imminent | df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925

General

Target

df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
Size

1.3MB
MD5

9981c0c91c4cf32e5160325284e9fc6c
SHA1

aeb6b8ef996542c5831e67ef89387d6c4a026bab
SHA256

df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925
SHA512

8b1d0f85e5728ee48cb6417cd974147aa64ab84f59d3c665d5de06864753b47ebf173776826da03f50f582355ed824987c91a1ba90d88a4d7f4b1debf11650ad
SSDEEP

24576:nFFWO5WqPbFPhGSSc5sus9Ux0HalJ2a9jRlbRgAeO7AT:nvZMqPJhGSSc5q9USCZRUF

Score

10^/10

imminent discovery persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hTcdWNaiUEILOUVJ.cmd.lnk	JNcINeFgQBMYDefVEGSSb.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	JNcINeFgQBMYDefVEGSSb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3780 set thread context of 1524	3780	JNcINeFgQBMYDefVEGSSb.exe	97

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JNcINeFgQBMYDefVEGSSb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1524	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3780	2904	df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe	85
PID 2904 wrote to memory of 3780	2904	df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe	85
PID 2904 wrote to memory of 3780	2904	df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe	85
PID 3780 wrote to memory of 1524	3780	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3780 wrote to memory of 1524	3780	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3780 wrote to memory of 1524	3780	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3780 wrote to memory of 1524	3780	JNcINeFgQBMYDefVEGSSb.exe	97
PID 3780 wrote to memory of 1524	3780	JNcINeFgQBMYDefVEGSSb.exe	97

C:\Users\Admin\AppData\Local\Temp\df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe
"C:\Users\Admin\AppData\Local\Temp\df97d1d585683a303400b1fc3f6c6efcc26d3dca58a953e64ba8e1c50c70f925.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe EbKPFiePLUOOOYOhPRh
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    - CmdLine Args
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EbKPFiePLUOOOYOhPRh

Filesize
35KB

MD5
ea3581b5402cd25a4e87c84044baa7c4

SHA1
1a89d0820ae9a38aa33706ac315d4a9ee68ca2b4

SHA256
42b41f7864b7676d91f929d7a49c1be90ea9d553d35f13caf624f691ec370d14

SHA512
7c20f4ab4a3fa2b7bff2d08491562cfa112f6f0bdad8865a9fa0d86a8ad5956e9d4d4369468dced7ac68a51cfa4a5910a986e9d62235a399cd5d54b1d84184e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JNcINeFgQBMYDefVEGSSb.exe

Filesize
915KB

MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hTcdWNaiUEIL

Filesize
440KB

MD5
f9316ff4d7013dbd09d1a176c3e857e0

SHA1
eb8cdb51c50e1a676e5d4068e6c2c4a345757568

SHA256
92d45ab64427ff281d604a8e5a611d104483e15de3202f29844acfdea2a4391f

SHA512
494abbcba1545a9fae2e5c91c507afa43b4a0f52e58a5508cd45481d853ab19c3a9ac1bdeb4f4466e9603b38d0e6f41be4477b39cfb2b7ded9f421ce4e82b03f

Download Submit
memory/1524-36-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-43-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-23-0x0000000073D72000-0x0000000073D73000-memory.dmp

Filesize
4KB

Download
memory/1524-27-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/1524-28-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/1524-29-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-31-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-52-0x0000000073D70000-0x0000000074321000-memory.dmp

Filesize
5.7MB

Download
memory/1524-45-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-19-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-40-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-37-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-42-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-32-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-30-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-51-0x0000000073D72000-0x0000000073D73000-memory.dmp

Filesize
4KB

Download
memory/3780-17-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads