imminent | 2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa | Triage

Analysis

max time kernel
162s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12/06/2022, 08:18

Sharing

Report Analysis Logs

General

Target

2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe
Size

321KB
MD5

268f5e3f31cf11398f5487a337b15238
SHA1

fb39ec670d61d8334644196a3f4f855477b6e854
SHA256

2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa
SHA512

a009f0136d9ec33c4db10539facec3a54c1782c50a4872fe209878b05f492626df0ba2888611aa537ab05e477451929ff1a8a37b1c9a731ad6c32b38d079dad0

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe
File opened for modification	C:\Windows\assembly	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe
File created	C:\Windows\assembly\Desktop.ini	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe
Token: 33	2692	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe
Token: SeIncBasePriorityPrivilege	2692	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe

C:\Users\Admin\AppData\Local\Temp\2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe
"C:\Users\Admin\AppData\Local\Temp\2189577239106b785b0c8345328c91256d79e1a96bcf5ea03e137fa9af05a7aa.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2692-130-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download
memory/2692-131-0x0000000074F50000-0x0000000075501000-memory.dmp

Filesize
5.7MB

Download