imminent | 2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf

General

Target

2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
Size

425KB
MD5

ea513c4f1a235934efec22e2053deab9
SHA1

e3d202be06fcbae34909092f6a154637d38ca3db
SHA256

2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf
SHA512

3465db0765d508e11c127aa5d3c83040fa4a466bc8f2ad037be72c00e5fe5ec32b16a540c8b69f375cd81ddf4245ae900160e405bb06fa5a798a243595d507cf

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNJoej.url	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
Token: SeDebugPrivilege	1800	RegAsm.exe
Token: 33	1800	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1800	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1800	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 240	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	27
PID 1824 wrote to memory of 240	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	27
PID 1824 wrote to memory of 240	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	27
PID 1824 wrote to memory of 240	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	27
PID 240 wrote to memory of 1448	240	csc.exe	29
PID 240 wrote to memory of 1448	240	csc.exe	29
PID 240 wrote to memory of 1448	240	csc.exe	29
PID 240 wrote to memory of 1448	240	csc.exe	29
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30
PID 1824 wrote to memory of 1800	1824	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	30

C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B8E.tmp" "c:\Users\Admin\AppData\Local\Temp\vvva0ea1\CSC9F5718CA42034171B9F4D49D7895F38.TMP"
    3⤵
    PID:1448
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B8E.tmp

Filesize
1KB

MD5
55147fb7a02b13b50a7e2142c20c9617

SHA1
75d0e2d02c1760ec634204f3f209f8d343d12c11

SHA256
71582d70c2e49ad51324db2e6b20c17fde2cd0eb55748f1595736c640244f5f5

SHA512
5c48514296e71176b5bfa0df31579d4a2162bc258434dfda73992261f23bc52522349a1a355978ebb847cc70685637ab18be051282204048f075c74fc6ebecac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.dll

Filesize
12KB

MD5
71742fe1bdae7ee1f7fea0c4f72b347d

SHA1
54586f8e61112cc377e58747c6e589e52be2fa26

SHA256
45f9efce9e6473d3d0314ba423e1b3ed1d605aac6625362d7eb60d4b164dcd23

SHA512
c89b3eacd86f25089151bfb2926c92e046478e020b8fdef0665c4d263de2d949bad2ab3fde74811a87b1a1797338011d3c602123568a531b6012c4653bb2d0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.pdb

Filesize
39KB

MD5
cd666f98f05f6097d4f229f6b14aa248

SHA1
5ba6f88795a8f7b625343663e847c045c0b1cdd0

SHA256
67c4484b242b3c2862f2bf93d7df99eb6ac5644c7a991333451bde96f53f077b

SHA512
60ab6b8cf04937828ced6c80a7c2dbfdd492cda4aae0217a347ddcce5325bca716390efd5cc780076e3f1acf6ac34637c63d39522d706fa4166cdfd2d1ecad03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vvva0ea1\CSC9F5718CA42034171B9F4D49D7895F38.TMP

Filesize
1KB

MD5
2718c1067c3d9d3528faecb9c875f444

SHA1
ec9d3e5dc5c221980a16da4e2481dc55a0a5159a

SHA256
e1455997bf636f2f30149d9636dad9c70a940816366cacea0d138a8bf42624ab

SHA512
e12b8499af77490d5305b74d16d14b968d4dddf9e9738d3e59d2f2efbbef7cc23a6fe1b4bf2e7911a0ebf74d6266623dc62bc872ecdb38c5e73fb23dbb87fabd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.0.cs

Filesize
18KB

MD5
69dd8526926b988e8767808fc897b5ad

SHA1
cb336d7210fa47e4fa87f304c6148474aecbf8c1

SHA256
9e8ed9bb70322a0c886abf87320a9a2fb1c460d94b8a97983ddfe55ba79e5e67

SHA512
53bdcffe1e934189842d1c02238e115cfff5e090306a0f65f8c0b3cd593323f68bb990c2710cf8b23db91d47591da09887c0287212a3f29261d992ed80c0ee12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.cmdline

Filesize
312B

MD5
aa158ce0a397868f1ac2743fa3a4684f

SHA1
58494a8a44eebe51d8eaf7e8bbe3a383c7730c56

SHA256
c6e9692ff0324746ff2773311ff85bd8e63eadbd7bf47f591c26f1ebb1e3b4f9

SHA512
bd81b744313e7c1053c2e2e68424227cddd486e2a19ecea80101cdaeaffc3d74b3bb72e9c1f7334ee94125c02fb036958d0ff2bc509b5653f2a31c1892f27131

Download Submit
memory/1800-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-81-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-80-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-68-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1824-66-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1824-54-0x0000000000B70000-0x0000000000BE0000-memory.dmp

Filesize
448KB

Download
memory/1824-67-0x0000000004EA0000-0x0000000004EF6000-memory.dmp

Filesize
344KB

Download
memory/1824-63-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1824-65-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1824-64-0x00000000041C0000-0x0000000004220000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing