imminent | 2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25

General

Target

2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
Size

1.0MB
MD5

00d96b2925e451cfa8472648860c82f3
SHA1

1523eda532178724b3ae122b18b2038020df8cf7
SHA256

2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25
SHA512

a22a2b41f23dd4b2862496e6bac67cf9e86ea3c44bf66bc224a172bb9f39356fc7b119c77d7d2168d1aa06df53dbc5ab40a6d891dabcfbcaa246826023a08fdc

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MALJuv.url	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
696	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
Token: SeDebugPrivilege	696	RegAsm.exe
Token: 33	696	RegAsm.exe
Token: SeIncBasePriorityPrivilege	696	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
696	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3768	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	80
PID 4556 wrote to memory of 3768	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	80
PID 4556 wrote to memory of 3768	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	80
PID 3768 wrote to memory of 2736	3768	csc.exe	82
PID 3768 wrote to memory of 2736	3768	csc.exe	82
PID 3768 wrote to memory of 2736	3768	csc.exe	82
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83
PID 4556 wrote to memory of 696	4556	2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe	83

C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
"C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB088.tmp" "c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\CSCC63713C99A4F4447922FAF6A92FC7E3E.TMP"
    3⤵
    PID:2736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.dll

Filesize
24KB

MD5
e5faf873eba79493d5efb9850b69dffb

SHA1
184b0e2aa7638cb3110fc23f8cbee178bf50a79f

SHA256
97dc5d80a4ebdfe1bed23135d9ffe0c90cf474640310b043dea2810f26179cdc

SHA512
264d5d2d2f25f9387071db7ed0a1a2ffeb809ba3941d3aa602a838ee7f41dab4a75634261e98493a6ac1f245e147921dcc5c8b93c33edd9f47be18ab7cb3961c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.pdb

Filesize
83KB

MD5
764a7716cfb5194ada1150e8620e8bd8

SHA1
39e9120e827d2efbda1df3dc49ca1cddfbcadaa7

SHA256
8406cf6a7c368bfb39c92df618b290e669e4bce32a39b03e3bbdd9fe53a49c1e

SHA512
7b3795009e06d57e361d5bc19efc26aca1813f012b44a3bd39d87a42928c3d481be993fa078527bdf5f7cf7710c34ad521798cf607a86d2e703d2f1fda1e89a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB088.tmp

Filesize
1KB

MD5
6dfe601e918f1f1251edccb85d536f08

SHA1
bd4aceb9b57d0cf33092f2f726d7b21cd7d24f01

SHA256
10e5cd9631a6ba1d8f24dd6ecae94d0eaac63ea91a2bac01b55cb47da1320efc

SHA512
11eb158ed3e10847b98af936b2d7bce4eca388b993261ddf3bd426947916032c66d8a2315759d850af54a3d9b626a3a94f241801a539721746b076690b31cb25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.0.cs

Filesize
62KB

MD5
e5dd8220d0289c5c42153bb8a88f21b5

SHA1
0a370af3c4ddc1b4be1d5e0b748850b82dfd0c6c

SHA256
f4ef08fc01a3936434d6e4475f40f2e81b168e26827117da560e6f169e5754fc

SHA512
630d78780ef789d587a91d98c081dc257efe9dd1514d905f9fae5cff2c0e59fa5227d15567088ae41c5f4ac7f06bb61c899f9eeac4085926e619a97ce3adb956

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.cmdline

Filesize
312B

MD5
70ec0cdc336ae9e0cd6e0336757ddcce

SHA1
6edf58dd732a65825b50c28ab46fa161bf33b80e

SHA256
154fb756c00ce5f61f2359412630180221f8ee404b1e612d6da70df8a8f593a8

SHA512
4a845d1ef6fed4eeede246db743bb82e9474a82bfec1ffd50f1663a0d8a7c7cba125e3a50131151c53ae213c4e1dbe70ddd4755c3b4ba088986e056787c516a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\CSCC63713C99A4F4447922FAF6A92FC7E3E.TMP

Filesize
1KB

MD5
df86a0e9dcbb5289eb56082c6c40631a

SHA1
fbf1979a0c5cea215e30903d02ef90bbccf9a46a

SHA256
e96f7c57790e644c417b8d47b5e6a157e486c1dbaf57cca8231891183d403144

SHA512
ff382b1c639c604f50af9eaa07ccfa92eb2b3090755f1b28010e496a991d80da34d41318e0def0773f73afb460a8d9c3c916c4ea182e9648127437ece25e772e

Download Submit
memory/696-142-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/696-143-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/696-144-0x0000000074F00000-0x00000000754B1000-memory.dmp

Filesize
5.7MB

Download
memory/4556-130-0x00000000004E0000-0x00000000005EE000-memory.dmp

Filesize
1.1MB

Download
memory/4556-139-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/4556-140-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing