imminent | 4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03

General

Target

4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe
Size

580KB
MD5

012e9426b4cbd911d4583df40eab3593
SHA1

af0c41120b3ed28bc12973f4a8e8c7d276c01eaf
SHA256

4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03
SHA512

6eb7f402de96fee21932afc851f6d3e2bc399c5587a53408094b365354d5f249b01c146b28fceb176ae4cabe97ccd6c56e13afb203c4817d67cf9f923d0bf497

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0DB82ByQ0pziwKZX.url	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe
1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe
Token: SeDebugPrivilege	1076	RegAsm.exe
Token: 33	1076	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1076	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1076	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1656	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	27
PID 1984 wrote to memory of 1656	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	27
PID 1984 wrote to memory of 1656	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	27
PID 1984 wrote to memory of 1656	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	27
PID 1656 wrote to memory of 1992	1656	csc.exe	29
PID 1656 wrote to memory of 1992	1656	csc.exe	29
PID 1656 wrote to memory of 1992	1656	csc.exe	29
PID 1656 wrote to memory of 1992	1656	csc.exe	29
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30
PID 1984 wrote to memory of 1076	1984	4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe	30

C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe
"C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES742.tmp" "c:\Users\Admin\AppData\Local\Temp\tzkowv1f\CSCDE2B2B7C0004B6CAD404ABCF1B62220.TMP"
    3⤵
    PID:1992
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES742.tmp

Filesize
1KB

MD5
a6af4e9a031bafda292420009402c39e

SHA1
74987a0c431f9fb8df42e8819602be6b1c60230e

SHA256
d938d638deb8d9787dc208771ae497aa94f771b75e4655bbc9229c3dae096e68

SHA512
0bb3d78505fbdeb75dc0cf209ca448d0deaeda4ed6b70bb828c468da3d150e573c81023b6e390b17421a9e9ad404a42ede7790b1944732cb214791eb69f8997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.dll

Filesize
26KB

MD5
44e03ce028184f9ba401c8c41476b0b7

SHA1
108ffb4a5a642207ca55972d175b8fc3098aff26

SHA256
7b9b1cf4a1628f585ef9b44c095dcbde755d20adf0b4515552f79cc56f084bf6

SHA512
9c57526bf61255df84a105022022190e719d69d032f3949b9f2a9803ef681bdc14b20dd5b9430bccaa16008947865b9ccae8b9bafa287d736d31a01417f114a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.pdb

Filesize
85KB

MD5
b89b4b064b9704e75c4e431cba392992

SHA1
fae04ba057bcf974a3052af22114e7f7cec7dc41

SHA256
6d734a4a0586c8e2faf84703575b9d73b7a5f87194a5f5561335151b2a85b330

SHA512
b0a0dda064fda369a597cb2c2b2bbe9e022fe493ab7ba536d6d88f1e2553614e726f4972510ff6525c2cc9fcc822246ec87070b69ec8a8f0856fa5f3276cd827

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tzkowv1f\CSCDE2B2B7C0004B6CAD404ABCF1B62220.TMP

Filesize
1KB

MD5
119971468fe9cd06134d515e6b90765b

SHA1
039b9a7ebc9ab2b753aca2db4efa6d52a36da751

SHA256
985aa8a1294e911cd348e314e35047f3fe9564eca0604cc6a5e164c9bdd48af4

SHA512
e3f224cc59f8736c865eb7ec9e98cc9c666253a7ad8c53d715b816db753ef5afa8f5ba04d1ce6bf159555cc6efd5794fcc7c99650f56ce391521c75193524e5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.0.cs

Filesize
66KB

MD5
71289ce85c9cfbc682ad511b3157cec9

SHA1
95d05e2e86a8ced7499cddeed3cffbe37d33984f

SHA256
4f3ff6432aca7a4756312fe5f83d764901ccfac75efa56164f8152e22fb84f03

SHA512
9d427d2d34f54cdd30537e170444fa3883b56a4cf396716bd000a24fa4737be5945f646d78cd450336a9ed8c0cdb44a105814c46fc0f9886c675dcc244a2a79a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.cmdline

Filesize
248B

MD5
0fd5291a9dde47988a867fcde2348d30

SHA1
9353392d949a060563dc65294d560e9a91ed9473

SHA256
0698668d90bb9e559b1d23f0b83f75fcf9430c1f55809fc91e4883dec7b2d50d

SHA512
52c62f0df81079125d973c7f13add04acd1ef439bbaf92fa23556880e5c72a61f37d5eeed36d5da6e46eb196b3f04195f47fb929fb746e6e85c0d29fc586e1b1

Download Submit
memory/1076-75-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1076-80-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-79-0x0000000074A50000-0x0000000074FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1076-78-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1076-77-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1076-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1076-68-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1076-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1076-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1076-67-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1984-66-0x0000000004F00000-0x0000000004F56000-memory.dmp

Filesize
344KB

Download
memory/1984-54-0x0000000001330000-0x00000000013C8000-memory.dmp

Filesize
608KB

Download
memory/1984-65-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1984-64-0x0000000004CA0000-0x0000000004D00000-memory.dmp

Filesize
384KB

Download
memory/1984-63-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing