imminent | 0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2

General

Target

0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe
Size

718KB
MD5

d9b17b3e7884802a2dc2c46432b8ba99
SHA1

08e3bfb6fa24a6a1aebd579bb2307156478bfd8e
SHA256

0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2
SHA512

d9c6f3338619350aa34343d570b62962f096770a1a402e9d01b04d1c3bd6438bee917ec3875917eb59ba81d4ef09c943cc1640f7cbaaf7cf52f7270bca42b7a1

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1292	o1710tdXI475lNr9hed.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o1710tdXI475lNr9.exe.url	o1710tdXI475lNr9hed.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 4108	1292	o1710tdXI475lNr9hed.exe	85

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1292	o1710tdXI475lNr9hed.exe
1292	o1710tdXI475lNr9hed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4108	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	o1710tdXI475lNr9hed.exe
Token: SeDebugPrivilege	4108	RegAsm.exe
Token: 33	4108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4108	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4108	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1292	2272	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe	81
PID 2272 wrote to memory of 1292	2272	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe	81
PID 2272 wrote to memory of 1292	2272	0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe	81
PID 1292 wrote to memory of 2896	1292	o1710tdXI475lNr9hed.exe	82
PID 1292 wrote to memory of 2896	1292	o1710tdXI475lNr9hed.exe	82
PID 1292 wrote to memory of 2896	1292	o1710tdXI475lNr9hed.exe	82
PID 2896 wrote to memory of 1860	2896	csc.exe	84
PID 2896 wrote to memory of 1860	2896	csc.exe	84
PID 2896 wrote to memory of 1860	2896	csc.exe	84
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85
PID 1292 wrote to memory of 4108	1292	o1710tdXI475lNr9hed.exe	85

C:\Users\Admin\AppData\Local\Temp\0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe
"C:\Users\Admin\AppData\Local\Temp\0715e1cfab9d4e4f13610d788bac2cad2d412881a3917560ef61e0cc8cdcffa2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\o1710tdXI475lNr9hed.exe
  C:\Users\Admin\o1710tdXI475lNr9hed.exe 1
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\acknx2cn\acknx2cn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB42.tmp" "c:\Users\Admin\AppData\Local\Temp\acknx2cn\CSCBC2102CCE0E34108B089EAB5449B72B8.TMP"
      4⤵
      PID:1860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDB42.tmp

Filesize
1KB

MD5
1a73aeeabc7148a53e17449b4b0b628b

SHA1
c9a0c62b53a93396da975f00a5cd4e8199848a23

SHA256
8a85775c0c929333935fde20fb8c000db438df8b2a7a91bb81f2d81c4ad46bad

SHA512
f5c70f500d452253205585e096812ccb5b9185848d3d28de549b01a71be7f53d8f0f5e7a99168c24b14254950afd92d8112b4d2014d2b770bcf32be99cb62462

Download Submit
C:\Users\Admin\AppData\Local\Temp\acknx2cn\acknx2cn.dll

Filesize
5KB

MD5
5ec3db463682f5818629cad773201cde

SHA1
6206ef38c9252b9916376a56d22a2c3a0f913d41

SHA256
0fd1498cd077eca3dca3f4cae7cc2cdfaec1074c54383bb93a53d09a60f68ec0

SHA512
8eb7f0bb041776a4a0570bfc1a7bd738d284318091862700e0c37533f2fb379131cd4a634b7e66c1bc5388ba95ad29029c15a940ae2f0d942462e6a163817493

Download Submit
C:\Users\Admin\AppData\Local\Temp\acknx2cn\acknx2cn.pdb

Filesize
15KB

MD5
e303004380e1a2c543f620ba9e9efc8e

SHA1
890af0ce3494d1d4db9ea08f29efe1cd3323deef

SHA256
55fb7073d511dc6b839a9208a8db2ef40398a7aa47394cc1ee88b8ea3223d854

SHA512
87200cbbc0bf4a68bd0217965fa32f6e91d7ab538bb8c12db2b963a995a8f89bd2889334d732fe55193cc4f42ebdba394244acd3e01932f5c334ccfdce292e98

Download Submit
C:\Users\Admin\o1710tdXI475lNr9hed.exe

Filesize
503KB

MD5
be529ee01d75e90f8945e9e6fa9f9e77

SHA1
01edb6a9e46b1fc9bd3bda124ca0025806324b19

SHA256
c03164840f10969f895885c763519362339e44bc423979f32de5b06e5a686ee1

SHA512
ce6f501feb72db0676df852da3151243832623ca2c5b6d4f50917f76f7621d35bedd5a63737d3a3aefff1f00ee9b19ef578319babbfe1b32df8efc93685011be

Download Submit
C:\Users\Admin\o1710tdXI475lNr9hed.exe

Filesize
503KB

MD5
be529ee01d75e90f8945e9e6fa9f9e77

SHA1
01edb6a9e46b1fc9bd3bda124ca0025806324b19

SHA256
c03164840f10969f895885c763519362339e44bc423979f32de5b06e5a686ee1

SHA512
ce6f501feb72db0676df852da3151243832623ca2c5b6d4f50917f76f7621d35bedd5a63737d3a3aefff1f00ee9b19ef578319babbfe1b32df8efc93685011be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\acknx2cn\CSCBC2102CCE0E34108B089EAB5449B72B8.TMP

Filesize
1KB

MD5
fd03b2fc18eee552cccf6e607c6b4838

SHA1
2fbfcf77bfdf0e8938cf47c9352f5f20c353292e

SHA256
0cf366417e22f5dee4cc133c54b5aea081b2ae8a28c1c86ddac49b7e639ddc3f

SHA512
85972f88d0554b43cd107cf89e2ee3a4578f457e61e1c090986e0acbebd13413c766e701a394773fdfb127d72e9539b26076ba9a75f8bbf5b49e1734729f8b6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\acknx2cn\acknx2cn.0.cs

Filesize
2KB

MD5
ba57d6806ade52cdb76095c388a42430

SHA1
32bfe87b836a49d1f37ec7ee62ce6f497f7884c4

SHA256
d22622399d37fd082cab9d46269326ed5a3e85509c95f9c4befc20e59b86bbe5

SHA512
37409914c1da0f110058c81594eabd4f75051caa9f290ae4769f9b1cc2bbf53d1d516a6d581eb942f3b5f8962fbb6cbd1c6c0e644e4db12aa999fbb6f6413960

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\acknx2cn\acknx2cn.cmdline

Filesize
224B

MD5
76c0f5684f25261288af23d1a5cd3c9d

SHA1
d1fa39cac47b061cc016c9c0a49fc8aa5e73eb83

SHA256
e8d4791b3e4a25109875b683ae022a7c432ca8e89a4f578ef7af9acdf837c06a

SHA512
b97e324d0f8cc06a45f571714e921b1db0be2f32f29b902b85ade7c16f9cd6e174e132d7764bda2948c9e4fa38eddac5d333d94e67bba599a7e94133d2187564

Download Submit
memory/1292-133-0x0000000000AB0000-0x0000000000B34000-memory.dmp

Filesize
528KB

Download
memory/1292-142-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/4108-144-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4108-145-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4108-146-0x0000000073920000-0x0000000074420000-memory.dmp

Filesize
11.0MB

Download
memory/4108-147-0x0000000073040000-0x00000000737E8000-memory.dmp

Filesize
7.7MB

Download
memory/4108-148-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4108-149-0x0000000073920000-0x0000000074420000-memory.dmp

Filesize
11.0MB

Download
memory/4108-150-0x0000000073040000-0x00000000737E8000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing