imminent | 2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf

General

Target

2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
Size

425KB
MD5

ea513c4f1a235934efec22e2053deab9
SHA1

e3d202be06fcbae34909092f6a154637d38ca3db
SHA256

2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf
SHA512

3465db0765d508e11c127aa5d3c83040fa4a466bc8f2ad037be72c00e5fe5ec32b16a540c8b69f375cd81ddf4245ae900160e405bb06fa5a798a243595d507cf

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNJoej.url	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4092	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
Token: SeDebugPrivilege	4092	RegAsm.exe
Token: 33	4092	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4092	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4092	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4520	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	79
PID 4596 wrote to memory of 4520	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	79
PID 4596 wrote to memory of 4520	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	79
PID 4520 wrote to memory of 3412	4520	csc.exe	81
PID 4520 wrote to memory of 3412	4520	csc.exe	81
PID 4520 wrote to memory of 3412	4520	csc.exe	81
PID 4596 wrote to memory of 2252	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	82
PID 4596 wrote to memory of 2252	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	82
PID 4596 wrote to memory of 2252	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	82
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83
PID 4596 wrote to memory of 4092	4596	2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe	83

C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6556.tmp" "c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\CSCDD4ED26E253E4288A6FCDC2D874C429.TMP"
    3⤵
    PID:3412
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6556.tmp

Filesize
1KB

MD5
6de5ff8cfe90ef8e9b3fe404450e6157

SHA1
2be191d869cb778c69ecdf97193ef186912d4571

SHA256
ec45a392a42de4edd87c664368eb50ff916249c9495565d6df2e8b504aaa7f10

SHA512
ee00452a5823308b634a2b02144f47ee96bd1dd7a75829ee1617db0ba5aec9db6efadc9afb53ff6f4dc583cd376c427d39f5dd4f7a1a8b1eaab499e7b8b62d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.dll

Filesize
12KB

MD5
4b87584cc52bb8d9ee7323aefcef5568

SHA1
5ae7112e89093b96e4e69682411d4ce0e079c399

SHA256
d2caf200696a99f5870248c4d331d4106d86e7a87def9d71cd7dfaa02c859252

SHA512
ea4d5c043922adea28d4cc9178fabec2f438245555db02858475dd726ea0d9de3a8c617750899a2f76cbf721b5f6e36770bda9f8309396f37f0a8c00da4f46bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.pdb

Filesize
39KB

MD5
69f8be3a4fb01a7db00a5a03eb8d0326

SHA1
e9383224ddd3e920935e81a7dfc55adb893b698a

SHA256
1c853c29f74827098b61e498b8acbfebe61dec52d95b80429d1401b5256aa6cc

SHA512
2cd04c785f482ede1ccb585a49b1aeaed794b729220b9210d1167bb5ef65b6121f277027cc15bfefe1befd91088cb8a775cedde5b7be449a59c9e83220c096e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\CSCDD4ED26E253E4288A6FCDC2D874C429.TMP

Filesize
1KB

MD5
22905d3b248cce6603ce0e27330ec7bb

SHA1
345f43b9164e1f104c0c1e06ccd65c9242c46872

SHA256
8942d9317f4c45401215e1c848c8832b5ca02b5e35b34f67eb53e9e34761c04f

SHA512
0e09936185fa45f14ed9f4f70a56b8854c62dbf68f9ff10476af846a5cffc90abcc84e7c4e3b7e9bef91455bfb19cbc255f57b16741db9ef6a2b077293decdda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.0.cs

Filesize
18KB

MD5
69dd8526926b988e8767808fc897b5ad

SHA1
cb336d7210fa47e4fa87f304c6148474aecbf8c1

SHA256
9e8ed9bb70322a0c886abf87320a9a2fb1c460d94b8a97983ddfe55ba79e5e67

SHA512
53bdcffe1e934189842d1c02238e115cfff5e090306a0f65f8c0b3cd593323f68bb990c2710cf8b23db91d47591da09887c0287212a3f29261d992ed80c0ee12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.cmdline

Filesize
312B

MD5
cca11bad5e20d0f747e16a7acbbf9a1d

SHA1
344a4d56af2078bcf1c8b5dfe7142ce9eda37f33

SHA256
b516688ed08911187be55a0658bd79a5976e4fb71b96683d827655196c8134f9

SHA512
9ec56170be571df70fbd9b9a109555b87de8c112d2151b07c419a32dfa65f28d391b087fca3417b60c0cb0da056bd202a8d485e86c8eabc442c38142f239f9cd

Download Submit
memory/4092-143-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4092-144-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/4092-145-0x0000000074AE0000-0x0000000075091000-memory.dmp

Filesize
5.7MB

Download
memory/4596-130-0x0000000000860000-0x00000000008D0000-memory.dmp

Filesize
448KB

Download
memory/4596-139-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/4596-140-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing