imminent | 34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4

General

Target

34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
Size

854KB
MD5

f5081dc1115e74ceee116f089cfe8b96
SHA1

36085d6cf0ef3cc3f24f8efe4ee7286f28a0d28c
SHA256

34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4
SHA512

776c0a4c34ef55a316309547fcfdd93910f381ae7be3bdddb82247f3255f2430fd07faf143bdb02e1db8f7112b7bcd265c6a2f5fd4abd8bced46e3171527adb0

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcQMAw.url	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 964 set thread context of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
Token: SeDebugPrivilege	744	RegAsm.exe
Token: 33	744	RegAsm.exe
Token: SeIncBasePriorityPrivilege	744	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
744	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 2004	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	28
PID 964 wrote to memory of 2004	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	28
PID 964 wrote to memory of 2004	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	28
PID 964 wrote to memory of 2004	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	28
PID 2004 wrote to memory of 2036	2004	csc.exe	30
PID 2004 wrote to memory of 2036	2004	csc.exe	30
PID 2004 wrote to memory of 2036	2004	csc.exe	30
PID 2004 wrote to memory of 2036	2004	csc.exe	30
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31
PID 964 wrote to memory of 744	964	34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe	31

C:\Users\Admin\AppData\Local\Temp\34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe
"C:\Users\Admin\AppData\Local\Temp\34fac25089c3b96f743705ffdd7ed3ef5213915c4fdaefa8a0cb5c984a3525c4.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3jbiw1y\f3jbiw1y.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES951F.tmp" "c:\Users\Admin\AppData\Local\Temp\f3jbiw1y\CSCBEF9B7841F654C6E9C7759B3FBFF2A2B.TMP"
    3⤵
    PID:2036
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES951F.tmp

Filesize
1KB

MD5
7e7e4c5d7d7d527896d9802536c465b4

SHA1
378534883b5323269cb80d6372c4330a0aedd615

SHA256
6757a861fa0b57455fbd561e7a9bbc9ea07f6ec9522c9d084388470e0e597dbb

SHA512
0f4aa85dd68e67cba2e2c207048bca5051fc74480a64ceb0c225a9e6c6b156669a4cae7d3e00388b7b4d21510e4656ad5233906e4ce08405d2603080f812fdc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3jbiw1y\f3jbiw1y.dll

Filesize
12KB

MD5
a575ea6aab41e342f71b43ce945335d7

SHA1
8a93b803fdc7406d4b22a6f37bcd4186a79027e9

SHA256
603509c4f9bd4df3aca4e1853eca4b2196e7b48019a371e1de44b6843d7931ea

SHA512
f963f882f43b9b209441fba62a2b42dc541fbc5b9444b464469be11eb6873473429560657196932b946ed181789d1344fcfacfcb17242e96c4c84a8cb10ff297

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3jbiw1y\f3jbiw1y.pdb

Filesize
39KB

MD5
6921bb0f97f211dfcf7e88e12c576caf

SHA1
bf5fd529bc899703d70c60d29179a2d80f24cc86

SHA256
d0cc58443c13ce5922f80c835662aae1097552d91630f5ee149fa123f3d9534d

SHA512
d90943e9fcf4fce04a0a15db81665071ea1b78bc1851181e15ffe69d71e497654bfc44bb49f10e79d11b990fb9032f8922f8aab906be730d6c0cb6b8dd90666d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f3jbiw1y\CSCBEF9B7841F654C6E9C7759B3FBFF2A2B.TMP

Filesize
1KB

MD5
f6a5cff5bfb08db67bf3655fc91effd0

SHA1
a451bf8f937f7392f0a53998d7020308d049b13a

SHA256
b71ade6d9a772c33de64b7fc24ba4277cb865c7a022d6ef45da733c309fb268f

SHA512
e23fa8b5cb4dda7d38ff51cde63338783c89b184544de6d3730ac9d29a3c781d4540acdf8898684f9a6eff579f0e5870912a7a253f7ddeda7c7041fff649c1d6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f3jbiw1y\f3jbiw1y.0.cs

Filesize
18KB

MD5
096b1fa2af5a25c5b40610fe88219eb6

SHA1
fdc4272a990a72444bbb381af8bab487968f49b0

SHA256
a3cca5c4decede9d932aa43a21462c42fb3983af12aa6cf3c253fe47e44018bd

SHA512
ae7204895b5ead2b96b0fe9fb67bc25adf7ca3c421d9a5c9ae2fb3276078b6f4110e9fac919416e96c037fff8143916a3c7f1fc981b8e4584e5a6794f0e92793

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f3jbiw1y\f3jbiw1y.cmdline

Filesize
312B

MD5
5e2b454c6f97873ec3bce00ab9a450d5

SHA1
1631467a4faf1c0057d98fad2a056bc27ae9091f

SHA256
5584155d42c553f61d666761a74501c9fe3c55162676f5a4a1d64d679dee8319

SHA512
2d94cfc92afd29197b5e56ef625f90f140d7b57e5c411ae154a853b07492c2af29a37930dd03c957897f1887d7404312c564de31b6b9010e369d9716f77363f5

Download Submit
memory/744-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/744-81-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/744-80-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/744-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/744-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/744-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/744-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/744-68-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/744-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/964-67-0x00000000048D0000-0x0000000004926000-memory.dmp

Filesize
344KB

Download
memory/964-66-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/964-54-0x0000000001120000-0x00000000011FC000-memory.dmp

Filesize
880KB

Download
memory/964-65-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/964-64-0x00000000010A0000-0x0000000001100000-memory.dmp

Filesize
384KB

Download
memory/964-63-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing