imminent | 0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2

Analysis

max time kernel
174s
max time network
180s
platform
windows7_x64
resource
win7-20220414-en
submitted
31/05/2022, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe
Size

718KB
MD5

d9b17b3e7884802a2dc2c46432b8ba99
SHA1

08e3bfb6fa24a6a1aebd579bb2307156478bfd8e
SHA256

0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2
SHA512

d9c6f3338619350aa34343d570b62962f096770a1a402e9d01b04d1c3bd6438bee917ec3875917eb59ba81d4ef09c943cc1640f7cbaaf7cf52f7270bca42b7a1

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1492	o1710tdXI475lNr9hed.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o1710tdXI475lNr9.exe.url	o1710tdXI475lNr9hed.exe

Loads dropped DLL 1 IoCs

pid	Process
1884	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 2012	1492	o1710tdXI475lNr9hed.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1492	o1710tdXI475lNr9hed.exe
1492	o1710tdXI475lNr9hed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	o1710tdXI475lNr9hed.exe
Token: SeDebugPrivilege	2012	RegAsm.exe
Token: 33	2012	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2012	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1492	1884	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe	27
PID 1884 wrote to memory of 1492	1884	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe	27
PID 1884 wrote to memory of 1492	1884	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe	27
PID 1884 wrote to memory of 1492	1884	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe	27
PID 1492 wrote to memory of 1356	1492	o1710tdXI475lNr9hed.exe	28
PID 1492 wrote to memory of 1356	1492	o1710tdXI475lNr9hed.exe	28
PID 1492 wrote to memory of 1356	1492	o1710tdXI475lNr9hed.exe	28
PID 1492 wrote to memory of 1356	1492	o1710tdXI475lNr9hed.exe	28
PID 1356 wrote to memory of 1216	1356	csc.exe	30
PID 1356 wrote to memory of 1216	1356	csc.exe	30
PID 1356 wrote to memory of 1216	1356	csc.exe	30
PID 1356 wrote to memory of 1216	1356	csc.exe	30
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31
PID 1492 wrote to memory of 2012	1492	o1710tdXI475lNr9hed.exe	31

C:\Users\Admin\AppData\Local\Temp\0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe
"C:\Users\Admin\AppData\Local\Temp\0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\o1710tdXI475lNr9hed.exe
  C:\Users\Admin\o1710tdXI475lNr9hed.exe 1
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xl44013y\xl44013y.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA5.tmp" "c:\Users\Admin\AppData\Local\Temp\xl44013y\CSC4596FC571AAB4A7D991E4E5B2DDA6AF.TMP"
      4⤵
      PID:1216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6FA5.tmp

Filesize
1KB

MD5
41b93af2add169723ada1cb2dd46679d

SHA1
f06fbc9cca9454a3ab088d985cd4d87a9d8dd7c3

SHA256
e54110b1b79afd4c88bfd9e884ae1a8de7edc6983a1e6473aed176d3addc10ee

SHA512
bf4c30ce78ce10b5d58fddcc6e9a7b7e196d31448c4d115d64cde515e211c69004bd1c131db15866ca32e8e8c75c75da43be409522d37e8bb279855a372dc4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl44013y\xl44013y.dll

Filesize
5KB

MD5
1d72f597936159cf0207d4dfd08c01a9

SHA1
cb63ca1866626e44b55fd1d90acdb0eeca548aaf

SHA256
31b5f36ee28fe87e06ab819a667ce11039fbbed43ea7a02cd78e260df1992044

SHA512
f5c8ad3c96ccf54dfcbeb607cdb51eb9e7658644c9fe3a0c22ddddaa1f0ad5e33b1ecbb1375d605ca9c576e44b94893883c777c914f427b6c4180a2a99c9fced

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl44013y\xl44013y.pdb

Filesize
15KB

MD5
67cbfe4b790951115e78901d78e1d072

SHA1
34f498ccc7fafd52b5c576e3f755530eab678944

SHA256
754828c9fd35d3a57e232ffd7af0c83056c913f6192f001f6f25e56304b84c2e

SHA512
4f8a9fe35c172ea612d51f27421602c875d080d28939f213e4319bd5f71b5301bc61d1775bcc80d0f653046a62f5ebcacd5ceebe2bb9a2310fa29c390ddb2ef4

Download Submit
C:\Users\Admin\o1710tdXI475lNr9hed.exe

Filesize
503KB

MD5
be529ee01d75e90f8945e9e6fa9f9e77

SHA1
01edb6a9e46b1fc9bd3bda124ca0025806324b19

SHA256
c03164840f10969f895885c763519362339e44bc423979f32de5b06e5a686ee1

SHA512
ce6f501feb72db0676df852da3151243832623ca2c5b6d4f50917f76f7621d35bedd5a63737d3a3aefff1f00ee9b19ef578319babbfe1b32df8efc93685011be

Download Submit
C:\Users\Admin\o1710tdXI475lNr9hed.exe

Filesize
503KB

MD5
be529ee01d75e90f8945e9e6fa9f9e77

SHA1
01edb6a9e46b1fc9bd3bda124ca0025806324b19

SHA256
c03164840f10969f895885c763519362339e44bc423979f32de5b06e5a686ee1

SHA512
ce6f501feb72db0676df852da3151243832623ca2c5b6d4f50917f76f7621d35bedd5a63737d3a3aefff1f00ee9b19ef578319babbfe1b32df8efc93685011be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xl44013y\CSC4596FC571AAB4A7D991E4E5B2DDA6AF.TMP

Filesize
1KB

MD5
92753f2ca038d2fee158b8ddf698a34c

SHA1
0281f928b2df3088ffcdea3128d87acf85a31a80

SHA256
327e0a739a67fcb972fdfcf435e0146574ef8eeca81ff090fc065913871ffa49

SHA512
a23262e604f44cefc8f635c776f85389f84b65cf61a2bf8773845c82b97c737c257029fdcc713729267efc7582978f6bc35b520d3170731b8a4ee855026ecb6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xl44013y\xl44013y.0.cs

Filesize
2KB

MD5
ba57d6806ade52cdb76095c388a42430

SHA1
32bfe87b836a49d1f37ec7ee62ce6f497f7884c4

SHA256
d22622399d37fd082cab9d46269326ed5a3e85509c95f9c4befc20e59b86bbe5

SHA512
37409914c1da0f110058c81594eabd4f75051caa9f290ae4769f9b1cc2bbf53d1d516a6d581eb942f3b5f8962fbb6cbd1c6c0e644e4db12aa999fbb6f6413960

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xl44013y\xl44013y.cmdline

Filesize
224B

MD5
79cbae79f06c5840b5393b3cff6614ad

SHA1
5fd2993a4b7df991492d1726499a4e82b38ee3e0

SHA256
dea6d88c556ddcafbcf57c43c1a399a425fa0ee4c69fa0e6da8815b4668dca3d

SHA512
fa83e873199b8da83b7ec78f0a17b5be84cd99aadd6ba53b523e68a4ed7f2e2d43da0a9d9726d7e787a9e0c26a8826683c7ca3950500709c7422bf94e33be375

Download Submit
\Users\Admin\o1710tdXI475lNr9hed.exe

Filesize
503KB

MD5
be529ee01d75e90f8945e9e6fa9f9e77

SHA1
01edb6a9e46b1fc9bd3bda124ca0025806324b19

SHA256
c03164840f10969f895885c763519362339e44bc423979f32de5b06e5a686ee1

SHA512
ce6f501feb72db0676df852da3151243832623ca2c5b6d4f50917f76f7621d35bedd5a63737d3a3aefff1f00ee9b19ef578319babbfe1b32df8efc93685011be

Download Submit
memory/1492-71-0x0000000004990000-0x0000000004A12000-memory.dmp

Filesize
520KB

Download
memory/1492-61-0x00000000721A0000-0x000000007352F000-memory.dmp

Filesize
19.6MB

Download
memory/1492-70-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/1492-59-0x0000000000DA0000-0x0000000000E24000-memory.dmp

Filesize
528KB

Download
memory/1492-64-0x0000000071790000-0x00000000721A0000-memory.dmp

Filesize
10.1MB

Download
memory/1492-72-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/1492-74-0x0000000004B70000-0x0000000004BE8000-memory.dmp

Filesize
480KB

Download
memory/1492-90-0x0000000073D40000-0x0000000073F11000-memory.dmp

Filesize
1.8MB

Download
memory/1492-89-0x0000000070FB0000-0x0000000071790000-memory.dmp

Filesize
7.9MB

Download
memory/1492-87-0x0000000071790000-0x00000000721A0000-memory.dmp

Filesize
10.1MB

Download
memory/1492-85-0x00000000721A0000-0x000000007352F000-memory.dmp

Filesize
19.6MB

Download
memory/1884-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/2012-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-96-0x00000000727B0000-0x000000007294B000-memory.dmp

Filesize
1.6MB

Download
memory/2012-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-79-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-78-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-76-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-75-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2012-91-0x0000000070A00000-0x0000000070FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-92-0x000000006FF00000-0x00000000709F8000-memory.dmp

Filesize
11.0MB

Download
memory/2012-93-0x0000000074000000-0x000000007479C000-memory.dmp

Filesize
7.6MB

Download
memory/2012-94-0x0000000073D90000-0x0000000073F18000-memory.dmp

Filesize
1.5MB

Download
memory/2012-95-0x0000000072950000-0x000000007352E000-memory.dmp

Filesize
11.9MB

Download
memory/2012-97-0x00000000737D0000-0x00000000738C1000-memory.dmp

Filesize
964KB

Download
memory/2012-99-0x0000000072160000-0x0000000072264000-memory.dmp

Filesize
1.0MB

Download
memory/2012-98-0x0000000072270000-0x00000000727A6000-memory.dmp

Filesize
5.2MB

Download
memory/2012-100-0x0000000071F30000-0x0000000071F6A000-memory.dmp

Filesize
232KB

Download
memory/2012-101-0x000000006FF00000-0x00000000709F8000-memory.dmp

Filesize
11.0MB

Download
memory/2012-102-0x0000000070A00000-0x0000000070FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-103-0x0000000074000000-0x000000007479C000-memory.dmp

Filesize
7.6MB

Download
memory/2012-105-0x00000000727B0000-0x000000007294B000-memory.dmp

Filesize
1.6MB

Download
memory/2012-104-0x0000000072950000-0x000000007352E000-memory.dmp

Filesize
11.9MB

Download
memory/2012-106-0x0000000072160000-0x0000000072264000-memory.dmp

Filesize
1.0MB

Download
memory/2012-107-0x0000000071F30000-0x0000000071F6A000-memory.dmp

Filesize
232KB

Download