imminent | 35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b

General

Target

35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
Size

523KB
MD5

41a3e0dd6ab0f5f9539fb73d240c0a2d
SHA1

adfc196561eedc3ae9eb93a0a804934e5d971a05
SHA256

35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b
SHA512

c103ddcfabd7bd01537a34ef9766485fb7d47af183e20f5e87b54420a100626b13cd65b83c2d07abf76ae2df1813c200b4547e61ba6956134a232680a3a6cda6

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1108	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
Token: 33	1300	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
Token: SeIncBasePriorityPrivilege	1300	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1300	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1108	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	27
PID 1972 wrote to memory of 1108	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	27
PID 1972 wrote to memory of 1108	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	27
PID 1972 wrote to memory of 1108	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	27
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29
PID 1972 wrote to memory of 1300	1972	35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe	29

C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbRezOawnhi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe
  "C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1300

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp

Filesize
1KB

MD5
2566e055b3f059478c39cd0c52aa3ea0

SHA1
2a4a4a40197c1fc22c23152350e502a483b7ba7e

SHA256
fc7c29184c63bb28aff0cae3ee27280e90eabdcd8d49aa669a65660f3252d6eb

SHA512
cd689165e2f58d571d16c7f3f2c44bdcf0819b779d07649b5cd08afa48a63b229759e5f01c1f4b4e81cf907c286b30845caeabdef7a3c9a065aaa36ea34d1d87

Download Submit
memory/1300-63-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1300-78-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-59-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1300-60-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1300-62-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1300-77-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-74-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1300-66-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1300-67-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1300-71-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1972-56-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-76-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads