imminent | a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1da

General

Target

a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe
Size

1.3MB
MD5

842192abeee1ca4788c7f9562ba77c40
SHA1

0097f42320ccec5a937a9e43dcd37adf154b4f78
SHA256

a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1da
SHA512

b9ee5e78431ff98c06318fcfbb603041f572672810f136c4e393a1aa1d027ff61923ae565af9ec3b5a4caee1c5a9d3e5bb005934550052a5df415073550f2d34
SSDEEP

24576:nFFWO5WqPbFPhGSSc5sus9Ux0HalJ2a9jRlbRgAeO7A:nvZMqPJhGSSc5q9USCZRU

Score

10^/10

imminent discovery persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hTcdWNaiUEILOUVJ.cmd.lnk	JNcINeFgQBMYDefVEGSSb.exe

Executes dropped EXE 1 IoCs

pid	Process
3080	JNcINeFgQBMYDefVEGSSb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 4036	3080	JNcINeFgQBMYDefVEGSSb.exe	97

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JNcINeFgQBMYDefVEGSSb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4036	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4036	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5808 wrote to memory of 3080	5808	a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe	86
PID 5808 wrote to memory of 3080	5808	a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe	86
PID 5808 wrote to memory of 3080	5808	a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe	86
PID 3080 wrote to memory of 4036	3080	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3080 wrote to memory of 4036	3080	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3080 wrote to memory of 4036	3080	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3080 wrote to memory of 4036	3080	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3080 wrote to memory of 4036	3080	JNcINeFgQBMYDefVEGSSb.exe	97

C:\Users\Admin\AppData\Local\Temp\a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe
"C:\Users\Admin\AppData\Local\Temp\a5b420888c9cdb05ae191a1996bd7d38618c7b5b0f6d9085c7812afca3b5b1daN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe EbKPFiePLUOOOYOhPRh
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    - CmdLine Args
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EbKPFiePLUOOOYOhPRh

Filesize
35KB

MD5
ea3581b5402cd25a4e87c84044baa7c4

SHA1
1a89d0820ae9a38aa33706ac315d4a9ee68ca2b4

SHA256
42b41f7864b7676d91f929d7a49c1be90ea9d553d35f13caf624f691ec370d14

SHA512
7c20f4ab4a3fa2b7bff2d08491562cfa112f6f0bdad8865a9fa0d86a8ad5956e9d4d4369468dced7ac68a51cfa4a5910a986e9d62235a399cd5d54b1d84184e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hTcdWNaiUEIL

Filesize
440KB

MD5
f9316ff4d7013dbd09d1a176c3e857e0

SHA1
eb8cdb51c50e1a676e5d4068e6c2c4a345757568

SHA256
92d45ab64427ff281d604a8e5a611d104483e15de3202f29844acfdea2a4391f

SHA512
494abbcba1545a9fae2e5c91c507afa43b4a0f52e58a5508cd45481d853ab19c3a9ac1bdeb4f4466e9603b38d0e6f41be4477b39cfb2b7ded9f421ce4e82b03f

Download Submit
memory/3080-17-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/4036-45-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-36-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-27-0x0000000073200000-0x00000000737B1000-memory.dmp

Filesize
5.7MB

Download
memory/4036-28-0x0000000073200000-0x00000000737B1000-memory.dmp

Filesize
5.7MB

Download
memory/4036-29-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-37-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-18-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-43-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-42-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-25-0x0000000073202000-0x0000000073203000-memory.dmp

Filesize
4KB

Download
memory/4036-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-31-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-30-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-40-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-32-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4036-51-0x0000000073202000-0x0000000073203000-memory.dmp

Filesize
4KB

Download
memory/4036-52-0x0000000073200000-0x00000000737B1000-memory.dmp

Filesize
5.7MB

Download
memory/4036-53-0x0000000073200000-0x00000000737B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads