5a93d4a9a459ee1e6b469f6ccce309fc45e513f38de238971b0a83d31e0afe3a2686eca8887772445209cde5735cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\p\syschk.dll

Filesize
253KB

MD5
f46bc8015929e17a2b1aff097d7df0e4

SHA1
6c30de3e6a004021e231aaa62a2c5cedec72bc6d

SHA256
26602d21203cf28b0c840a57bee8f1ff52ff885223095797180c9afe91265c32

SHA512
ddee56e56a60db139029bc6a43e281d0eaeb8425363e28847e43819425e0ec28bb807408488a18fa492dbfe92f27f91f83575275f952cf35c81cee7b250d5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\ui\pfUI.dll

Filesize
228KB

MD5
fcbe9f9fa4c2dfde456e1c5ba5e511f1

SHA1
8a3929500d8885828c9b823dec0a71085336c633

SHA256
9bc138da709e05d448301242be15ae58b3977bd4890609bc3deaf1798bc5cd16

SHA512
b99dff4ca61e3e0cd3f483b95ba0407455636de96694531df6d21cac5321acadcc95072f28f54c03c56ad956c3d1159ff3c62fa07ee008e734bea3dee7c87c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\ui\pfUI.dll

Filesize
453KB

MD5
f30bc1cadd8325ac5aeae5bf51f35a32

SHA1
3fd159f39845b022a42aeecb24fe10fd214bc163

SHA256
99450566b0ee9bb108fe42589037bd350db5921f2ed89da5ff88b6193e3feb41

SHA512
a7589d647c7db52bdcdbf6524912dfcdb4b4848aec8ab2f07c0dfaca9eb87800134ea26359c7d21adf31af49d02065e4374c20d3d303c62da5de2f188f1c01b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6795.tmp\ui\res\PF_logo.png

Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\srF2qhsDbWha2lUk.exe

Filesize
1.4MB

MD5
443e31817fb2bb085ec94667dd708d46

SHA1
25c8c41e0e625c77448f341592ce9e45682ef580

SHA256
20607e3e2510b198c0aeedc708b35a7b7c4ca38a685752379096b1dc48deb4c4

SHA512
f4bd4c3434eba39466d5ad60bae8929d76f4175a165b698495235c61709ee1b6d72590f9b8ab295146495eb05339c2bbf7b6918fd049770a79d56fefff3315de

Download Submit
C:\Users\Admin\AppData\Local\Temp\srF2qhsDbWha2lUk.exe

Filesize
419KB

MD5
338f84403423a8f7177b193fd99b0913

SHA1
ff12c05817fd6f0ea1fe26034189b4df57f8bdb2

SHA256
793cc59117451736b1a661870f18fd754a8a7d00d4256248457ed35f11f1b06e

SHA512
9864aeea9849923a46b4f2b7610ca43546acdfccad4306064208f266090c871f12fae9f8c24da76407bc4680cf787c1bd2ec123bf6195315fe517c444d0a668e

Download Submit
C:\Users\Admin\AppData\Local\Temp\srF2qhsDbWha2lUk.exe

Filesize
128KB

MD5
0c1d9b59ec4ecb8fbd5d54dd2f78f969

SHA1
306520378f6a0c963e0b7d10af5c18084191b5dd

SHA256
a19b3a4430e17c5772785e8567670d40538ed05c69d9acf2e1119a0a28d04991

SHA512
493c38e476728ccde8581ad5b29923177f5b6a5b48d12cb3b0c75f3a58921b06995c1bafcc0d349ec93972b7cf61b807983e9a57f16a94e412f2730817e2c9c0

Download Submit
memory/4404-162-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/4404-132-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/4740-2-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4740-0-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4740-18-0x0000000001C60000-0x0000000001C70000-memory.dmp

Filesize
64KB

Download
memory/4740-1-0x0000000001C60000-0x0000000001C70000-memory.dmp

Filesize
64KB

Download
memory/4740-158-0x0000000074EB0000-0x0000000075461000-memory.dmp

Filesize
5.7MB

Download
memory/4740-159-0x0000000001C60000-0x0000000001C70000-memory.dmp

Filesize
64KB

Download
memory/4740-160-0x0000000001C60000-0x0000000001C70000-memory.dmp

Filesize
64KB

Download
memory/4740-161-0x0000000001C60000-0x0000000001C70000-memory.dmp

Filesize
64KB

Download
memory/4740-3-0x000000007F9A0000-0x000000007F9A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads