imminent | 40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960

General

Target

40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe
Size

396KB
MD5

d57936bcb77083154b0d281737e75cb0
SHA1

76d098c9868bae3185d7422aa31404b33d964fbe
SHA256

40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960
SHA512

77e76694dc968ccb4f7c84f68623478dfee1de72e1b33dbd09b2924ab619c50ea28b5e371c56a7991eb1f7163754d4699e0d2d9aeddcc154550bf56e9bced557

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNkTXF.url	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe
1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4388	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe
Token: SeDebugPrivilege	4388	RegAsm.exe
Token: 33	4388	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4388	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4388	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2172	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	82
PID 1272 wrote to memory of 2172	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	82
PID 1272 wrote to memory of 2172	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	82
PID 2172 wrote to memory of 2600	2172	csc.exe	84
PID 2172 wrote to memory of 2600	2172	csc.exe	84
PID 2172 wrote to memory of 2600	2172	csc.exe	84
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85
PID 1272 wrote to memory of 4388	1272	40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe	85

C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe
"C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76D6.tmp" "c:\Users\Admin\AppData\Local\Temp\j2gpao2o\CSC738E3168490D4CBF8A67465E693F2E2.TMP"
    3⤵
    PID:2600
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES76D6.tmp

Filesize
1KB

MD5
707e74575731c8e99181d3b0757906ed

SHA1
3b7392a69d6c2332985ff2f24ce3485646566ab7

SHA256
b9c0560a84fc73da6ef4f6c7310b61b610550a9f45077672b0710e07e89f3a01

SHA512
761943e9dbe63ac98ce2d96da9725295e7e4e2487df36d1a278cb2a333a7b1c08f33b4e52443372d61c9901b07125471dff58f31128f0f9847c4749c9645ea58

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.dll

Filesize
7KB

MD5
b07cbed381421051e55ad3c0bd69b00c

SHA1
872ff262f3804918c5c112c5b7c092d1646410b6

SHA256
175dc95340e01ffd45e144513371919967c38ba5754cd17be5566dff628be3ab

SHA512
b0460052015df2309f828e895654747ab98de8ee7ea9ed514fbf65e7737fdec4c905043b6fc20e057b85712ef6a004f772129eff3a0e9e57541880d5ae413ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.pdb

Filesize
23KB

MD5
5b00a4913e9597a0bc4a8487188f489f

SHA1
2db83388f23d26c863c8173b2534ca4fadc50205

SHA256
4ac253952526cd8306bad2ca373f5956e3e2abd9164c453497cb008b85944a90

SHA512
ed91f3df8edb7cac8feaff0aec3ac7afe8393c8b85881cb87efc94ba27e353ab67c9733f57ea2d29a1565030d2199e2125e56d0e10482a5b6212098b59ea49f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\CSC738E3168490D4CBF8A67465E693F2E2.TMP

Filesize
1KB

MD5
e2e0dcb03a7a70ead5b0445b17758de5

SHA1
b15a6ea45fab58ade725c69cf60f4d3ad80f2595

SHA256
dc2a0fa158f0eb10b831be34537cc98fcb0969c9e2e18ca65e391367b331e261

SHA512
9cace4381ac90daf0647aaece7125c2db70660b2f3463437c516ffad8d640bc582df8afc1fbfe98b5aa254e3e71a199b81a92caff3fd2987206323493c762925

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.0.cs

Filesize
6KB

MD5
e33624188c3ee62dcff268d6a4da727a

SHA1
b4852044413774311dd91df1b3477b054ca18403

SHA256
ef0fb70ee3f15f43a0a8bbc4cdf8d0fccf944cb0f98287d03b163a18e591fd64

SHA512
643b3ab3fdb29f61bfe53ccc68511af33cf624d4cc32b9db39fce39e990d299f36c9b27d35fa73bc39c4285605aec09c0a71432293b4dfcc5779a729f9d0dea2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.cmdline

Filesize
312B

MD5
d59465ad12157f44fff9ce8d9f61c8c3

SHA1
101bbac90b8edc268e71eaf2ae6bbe250da16abc

SHA256
19220ab762d7271e19192bbc385aed1b848cbe7d74d6a0ddd3b9b01ef059c6b4

SHA512
b9ea4f8d7ea5ae982c163345ee9c803391a9c565e99cf2bc91acaac7a3a550b8cc05d457985d69e537be5a25e6a6bd2f2a2bd522672844367afe117b6c1e2149

Download Submit
memory/1272-130-0x0000000000C70000-0x0000000000CD8000-memory.dmp

Filesize
416KB

Download
memory/1272-139-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/1272-140-0x0000000005D90000-0x0000000005E2C000-memory.dmp

Filesize
624KB

Download
memory/4388-142-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4388-143-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4388-144-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing