imminent | 2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059

Analysis

max time kernel
150s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
14/06/2022, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe
Size

322KB
MD5

3cf9a1dec37e5b6a668e2b2e502f8d9e
SHA1

17497d2d85b1fe5b7a3c2cfeed9a2501e0aeadd6
SHA256

2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059
SHA512

087fa153799899ac1069ab937c0778c6d89d892716d7d25404bc9a52bebadbffd9bafe407788afb900ab43a0a82c69f7750fec6277776efd4cf1f28c303d64cc

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\unreal engine = "C:\\Users\\Admin\\AppData\\Roaming\\\\.exe"	2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2016	2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe
Token: 33	2016	2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe
Token: SeIncBasePriorityPrivilege	2016	2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2016	2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe

C:\Users\Admin\AppData\Local\Temp\2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe
"C:\Users\Admin\AppData\Local\Temp\2ca8b21a20da510fa7229c232046d5ef366e633e9c6151479a2cde822cde6059.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-54-0x0000000000920000-0x0000000000976000-memory.dmp

Filesize
344KB

Download
memory/2016-55-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2016-56-0x0000000004680000-0x000000000472E000-memory.dmp

Filesize
696KB

Download
memory/2016-57-0x00000000003F0000-0x0000000000418000-memory.dmp

Filesize
160KB

Download
memory/2016-58-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/2016-59-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download