imminent | 0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f

General

Target

0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe
Size

474KB
MD5

1e574b676befa0441d0a5755f2389b10
SHA1

3c18cd1e799d55ccc3af4abd6d1f4835cd8de349
SHA256

0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f
SHA512

1ef5d7a2222c4434902485c4618c7b1d1505e9acb4a64733133cf6158b1e9e4d1005efafee05308713356fef4100f9612df9ba1a714ed0135e562d5ca39233df

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
4552	Update.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update\Update.exe	0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update\Update.exe	0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	regasm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	regasm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 1776	4552	Update.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	regasm.exe
File created	C:\Windows\assembly\Desktop.ini	regasm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	regasm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1572	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1776	regasm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3848	0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe
Token: SeDebugPrivilege	4552	Update.exe
Token: SeDebugPrivilege	1776	regasm.exe
Token: 33	1776	regasm.exe
Token: SeIncBasePriorityPrivilege	1776	regasm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1776	regasm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 4384	3848	0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe	80
PID 3848 wrote to memory of 4384	3848	0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe	80
PID 3848 wrote to memory of 4384	3848	0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe	80
PID 4384 wrote to memory of 4552	4384	cmd.exe	82
PID 4384 wrote to memory of 4552	4384	cmd.exe	82
PID 4384 wrote to memory of 4552	4384	cmd.exe	82
PID 4552 wrote to memory of 1416	4552	Update.exe	83
PID 4552 wrote to memory of 1416	4552	Update.exe	83
PID 4552 wrote to memory of 1416	4552	Update.exe	83
PID 1416 wrote to memory of 2224	1416	cmd.exe	85
PID 1416 wrote to memory of 2224	1416	cmd.exe	85
PID 1416 wrote to memory of 2224	1416	cmd.exe	85
PID 4552 wrote to memory of 4784	4552	Update.exe	86
PID 4552 wrote to memory of 4784	4552	Update.exe	86
PID 4552 wrote to memory of 4784	4552	Update.exe	86
PID 4784 wrote to memory of 1572	4784	cmd.exe	88
PID 4784 wrote to memory of 1572	4784	cmd.exe	88
PID 4784 wrote to memory of 1572	4784	cmd.exe	88
PID 4552 wrote to memory of 1776	4552	Update.exe	89
PID 4552 wrote to memory of 1776	4552	Update.exe	89
PID 4552 wrote to memory of 1776	4552	Update.exe	89
PID 4552 wrote to memory of 1776	4552	Update.exe	89
PID 4552 wrote to memory of 1776	4552	Update.exe	89
PID 4552 wrote to memory of 1776	4552	Update.exe	89
PID 4552 wrote to memory of 1776	4552	Update.exe	89
PID 4552 wrote to memory of 1776	4552	Update.exe	89

C:\Users\Admin\AppData\Local\Temp\0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe
"C:\Users\Admin\AppData\Local\Temp\0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update\Update.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update\Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1971931965.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1572
  - - C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update\Update.exe"
      4⤵
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1776

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1971931965.xml

Filesize
1KB

MD5
bdea2113e3ddcc12fe31a1e243723cea

SHA1
9526c0fe34d3252a2f59d75b2e7db63f0d222010

SHA256
0e5294589280eba0c1249a036c3dbc1f5524177e6950f454acc0f900feecbf74

SHA512
dd729184d9fea45e60238217cbc8ee9f303533bef36b5c3dde0e78f4226f9889770dfbbd3c3bf9ea73738d36b4b1570b3eb804ec1120301204fb9858ad8e1723

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update\Update.exe

Filesize
474KB

MD5
1e574b676befa0441d0a5755f2389b10

SHA1
3c18cd1e799d55ccc3af4abd6d1f4835cd8de349

SHA256
0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f

SHA512
1ef5d7a2222c4434902485c4618c7b1d1505e9acb4a64733133cf6158b1e9e4d1005efafee05308713356fef4100f9612df9ba1a714ed0135e562d5ca39233df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update\Update.exe

Filesize
474KB

MD5
1e574b676befa0441d0a5755f2389b10

SHA1
3c18cd1e799d55ccc3af4abd6d1f4835cd8de349

SHA256
0abdb818b937d098342fa7a1403a73d1aa5eeb2c72bc39afdba8cad9f76eec4f

SHA512
1ef5d7a2222c4434902485c4618c7b1d1505e9acb4a64733133cf6158b1e9e4d1005efafee05308713356fef4100f9612df9ba1a714ed0135e562d5ca39233df

Download Submit
memory/1776-153-0x0000000073A50000-0x00000000741F8000-memory.dmp

Filesize
7.7MB

Download
memory/1776-152-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1776-148-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1776-157-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/1776-156-0x0000000073A50000-0x00000000741F8000-memory.dmp

Filesize
7.7MB

Download
memory/1776-155-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1776-154-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/3848-138-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/3848-130-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/3848-131-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/3848-137-0x0000000073A50000-0x00000000741F8000-memory.dmp

Filesize
7.7MB

Download
memory/3848-136-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/4552-151-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/4552-150-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/4552-149-0x0000000073A50000-0x00000000741F8000-memory.dmp

Filesize
7.7MB

Download
memory/4552-142-0x0000000074260000-0x0000000074D60000-memory.dmp

Filesize
11.0MB

Download
memory/4552-141-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/4552-140-0x0000000073A50000-0x00000000741F8000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads