imminent | 1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae

General

Target

1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
Size

1.1MB
MD5

c8e7010fa9b25b9c4b8a2dec9627c2ff
SHA1

86108e00d38d5b4b2b01ec1370dc66893f79c9e1
SHA256

1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae
SHA512

14c99aacb27a31f103c4c7831e55a371ec502bc901476369fb50568f61fe37cc80717e0736d7a0d6ea7040462808df2727705e541e5a2cd7007b75daafdd96d7

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
4876	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
File opened for modification	C:\Windows\assembly	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
File created	C:\Windows\assembly\Desktop.ini	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4424	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4876	svhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
Token: SeDebugPrivilege	4876	svhost.exe
Token: 33	4876	svhost.exe
Token: SeIncBasePriorityPrivilege	4876	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4876	svhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3936	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	77
PID 2220 wrote to memory of 3936	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	77
PID 2220 wrote to memory of 3936	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	77
PID 3936 wrote to memory of 2192	3936	cmd.exe	79
PID 3936 wrote to memory of 2192	3936	cmd.exe	79
PID 3936 wrote to memory of 2192	3936	cmd.exe	79
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4876	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	80
PID 2220 wrote to memory of 4184	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	81
PID 2220 wrote to memory of 4184	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	81
PID 2220 wrote to memory of 4184	2220	1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe	81
PID 4184 wrote to memory of 4424	4184	cmd.exe	83
PID 4184 wrote to memory of 4424	4184	cmd.exe	83
PID 4184 wrote to memory of 4424	4184	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe
"C:\Users\Admin\AppData\Local\Temp\1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:4424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
1.1MB

MD5
c8e7010fa9b25b9c4b8a2dec9627c2ff

SHA1
86108e00d38d5b4b2b01ec1370dc66893f79c9e1

SHA256
1e640fce2c561f756b28af7a3e11c2622ac20b03660df83ffd5d14a437112bae

SHA512
14c99aacb27a31f103c4c7831e55a371ec502bc901476369fb50568f61fe37cc80717e0736d7a0d6ea7040462808df2727705e541e5a2cd7007b75daafdd96d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

Filesize
204B

MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/2220-130-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/2220-131-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/2220-143-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4876-136-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4876-142-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download
memory/4876-144-0x00000000754D0000-0x0000000075A81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing