imminent | 4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c

General

Target

4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
Size

669KB
MD5

10349a36cbd8aa3a5f13b3a591432218
SHA1

236083b08295a9ecfbc43f5c603d752f6b9ed868
SHA256

4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c
SHA512

cc0a78ff92497f9546fa13ca509135d874c23f3843efa5050345c8f691062184bfb7931fda958731d675a77c96f271f2b25d0a603547decef403f987f673d4b3

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1928	svhost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.lnk	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe

Loads dropped DLL 1 IoCs

pid	Process
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1164 set thread context of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Windows\svchost.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
Token: SeDebugPrivilege	1928	svhost.exe
Token: 33	1928	svhost.exe
Token: SeIncBasePriorityPrivilege	1928	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1928	svhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1068	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	27
PID 1164 wrote to memory of 1068	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	27
PID 1164 wrote to memory of 1068	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	27
PID 1164 wrote to memory of 1068	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	27
PID 1068 wrote to memory of 1984	1068	cmd.exe	29
PID 1068 wrote to memory of 1984	1068	cmd.exe	29
PID 1068 wrote to memory of 1984	1068	cmd.exe	29
PID 1068 wrote to memory of 1984	1068	cmd.exe	29
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30
PID 1164 wrote to memory of 1928	1164	4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe	30

C:\Users\Admin\AppData\Local\Temp\4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe
"C:\Users\Admin\AppData\Local\Temp\4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Windows\svchost.exe.lnk" /f
    3⤵
    PID:1984
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows\svchost.exe

Filesize
669KB

MD5
10349a36cbd8aa3a5f13b3a591432218

SHA1
236083b08295a9ecfbc43f5c603d752f6b9ed868

SHA256
4584d37d138cbd2a0909c36485aa0ccd3b513a169aee5a486d7210a84f62f36c

SHA512
cc0a78ff92497f9546fa13ca509135d874c23f3843efa5050345c8f691062184bfb7931fda958731d675a77c96f271f2b25d0a603547decef403f987f673d4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
memory/1164-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1164-55-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-56-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1164-76-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-65-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-64-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-66-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-61-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1928-75-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-77-0x0000000074B90000-0x000000007513B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing