imminent | 2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
15/06/2022, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
Size

1.0MB
MD5

00d96b2925e451cfa8472648860c82f3
SHA1

1523eda532178724b3ae122b18b2038020df8cf7
SHA256

2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25
SHA512

a22a2b41f23dd4b2862496e6bac67cf9e86ea3c44bf66bc224a172bb9f39356fc7b119c77d7d2168d1aa06df53dbc5ab40a6d891dabcfbcaa246826023a08fdc

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MALJuv.url	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1180 set thread context of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
Token: SeDebugPrivilege	1248	RegAsm.exe
Token: 33	1248	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1248	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1248	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2032	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	28
PID 1180 wrote to memory of 2032	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	28
PID 1180 wrote to memory of 2032	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	28
PID 1180 wrote to memory of 2032	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	28
PID 2032 wrote to memory of 2012	2032	csc.exe	30
PID 2032 wrote to memory of 2012	2032	csc.exe	30
PID 2032 wrote to memory of 2012	2032	csc.exe	30
PID 2032 wrote to memory of 2012	2032	csc.exe	30
PID 1180 wrote to memory of 984	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	31
PID 1180 wrote to memory of 984	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	31
PID 1180 wrote to memory of 984	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	31
PID 1180 wrote to memory of 984	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	31
PID 1180 wrote to memory of 984	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	31
PID 1180 wrote to memory of 984	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	31
PID 1180 wrote to memory of 984	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	31
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32
PID 1180 wrote to memory of 1248	1180	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	32

C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
"C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7B8.tmp" "c:\Users\Admin\AppData\Local\Temp\g0jza0mz\CSCEF8830EFB02F43AA87C7606F54B15EC.TMP"
    3⤵
    PID:2012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF7B8.tmp

Filesize
1KB

MD5
e280916bea8d37a5f5651e9e060ff6a2

SHA1
edfc1f3048d4cf54961a4ba1928044eb5c56e813

SHA256
7ec95722bd36f25b5abccf9aa11b8200d8840ccb99e37b994c65354a62019faa

SHA512
489de9ca4a1ff75701f39433f8763247739151b7fc3fb3701d236c7df94cfaf72411ec2213c3ac9ab288f000141bc9af069b12ecdc177ab3669eb476ad4dda39

Download Submit
C:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.dll

Filesize
24KB

MD5
9ce98bb5e2fff8edb92c45a189fcc4a4

SHA1
aa8296aa7930bf80ff5c1e6f265d91f4635a5628

SHA256
1f2f8d9dab92d2facc26f82cf4358d5bc918153a997c1ac3b5551b933b4c9e1c

SHA512
9c3deac32442b49739214c23de2a86d1261198ad2616a03eeb2faf3dc52edc31bcae9699e9e1cd24ac26aaf803e0adf2311c2ab0ea44bce6bfb39d220cdbe682

Download Submit
C:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.pdb

Filesize
83KB

MD5
c3647f38c0edc13a26638432a878c41e

SHA1
017f17c8cb1f671df9526550deac42362f48a0dc

SHA256
cb2fcd78711c00ed64519e44d7c0d1b06625976e4e31018b714b6dc0751167de

SHA512
858783b6b1bcde62a398ce0a0b278d9eda6c439779557eadb65d6ad5eb7c368106124ae8c859a5705271011346b8c26e94cb272bb8af0f680d1d0a5e74d3b387

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g0jza0mz\CSCEF8830EFB02F43AA87C7606F54B15EC.TMP

Filesize
1KB

MD5
ef4096a4b9ff1c84d13da35bdc764942

SHA1
6a0f81d4ce1ee8bd65e3656a28328369809b227d

SHA256
d71a0b63fe6dda03cac74e6caa08c2b115a0273be5a9b8df2f55a9e432cc744c

SHA512
5190157b5037615ef51ab1485ea4915ac14ad231156e457bfce1994dc00d145611eecd1dc08e3e7b0377d2a9fa5a13faedfa40d272ebc17ca563bdcceb97ae68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.0.cs

Filesize
62KB

MD5
e5dd8220d0289c5c42153bb8a88f21b5

SHA1
0a370af3c4ddc1b4be1d5e0b748850b82dfd0c6c

SHA256
f4ef08fc01a3936434d6e4475f40f2e81b168e26827117da560e6f169e5754fc

SHA512
630d78780ef789d587a91d98c081dc257efe9dd1514d905f9fae5cff2c0e59fa5227d15567088ae41c5f4ac7f06bb61c899f9eeac4085926e619a97ce3adb956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.cmdline

Filesize
312B

MD5
8966c6bda0651e5267aebfadf26e2daf

SHA1
37b60a2c79e8d2587271972cb0e0dbbd15b822a0

SHA256
38aac28786f4fa18fc72301eac3c61075096e2d060ced8d0d674d7a078e39ef6

SHA512
cffa108babd8e92cb7ae70d078f5aa07fd0d1b4384e03482d3dff9af29913b4e4ac497c81daa0c7149594cd627a320ee557ce62a2a2455da24f5fa80d708ad71

Download Submit
memory/1180-66-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1180-54-0x0000000000E70000-0x0000000000F7E000-memory.dmp

Filesize
1.1MB

Download
memory/1180-67-0x0000000004B70000-0x0000000004BC6000-memory.dmp

Filesize
344KB

Download
memory/1180-63-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/1180-64-0x0000000004B10000-0x0000000004B70000-memory.dmp

Filesize
384KB

Download
memory/1180-65-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1248-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1248-68-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1248-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1248-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1248-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1248-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1248-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1248-80-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-81-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download