imminent | 2c5a372bed4212a73627ec35e5dcab998a41b9e6361364166531d0ca9a708ed4

General

Target

imminent.rar
Size

2.6MB
MD5

f5ab63dea30a9aff6eeab3b09c42b615
SHA1

27fdd5262e7ab344ac92d31316c2ecafc18cbe4f
SHA256

2c5a372bed4212a73627ec35e5dcab998a41b9e6361364166531d0ca9a708ed4
SHA512

40cf1ff8de3cb7aae067e33dd602a5aaee71da96184a95235e09bda4c3c777a0944653d68c650591d1dd4857b19948c10eea43284f6c5f90eef4c2fe46a0c4ab
SSDEEP

49152:eLJIygRcJrkeSw0gtrgHzI+DodiYIIthEa1z5h69ICBBfBax4pnU1fvMm9RMrd:eLJuRckIxgThovIIjEaBH693ox4NUlUx

Score

10^/10

imminent discovery persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Executes dropped EXE 2 IoCs

pid	Process
2092	Imminent Monitor.exe
1476	imminent monitor.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\Default File.exe"	imminent monitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\Default File.exe"	imminent monitor.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	imminent monitor.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	imminent monitor.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	imminent monitor.exe
File opened for modification	C:\Windows\assembly	imminent monitor.exe
File created	C:\Windows\assembly\Desktop.ini	imminent monitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imminent Monitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imminent monitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1880	PING.EXE
1532	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1880	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe
1476	imminent monitor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	5292	7zFM.exe
Token: 35	5292	7zFM.exe
Token: SeSecurityPrivilege	5292	7zFM.exe
Token: SeDebugPrivilege	2092	Imminent Monitor.exe
Token: SeDebugPrivilege	1476	imminent monitor.exe
Token: SeDebugPrivilege	1476	imminent monitor.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5292	7zFM.exe
5292	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1476	imminent monitor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1476	2092	Imminent Monitor.exe	83
PID 2092 wrote to memory of 1476	2092	Imminent Monitor.exe	83
PID 2092 wrote to memory of 1476	2092	Imminent Monitor.exe	83
PID 2092 wrote to memory of 1532	2092	Imminent Monitor.exe	84
PID 2092 wrote to memory of 1532	2092	Imminent Monitor.exe	84
PID 2092 wrote to memory of 1532	2092	Imminent Monitor.exe	84
PID 1532 wrote to memory of 1880	1532	cmd.exe	86
PID 1532 wrote to memory of 1880	1532	cmd.exe	86
PID 1532 wrote to memory of 1880	1532	cmd.exe	86

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\imminent.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

C:\Users\Admin\Desktop\Nueva carpeta\Imminent Monitor.exe
"C:\Users\Admin\Desktop\Nueva carpeta\Imminent Monitor.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\imminent monitor\imminent monitor.exe
  "C:\Users\Admin\AppData\Local\Temp\imminent monitor\imminent monitor.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Desktop\Nueva carpeta\Imminent Monitor.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1880

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nueva carpeta\ReadMe.txt
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zECA42C3E7\Nueva carpeta\Resources\Images\Buttons\Misc\buttonhidexp.png

Filesize
452B

MD5
0965f0d1b222986515711b049af26de9

SHA1
42989d49425a540db0e318b5967574ed59e8271b

SHA256
9bb2935f59a8b15ebe12a48a0212fbd36fcb048bd43d4696857953af9df9e5e7

SHA512
f715d7f8bb2f4180a343c02532f82b862a3842f6b31f4b88f8a5fc7b955b6011cff6d05a133581e69667843c5e05398594a0e57dae8d22444d0d4742a6a8b12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECA42C3E7\Nueva carpeta\Resources\Images\ContextMenu\File Manager\view-thumbnail.png

Filesize
451B

MD5
3256504f96cd017c9dcdee5ad0751472

SHA1
77a2fc09bf8dbd743b57880138c8c696526e674a

SHA256
ad80eff5fcc24b97590b7b7b30b7036ba9f054e78ee622bed13ec49c80020579

SHA512
b305b150b5741df1fdf89fe4f617592473790dc45964a5951c2015eeb7ad09460d90c4f8f93105dbf7757d232ac9cae52fc7505f7e869c6e86ed6ca65b04f76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECA42C3E7\Nueva carpeta\Resources\Images\ContextMenu\Main\update-client.png

Filesize
836B

MD5
36215c5a3c6657364c401f6c593fb793

SHA1
d13c4dcd5661fff279d390793b5ec938ae51dd0a

SHA256
9b1067e7c71646bd1a557d31a3398445afa27a8f899d97fe26a052d47e0323fd

SHA512
b78ed56237f4db50013cd312508b9d9942daa36414d599e472db4574e1ca609d600b4e31e74b091b1faeb3b21ff2ec0d38705f4283400231b4eb32b0803897fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECA42C3E7\Nueva carpeta\Resources\Images\ContextMenu\System Managers\delete.png

Filesize
544B

MD5
964d1afcaa92b7b2eda6b86513e511f8

SHA1
a928c65408cc445667843628474aeeacb86598f6

SHA256
cee7ed8601de316a2b961d3d78b07cdfdd10bd04266d366ce5e77b425513f515

SHA512
0bbc7a1e733cad30a2e26bb0dd21a465dcf3bfac888827f575dd0b2ef7d9dad1e5961b8cfbe91cede72896cd2b21ed0db135822ac71f422bd8dc55198382eb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECA42C3E7\Nueva carpeta\Resources\Images\Countrys\Svalbard and Jan Mayen.png

Filesize
485B

MD5
2ce917331ee7dbbdbedd716e8e84c7d0

SHA1
1d5136c70b7588b147c6631cb64ed409987ff824

SHA256
5b799d5d9cc343a2622b80b69eac4b47b7b929ffe20ccb1424c3b357c765c129

SHA512
40ba1ee90e66b73393855a6ded1d293820093827dc82cb9f82303a7b86023249b74b1414a7e91469991f37a78dd437253a8d8abcd9879b1d7cc0edbfc5b157fc

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
62B

MD5
679b9b22d361d89446edd4a5caab8222

SHA1
62207d10d0d24b9dfcb1d0cc96d1e3ed41049606

SHA256
1a22ad20d417ed5d6f95a01ea57c7e4a35c5769e4919975fa7e690f68b1f1681

SHA512
37f7995380d1a211850b991c2a4cb3f3ac3270908bbe23aef917a69d06fea37d920fe9b0c84841068237c1eebb89d4a6b2acbe84df3fcc92f97a4b8c4362c969

Download Submit
C:\Users\Admin\Desktop\Nueva carpeta\Imminent Monitor.exe

Filesize
300KB

MD5
ebc3d684263f675195579880a1f4635b

SHA1
aa3ae071ad15e32e177f5625e2928933e99fef53

SHA256
5db60f1ca25c6e7486fa6225cdf3e822cdfbac91321c5aabc4a1686eac0057d6

SHA512
90ff436c9b098b0a75da84047097dd2d0a7f8d2bf4a7405db8148a26fd5e7124a8326c0772026a00958a4382d415cba880144069f0e30226985070f9424e8601

Download Submit
C:\Users\Admin\Desktop\Nueva carpeta\ReadMe.txt

Filesize
254B

MD5
3179b70ce4bb96c85f175c2fa3ac52a0

SHA1
ce0373a276e8748ece536ffad243bad32dda7d9c

SHA256
f1589da7b3cd9fb7fff393079a75c53ec90716de4e03ae59daada6ee4538ae42

SHA512
14622d575a4e0521c701fbd4683c9a987d7b0554659c946c0f47f638d4359e97b8c1d5c34234e105dc797d74c14b2cd76ac8ed7d133ae5431df04c57f53d19d3

Download Submit
memory/2092-838-0x0000000075451000-0x0000000075452000-memory.dmp

Filesize
4KB

Download
memory/2092-839-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2092-840-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2092-853-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads