imminent | 30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2

Analysis

max time kernel
178s
max time network
99s
platform
windows7_x64
resource
win7-20220414-en
submitted
21/06/2022, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
Size

624KB
MD5

26addb13f9096b2571b9b33c7fab01f3
SHA1

6b5586ff7d6918a26b8df8e69b1b53a6cbde1234
SHA256

30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2
SHA512

294fc6c142d8b587bbd712e26c5b903ffab00f18900908489668a6ebdd752dcf11e2166dc5ed7b400d7b7a5aa0ac2e3ca58333daa0fd28763e4aab78aabeaa6c

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YOdFDv.url	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe

Loads dropped DLL 4 IoCs

pid	Process
1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
Token: SeDebugPrivilege	1084	RegAsm.exe
Token: 33	1084	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1084	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1084	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 956	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	28
PID 1304 wrote to memory of 956	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	28
PID 1304 wrote to memory of 956	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	28
PID 1304 wrote to memory of 956	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	28
PID 956 wrote to memory of 1644	956	csc.exe	30
PID 956 wrote to memory of 1644	956	csc.exe	30
PID 956 wrote to memory of 1644	956	csc.exe	30
PID 956 wrote to memory of 1644	956	csc.exe	30
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31
PID 1304 wrote to memory of 1084	1304	30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe	31

C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe
"C:\Users\Admin\AppData\Local\Temp\30ec5198eb3e9f6736a94237737b59f710041b1d37d3dd1e0cdeabaa110536d2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE966.tmp" "c:\Users\Admin\AppData\Local\Temp\kva1bd13\CSCEBA40E1F713E4A9D89EF6587A57E490.TMP"
    3⤵
    PID:1644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE966.tmp

Filesize
1KB

MD5
c4fd28ef44119065453a187f613f9276

SHA1
9224bc5f3e0d811bcca3d2cfdb7e0adb8272aeb4

SHA256
ce543aff17ee9bbb5e3af12c3fda818039e47185e19ec2aa0a8bd5c2bd837b01

SHA512
2e2404ac31bfc5ffb8a14846167f0aa08e45b5d45ad8c6fcdcf352849afdedb053eee651912759a0c1125c9586aef4c743458869bbb607a7f0781c64f473a8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.exe

Filesize
24KB

MD5
568dfc9b6581abb3d27816660b48f5b3

SHA1
d8cf8cd34274f4af8429cd24a6ed03a3679d2145

SHA256
70f5b327a8aada53b151d57e9e07197681ee0dca0b82d8e1d48e6428b8b1c7ec

SHA512
2749cca5f502050d716b8d9968ff59bb3de2204d94ea4f295556afe7e4ae6da50a8ea3fa255a6559016657cde3a0cc8ba4aa670306843920a04517b746d8bfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.pdb

Filesize
81KB

MD5
cc2723a3d2fe86e467ef563d8d97fb69

SHA1
13f5aeb4fda28abbce1ff26a1910f75abba4ad64

SHA256
48ecafce1be22e16d8d5e9062aab28744bca75fb44a5b7da84e4c004c30b74d7

SHA512
403f7b9957e532ae3c24578e35f42fbd5d9db4fde39453a884290c62f54bf29fe12d370e0247d91b1a37a14a6b5958b5f65955187ae68950963b830cab40ce65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kva1bd13\CSCEBA40E1F713E4A9D89EF6587A57E490.TMP

Filesize
1KB

MD5
8e9b75a79ff36c421d8cc8ceff3472cc

SHA1
c6157bfc576f91a7127fd2b931e387f673880b13

SHA256
9a089f65b9e4c8e584a43d0ecdf46252af95bbd32e454d1f8b6c684f14e7e947

SHA512
0b57b05eda9e04083a948e74ad8bc4adfb2cad1df25fa5cb4c5ed28b21835a1490a47bedf9b851d2d969925c6d766ace8b35100ba021b5c9f510b37f58da4586

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.0.cs

Filesize
65KB

MD5
a0ab466f52a7447731f3f571e33dc5ce

SHA1
46e43682762604835718e4e46b0c8abd4f392900

SHA256
3584ca8e05e6280835c93957caf7c752b9f7b3e8ec7317eeaa82f2bc7853b470

SHA512
e9a467aadfe45a56a0665a91ff27fc81b6dae2999cc02eb29381e62fd613022bc02de3baf4b5469046913897b3f8f56d2084053fadf46f353c5f1370326a7a99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.cmdline

Filesize
299B

MD5
98ab2ff479af65b55aaa8b0ddbad8f6c

SHA1
7ba29c7e46f2c6dd72aa6114d6e904889f3367f2

SHA256
2b1dd606b230cf3a2b145337b254ed5702af4837c8eb94cf6172f5bdaf12227f

SHA512
407e57532739052cc068f4498493d81f674090ff4aaeae7971bb23e0a86bf8c2dd61dfa14f8204df0ef0c8753086b8dcd9b727f3449583b23d18cdd9d930be11

Download Submit
\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.exe

Filesize
24KB

MD5
568dfc9b6581abb3d27816660b48f5b3

SHA1
d8cf8cd34274f4af8429cd24a6ed03a3679d2145

SHA256
70f5b327a8aada53b151d57e9e07197681ee0dca0b82d8e1d48e6428b8b1c7ec

SHA512
2749cca5f502050d716b8d9968ff59bb3de2204d94ea4f295556afe7e4ae6da50a8ea3fa255a6559016657cde3a0cc8ba4aa670306843920a04517b746d8bfc3

Download Submit
\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.exe

Filesize
24KB

MD5
568dfc9b6581abb3d27816660b48f5b3

SHA1
d8cf8cd34274f4af8429cd24a6ed03a3679d2145

SHA256
70f5b327a8aada53b151d57e9e07197681ee0dca0b82d8e1d48e6428b8b1c7ec

SHA512
2749cca5f502050d716b8d9968ff59bb3de2204d94ea4f295556afe7e4ae6da50a8ea3fa255a6559016657cde3a0cc8ba4aa670306843920a04517b746d8bfc3

Download Submit
\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.exe

Filesize
24KB

MD5
568dfc9b6581abb3d27816660b48f5b3

SHA1
d8cf8cd34274f4af8429cd24a6ed03a3679d2145

SHA256
70f5b327a8aada53b151d57e9e07197681ee0dca0b82d8e1d48e6428b8b1c7ec

SHA512
2749cca5f502050d716b8d9968ff59bb3de2204d94ea4f295556afe7e4ae6da50a8ea3fa255a6559016657cde3a0cc8ba4aa670306843920a04517b746d8bfc3

Download Submit
\Users\Admin\AppData\Local\Temp\kva1bd13\kva1bd13.exe

Filesize
24KB

MD5
568dfc9b6581abb3d27816660b48f5b3

SHA1
d8cf8cd34274f4af8429cd24a6ed03a3679d2145

SHA256
70f5b327a8aada53b151d57e9e07197681ee0dca0b82d8e1d48e6428b8b1c7ec

SHA512
2749cca5f502050d716b8d9968ff59bb3de2204d94ea4f295556afe7e4ae6da50a8ea3fa255a6559016657cde3a0cc8ba4aa670306843920a04517b746d8bfc3

Download Submit
memory/1084-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1084-86-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-85-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-83-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1084-81-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1084-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1084-77-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1084-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1084-74-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1304-54-0x0000000001050000-0x00000000010F4000-memory.dmp

Filesize
656KB

Download
memory/1304-72-0x0000000004D20000-0x0000000004D76000-memory.dmp

Filesize
344KB

Download
memory/1304-71-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/1304-65-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1304-70-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/1304-69-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1304-68-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download