imminent | 1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae

General

Target

1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
Size

1.1MB
MD5

c8e7010fa9b25b9c4b8a2dec9627c2ff
SHA1

86108e00d38d5b4b2b01ec1370dc66893f79c9e1
SHA256

1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae
SHA512

14c99aacb27a31f103c4c7831e55a371ec502bc901476369fb50568f61fe37cc80717e0736d7a0d6ea7040462808df2727705e541e5a2cd7007b75daafdd96d7

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1792	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
596	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1792	svhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
Token: SeDebugPrivilege	1792	svhost.exe
Token: 33	1792	svhost.exe
Token: SeIncBasePriorityPrivilege	1792	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1792	svhost.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1648	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	28
PID 1972 wrote to memory of 1648	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	28
PID 1972 wrote to memory of 1648	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	28
PID 1972 wrote to memory of 1648	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	28
PID 1648 wrote to memory of 940	1648	cmd.exe	30
PID 1648 wrote to memory of 940	1648	cmd.exe	30
PID 1648 wrote to memory of 940	1648	cmd.exe	30
PID 1648 wrote to memory of 940	1648	cmd.exe	30
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1792	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	31
PID 1972 wrote to memory of 1784	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	33
PID 1972 wrote to memory of 1784	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	33
PID 1972 wrote to memory of 1784	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	33
PID 1972 wrote to memory of 1784	1972	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	33
PID 1784 wrote to memory of 596	1784	cmd.exe	35
PID 1784 wrote to memory of 596	1784	cmd.exe	35
PID 1784 wrote to memory of 596	1784	cmd.exe	35
PID 1784 wrote to memory of 596	1784	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
"C:\Users\Admin\AppData\Local\Temp\1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    PID:940
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
1.1MB

MD5
c8e7010fa9b25b9c4b8a2dec9627c2ff

SHA1
86108e00d38d5b4b2b01ec1370dc66893f79c9e1

SHA256
1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae

SHA512
14c99aacb27a31f103c4c7831e55a371ec502bc901476369fb50568f61fe37cc80717e0736d7a0d6ea7040462808df2727705e541e5a2cd7007b75daafdd96d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

Filesize
204B

MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
memory/1792-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-65-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-64-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-63-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-61-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-60-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1792-77-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-79-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-78-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing