imminent | 26dcefb48f3b7fa97765b0f4db3ebfbf615f57b42c7c051c145e8981c4dbbdb3

General

Target

dpwwkbvgzxukmji.exe
Size

1.2MB
MD5

bdea975f05590979c4193de0b984da84
SHA1

b37c50bda301d647282ef6cf5bd7d411e295cae9
SHA256

26dcefb48f3b7fa97765b0f4db3ebfbf615f57b42c7c051c145e8981c4dbbdb3
SHA512

59e19339b4681d45a644c7eeae00329e5cd9a56c6ecc17331bc43dcbaa020bf39cad5d241c365bbda0aa0f3ccaf0cd17ad1cccce381014169882a592570e666a
SSDEEP

24576:Gtb20pkaCqT5TBWgNQ7aMN7IcAo6iRzpaOF/mN16AK:zVg5tQ7aMN7IryzpaOpmr5K

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dpwwkbvgzxukmji.fr.url	dpwwkbvgzxukmji.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3668 set thread context of 4404	3668	dpwwkbvgzxukmji.exe	85

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dpwwkbvgzxukmji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe
3668	dpwwkbvgzxukmji.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4404	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4404	RegAsm.exe
Token: 33	4404	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4404	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4404	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85
PID 3668 wrote to memory of 4404	3668	dpwwkbvgzxukmji.exe	85

C:\Users\Admin\AppData\Local\Temp\dpwwkbvgzxukmji.exe
"C:\Users\Admin\AppData\Local\Temp\dpwwkbvgzxukmji.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autBD83.tmp

Filesize
322KB

MD5
229969ae0032bf818c604a1370a1cf14

SHA1
14772f98b1c8d7631ef57f1dfc3abf517b77d49f

SHA256
468c9575e6be0ea0ef82b29f087c7901bfe49731a1f88e2f7cda26242dfbaeed

SHA512
f1a6140d1ea077acc67b9193c7cfe06f4c5741c2320bc3a002553a7ee3f845342bda899448f2cb3f4ada11934277911280a188aebe046053f0cdf8097b4eaf30

Download Submit
memory/3668-17-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3668-15-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3668-16-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3668-14-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3668-11-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/3668-13-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3668-18-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3668-20-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/3668-12-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3668-10-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download
memory/4404-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4404-21-0x0000000074A22000-0x0000000074A23000-memory.dmp

Filesize
4KB

Download
memory/4404-22-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4404-23-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4404-32-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/4404-31-0x0000000074A22000-0x0000000074A23000-memory.dmp

Filesize
4KB

Download
memory/4404-33-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing