imminent | 1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb

General

Target

1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe
Size

320KB
MD5

4220a0e8153d9bec257da70683c42cb4
SHA1

ad5ada0f306bb4e77bbbc3c274fd3a338a2c39e4
SHA256

1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb
SHA512

5fcc3cb36f0d158e3ff41caf026c6da6ee95fc07d8e993b09594d3a4065dec7f16bb68eb45f2deb25e115c3aefffd6164daa9cd3c308548b1e306b42a72b9e26

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
676	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe
1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1532	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe
Token: SeDebugPrivilege	676	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe
Token: 33	676	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe
Token: SeIncBasePriorityPrivilege	676	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
676	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 676	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	28
PID 1904 wrote to memory of 676	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	28
PID 1904 wrote to memory of 676	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	28
PID 1904 wrote to memory of 676	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	28
PID 1904 wrote to memory of 844	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	29
PID 1904 wrote to memory of 844	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	29
PID 1904 wrote to memory of 844	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	29
PID 1904 wrote to memory of 844	1904	1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe	29
PID 844 wrote to memory of 1532	844	cmd.exe	31
PID 844 wrote to memory of 1532	844	cmd.exe	31
PID 844 wrote to memory of 1532	844	cmd.exe	31
PID 844 wrote to memory of 1532	844	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe
"C:\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe
  "C:\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1532

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Filesize
320KB

MD5
4220a0e8153d9bec257da70683c42cb4

SHA1
ad5ada0f306bb4e77bbbc3c274fd3a338a2c39e4

SHA256
1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb

SHA512
5fcc3cb36f0d158e3ff41caf026c6da6ee95fc07d8e993b09594d3a4065dec7f16bb68eb45f2deb25e115c3aefffd6164daa9cd3c308548b1e306b42a72b9e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Filesize
320KB

MD5
4220a0e8153d9bec257da70683c42cb4

SHA1
ad5ada0f306bb4e77bbbc3c274fd3a338a2c39e4

SHA256
1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb

SHA512
5fcc3cb36f0d158e3ff41caf026c6da6ee95fc07d8e993b09594d3a4065dec7f16bb68eb45f2deb25e115c3aefffd6164daa9cd3c308548b1e306b42a72b9e26

Download Submit
\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Filesize
320KB

MD5
4220a0e8153d9bec257da70683c42cb4

SHA1
ad5ada0f306bb4e77bbbc3c274fd3a338a2c39e4

SHA256
1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb

SHA512
5fcc3cb36f0d158e3ff41caf026c6da6ee95fc07d8e993b09594d3a4065dec7f16bb68eb45f2deb25e115c3aefffd6164daa9cd3c308548b1e306b42a72b9e26

Download Submit
\Users\Admin\AppData\Local\Temp\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb\1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb.exe

Filesize
320KB

MD5
4220a0e8153d9bec257da70683c42cb4

SHA1
ad5ada0f306bb4e77bbbc3c274fd3a338a2c39e4

SHA256
1844736c9adbe4513f56f0790427ffc64f68bcd51b0d86ebf683388ed6d74feb

SHA512
5fcc3cb36f0d158e3ff41caf026c6da6ee95fc07d8e993b09594d3a4065dec7f16bb68eb45f2deb25e115c3aefffd6164daa9cd3c308548b1e306b42a72b9e26

Download Submit
memory/676-66-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/676-67-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1904-56-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-55-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-65-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing