imminent | 431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57

General

Target

431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe
Size

1.8MB
MD5

2cf781524cfc2de65a27fa5304d1db0f
SHA1

57177f7fd21c51aaf2cbcc96ac9e1f6f00cf5a65
SHA256

431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57
SHA512

50f2d0aebf1bbec70dcd6c13b894353c4f9946ac9afa7c5bd3996ce733f6f3d632e3d66cad782c008e2e5fce1e679dd35b76ed9701aaa5b3236122461ad010e6

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Deletes itself 1 IoCs

pid	Process
1120	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1524	timeout.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1908	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	RegAsm.exe
Token: 33	1908	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1908	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe
1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe
1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe
1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe
1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1908	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1908	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	27
PID 1980 wrote to memory of 1120	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	28
PID 1980 wrote to memory of 1120	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	28
PID 1980 wrote to memory of 1120	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	28
PID 1980 wrote to memory of 1120	1980	431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe	28
PID 1120 wrote to memory of 1524	1120	cmd.exe	30
PID 1120 wrote to memory of 1524	1120	cmd.exe	30
PID 1120 wrote to memory of 1524	1120	cmd.exe	30
PID 1120 wrote to memory of 1524	1120	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe
"C:\Users\Admin\AppData\Local\Temp\431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\431e42ed4df4f2ead4a87745376e92ac9b7ea51d08be4a5eefe151d1e9f25b57.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\timeout.exe
    TimeOut 1
    3⤵
    - Delays execution with timeout.exe
    PID:1524

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-59-0x0000000073760000-0x0000000073D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-60-0x0000000073760000-0x0000000073D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-61-0x0000000073760000-0x0000000073D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-54-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing