imminent | 644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c

General

Target

644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
Size

1.0MB
MD5

bf41f994a287a74be5fa1b9bbef61e25
SHA1

6dad025caf3ab68aeba93b079356eeb9edc36d16
SHA256

644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c
SHA512

ccc28c30cb0cc380aecf6067b66312e423341dd46112652b69137dd333f4683dfa779c2509e97f7c39a61f5e7ee647ff04016407e5a98a3738b5cf2c6d946294

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1168	csrsss.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsss.exe.lnk	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe

Loads dropped DLL 1 IoCs

pid	Process
1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1460	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1168	csrsss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
Token: SeDebugPrivilege	1168	csrsss.exe
Token: 33	1168	csrsss.exe
Token: SeIncBasePriorityPrivilege	1168	csrsss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1168	csrsss.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1288	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	28
PID 1912 wrote to memory of 1288	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	28
PID 1912 wrote to memory of 1288	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	28
PID 1912 wrote to memory of 1288	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	28
PID 1288 wrote to memory of 1376	1288	cmd.exe	30
PID 1288 wrote to memory of 1376	1288	cmd.exe	30
PID 1288 wrote to memory of 1376	1288	cmd.exe	30
PID 1288 wrote to memory of 1376	1288	cmd.exe	30
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1168	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	31
PID 1912 wrote to memory of 1708	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	32
PID 1912 wrote to memory of 1708	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	32
PID 1912 wrote to memory of 1708	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	32
PID 1912 wrote to memory of 1708	1912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	32
PID 1708 wrote to memory of 1460	1708	cmd.exe	34
PID 1708 wrote to memory of 1460	1708	cmd.exe	34
PID 1708 wrote to memory of 1460	1708	cmd.exe	34
PID 1708 wrote to memory of 1460	1708	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
"C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.lnk " /f
    3⤵
    PID:1376
- C:\Users\Admin\AppData\Local\Temp\csrsss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrsss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe

Filesize
1.0MB

MD5
bf41f994a287a74be5fa1b9bbef61e25

SHA1
6dad025caf3ab68aeba93b079356eeb9edc36d16

SHA256
644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c

SHA512
ccc28c30cb0cc380aecf6067b66312e423341dd46112652b69137dd333f4683dfa779c2509e97f7c39a61f5e7ee647ff04016407e5a98a3738b5cf2c6d946294

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat

Filesize
208B

MD5
f20919d9be671888ac2a4d7a0c3aa4ae

SHA1
1a1c34123521d4c7ad2a45508eee464020dbf1bb

SHA256
fd14bcdf0e40636dfbdcecf19d26c5177f4bd8ac28e2a16930b9e0c6e31de43b

SHA512
38c4e8665c5e37556ba6463a9abcda6922aff537796adaccfd9a0bb6c716776bdf38c2873ecdfb91260d012089e7aa44715ee660873dc901593054498e926343

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrsss.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrsss.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\csrsss.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/1168-69-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1168-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1168-71-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1168-74-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1168-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1168-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1168-63-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1168-80-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1168-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1912-75-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-55-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-79-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing