imminent | 0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
30/05/2022, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe
Size

339KB
MD5

2fbd194b2d68b2cd446a33efb244e4b7
SHA1

3cd0c6228067bb8fbac20e04a18e46aef4ee2d9e
SHA256

0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900
SHA512

cb3276da5d5e371d5f697741ed0c215b038d946dcce1583a682c615c39b0aa07533376f095cf1eeac111e53adfe26d3118a618cca14bddd3866762b22960791d

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
696	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe

Deletes itself 1 IoCs

pid	Process
1676	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1552	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
696	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe
Token: SeDebugPrivilege	696	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe
Token: 33	696	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe
Token: SeIncBasePriorityPrivilege	696	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
696	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 696	876	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe	28
PID 876 wrote to memory of 696	876	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe	28
PID 876 wrote to memory of 696	876	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe	28
PID 876 wrote to memory of 1676	876	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe	29
PID 876 wrote to memory of 1676	876	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe	29
PID 876 wrote to memory of 1676	876	0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe	29
PID 1676 wrote to memory of 1552	1676	cmd.exe	31
PID 1676 wrote to memory of 1552	1676	cmd.exe	31
PID 1676 wrote to memory of 1552	1676	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe
"C:\Users\Admin\AppData\Local\Temp\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe
  "C:\Users\Admin\AppData\Local\Temp\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe

Filesize
339KB

MD5
2fbd194b2d68b2cd446a33efb244e4b7

SHA1
3cd0c6228067bb8fbac20e04a18e46aef4ee2d9e

SHA256
0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900

SHA512
cb3276da5d5e371d5f697741ed0c215b038d946dcce1583a682c615c39b0aa07533376f095cf1eeac111e53adfe26d3118a618cca14bddd3866762b22960791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900\0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900.exe

Filesize
339KB

MD5
2fbd194b2d68b2cd446a33efb244e4b7

SHA1
3cd0c6228067bb8fbac20e04a18e46aef4ee2d9e

SHA256
0966c6a01169b4863d1a0a33911f13b686f3bd5ca2978ad3ad8829cf40d16900

SHA512
cb3276da5d5e371d5f697741ed0c215b038d946dcce1583a682c615c39b0aa07533376f095cf1eeac111e53adfe26d3118a618cca14bddd3866762b22960791d

Download Submit
memory/696-87-0x000007FEF6A80000-0x000007FEF6BC3000-memory.dmp

Filesize
1.3MB

Download
memory/696-81-0x000007FEF6D70000-0x000007FEF6F7D000-memory.dmp

Filesize
2.1MB

Download
memory/696-98-0x000007FEFB150000-0x000007FEFB1A9000-memory.dmp

Filesize
356KB

Download
memory/696-97-0x0000000000A56000-0x0000000000A75000-memory.dmp

Filesize
124KB

Download
memory/696-96-0x000007FEF6360000-0x000007FEF64CC000-memory.dmp

Filesize
1.4MB

Download
memory/696-95-0x000007FEEF160000-0x000007FEF01F6000-memory.dmp

Filesize
16.6MB

Download
memory/696-94-0x000007FEF49B0000-0x000007FEF588C000-memory.dmp

Filesize
14.9MB

Download
memory/696-93-0x000007FEF6D70000-0x000007FEF6F7D000-memory.dmp

Filesize
2.1MB

Download
memory/696-92-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/696-91-0x000007FEFB150000-0x000007FEFB1A9000-memory.dmp

Filesize
356KB

Download
memory/696-90-0x0000000000A56000-0x0000000000A75000-memory.dmp

Filesize
124KB

Download
memory/696-89-0x000007FEF6360000-0x000007FEF64CC000-memory.dmp

Filesize
1.4MB

Download
memory/696-88-0x000007FEF38D0000-0x000007FEF3F75000-memory.dmp

Filesize
6.6MB

Download
memory/696-86-0x000007FEEF160000-0x000007FEF01F6000-memory.dmp

Filesize
16.6MB

Download
memory/696-71-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/696-85-0x000007FEF6750000-0x000007FEF6987000-memory.dmp

Filesize
2.2MB

Download
memory/696-82-0x000007FEF49B0000-0x000007FEF588C000-memory.dmp

Filesize
14.9MB

Download
memory/696-84-0x000000001AFF0000-0x000000001B009000-memory.dmp

Filesize
100KB

Download
memory/696-83-0x000007FEEF160000-0x000007FEF01F6000-memory.dmp

Filesize
16.6MB

Download
memory/696-76-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/876-80-0x000007FEF76D0000-0x000007FEF7729000-memory.dmp

Filesize
356KB

Download
memory/876-56-0x000007FEF49B0000-0x000007FEF588C000-memory.dmp

Filesize
14.9MB

Download
memory/876-79-0x00000000020B6000-0x00000000020D5000-memory.dmp

Filesize
124KB

Download
memory/876-77-0x000007FEF66D0000-0x000007FEF683C000-memory.dmp

Filesize
1.4MB

Download
memory/876-55-0x000007FEF2EE0000-0x000007FEF3F76000-memory.dmp

Filesize
16.6MB

Download
memory/876-58-0x000007FEF6990000-0x000007FEF6BC7000-memory.dmp

Filesize
2.2MB

Download
memory/876-75-0x000007FEF49B0000-0x000007FEF588C000-memory.dmp

Filesize
14.9MB

Download
memory/876-74-0x000007FEF2EE0000-0x000007FEF3F76000-memory.dmp

Filesize
16.6MB

Download
memory/876-72-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/876-70-0x000007FEF6D70000-0x000007FEF6F7D000-memory.dmp

Filesize
2.1MB

Download
memory/876-54-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/876-73-0x000007FEF6990000-0x000007FEF6BC7000-memory.dmp

Filesize
2.2MB

Download
memory/876-59-0x0000000000B20000-0x0000000000B39000-memory.dmp

Filesize
100KB

Download
memory/876-57-0x000007FEF3F80000-0x000007FEF49A3000-memory.dmp

Filesize
10.1MB

Download
memory/876-65-0x000007FEF76D0000-0x000007FEF7729000-memory.dmp

Filesize
356KB

Download
memory/876-64-0x00000000020B6000-0x00000000020D5000-memory.dmp

Filesize
124KB

Download
memory/876-63-0x000007FEF66D0000-0x000007FEF683C000-memory.dmp

Filesize
1.4MB

Download
memory/876-62-0x000007FEEFB50000-0x000007FEF01F5000-memory.dmp

Filesize
6.6MB

Download
memory/876-61-0x000007FEF6840000-0x000007FEF6983000-memory.dmp

Filesize
1.3MB

Download
memory/876-60-0x000007FEF6D70000-0x000007FEF6F7D000-memory.dmp

Filesize
2.1MB

Download