imminent | 644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c

General

Target

644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
Size

1.0MB
MD5

bf41f994a287a74be5fa1b9bbef61e25
SHA1

6dad025caf3ab68aeba93b079356eeb9edc36d16
SHA256

644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c
SHA512

ccc28c30cb0cc380aecf6067b66312e423341dd46112652b69137dd333f4683dfa779c2509e97f7c39a61f5e7ee647ff04016407e5a98a3738b5cf2c6d946294

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
3428	csrsss.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrsss.exe.lnk	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	csrsss.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	csrsss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	csrsss.exe
File created	C:\Windows\assembly\Desktop.ini	csrsss.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	csrsss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4508	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3428	csrsss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
Token: SeDebugPrivilege	3428	csrsss.exe
Token: 33	3428	csrsss.exe
Token: SeIncBasePriorityPrivilege	3428	csrsss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3428	csrsss.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1612	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	82
PID 2912 wrote to memory of 1612	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	82
PID 2912 wrote to memory of 1612	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	82
PID 1612 wrote to memory of 1272	1612	cmd.exe	84
PID 1612 wrote to memory of 1272	1612	cmd.exe	84
PID 1612 wrote to memory of 1272	1612	cmd.exe	84
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 3428	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	85
PID 2912 wrote to memory of 4536	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	86
PID 2912 wrote to memory of 4536	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	86
PID 2912 wrote to memory of 4536	2912	644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe	86
PID 4536 wrote to memory of 4508	4536	cmd.exe	88
PID 4536 wrote to memory of 4508	4536	cmd.exe	88
PID 4536 wrote to memory of 4508	4536	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe
"C:\Users\Admin\AppData\Local\Temp\644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.lnk " /f
    3⤵
    PID:1272
- C:\Users\Admin\AppData\Local\Temp\csrsss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrsss.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe

Filesize
1.0MB

MD5
bf41f994a287a74be5fa1b9bbef61e25

SHA1
6dad025caf3ab68aeba93b079356eeb9edc36d16

SHA256
644f92c3109e62bd989145af1f0879ef3b3fccc28f98d443a71bf8c52d46709c

SHA512
ccc28c30cb0cc380aecf6067b66312e423341dd46112652b69137dd333f4683dfa779c2509e97f7c39a61f5e7ee647ff04016407e5a98a3738b5cf2c6d946294

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\csrsss.exe.bat

Filesize
208B

MD5
f20919d9be671888ac2a4d7a0c3aa4ae

SHA1
1a1c34123521d4c7ad2a45508eee464020dbf1bb

SHA256
fd14bcdf0e40636dfbdcecf19d26c5177f4bd8ac28e2a16930b9e0c6e31de43b

SHA512
38c4e8665c5e37556ba6463a9abcda6922aff537796adaccfd9a0bb6c716776bdf38c2873ecdfb91260d012089e7aa44715ee660873dc901593054498e926343

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrsss.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrsss.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/2912-130-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2912-142-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/2912-143-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3428-141-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/3428-144-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing