imminent | 4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95

Analysis

max time kernel
165s
max time network
222s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-07-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
Size

387KB
MD5

4b66d7bf224196da8a0a5eeb040e1a0d
SHA1

0e149b61f868b3561f495eca8a9754705a1b132e
SHA256

4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95
SHA512

ed9c4027971a6abccf5d3e1286e858a3da33741328097d92bc650c7272b6e929c3b08fdb4a07d1bf3b8b6e15c56a12d7b6994e1102517e453ebf27ba2aa5c79a

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
944	tmp.exe
1980	svhost.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
1388	dw20.exe
1388	dw20.exe
1388	dw20.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1572	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Update\Updater.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
944	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
Token: SeDebugPrivilege	944	tmp.exe
Token: 33	944	tmp.exe
Token: SeIncBasePriorityPrivilege	944	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
944	tmp.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1712	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	28
PID 2032 wrote to memory of 1712	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	28
PID 2032 wrote to memory of 1712	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	28
PID 2032 wrote to memory of 1712	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	28
PID 1712 wrote to memory of 1288	1712	cmd.exe	30
PID 1712 wrote to memory of 1288	1712	cmd.exe	30
PID 1712 wrote to memory of 1288	1712	cmd.exe	30
PID 1712 wrote to memory of 1288	1712	cmd.exe	30
PID 2032 wrote to memory of 944	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	31
PID 2032 wrote to memory of 944	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	31
PID 2032 wrote to memory of 944	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	31
PID 2032 wrote to memory of 944	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	31
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1980	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	32
PID 2032 wrote to memory of 1780	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	34
PID 2032 wrote to memory of 1780	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	34
PID 2032 wrote to memory of 1780	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	34
PID 2032 wrote to memory of 1780	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	34
PID 2032 wrote to memory of 1780	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	34
PID 2032 wrote to memory of 1780	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	34
PID 2032 wrote to memory of 1780	2032	4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe	34
PID 1980 wrote to memory of 1388	1980	svhost.exe	33
PID 1980 wrote to memory of 1388	1980	svhost.exe	33
PID 1980 wrote to memory of 1388	1980	svhost.exe	33
PID 1980 wrote to memory of 1388	1980	svhost.exe	33
PID 1780 wrote to memory of 1572	1780	cmd.exe	36
PID 1780 wrote to memory of 1572	1780	cmd.exe	36
PID 1780 wrote to memory of 1572	1780	cmd.exe	36
PID 1780 wrote to memory of 1572	1780	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe
"C:\Users\Admin\AppData\Local\Temp\4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Update\Updater.exe.lnk" /f
    3⤵
    PID:1288
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 392
    3⤵
    - Loads dropped DLL
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Update\Updater.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 180
    3⤵
    - Delays execution with timeout.exe
    PID:1572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Update\Updater.exe

Filesize
387KB

MD5
4b66d7bf224196da8a0a5eeb040e1a0d

SHA1
0e149b61f868b3561f495eca8a9754705a1b132e

SHA256
4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95

SHA512
ed9c4027971a6abccf5d3e1286e858a3da33741328097d92bc650c7272b6e929c3b08fdb4a07d1bf3b8b6e15c56a12d7b6994e1102517e453ebf27ba2aa5c79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update\Updater.exe.bat

Filesize
194B

MD5
e9aa18d65a46c29f541659d8c50ffb69

SHA1
1c96de6414501b277396e128525f4db5bde1eaef

SHA256
c8bbc82d2aaf9b0506d83a4b41b3acc6ab9a77fee1706544569e179f21b3b2a9

SHA512
8418b43c5086913c1989d7b7881d8ec7479c3572f4fef2676530b2f43a5184edbeea5536b91c50480bf6b748e70eeb7a71d7551583db2e785492493d62299afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
322KB

MD5
7d596e849f4a2fa6478d4d3f5dc83e13

SHA1
02c7f54a7b10f3aeb0c4582ffa6b3eb357827b87

SHA256
f7ab67cef3dc598a937745b18685591096a95c076555598d69f0a8c4975f0064

SHA512
b0dbd754a2e837ef2f9098a48b61861575e96393ad2ced90e70052007267046f068c9ffb5fb3c645cd28e5fb3d66c7c3eee6bf8324035b402b13d51f49cfeee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
322KB

MD5
7d596e849f4a2fa6478d4d3f5dc83e13

SHA1
02c7f54a7b10f3aeb0c4582ffa6b3eb357827b87

SHA256
f7ab67cef3dc598a937745b18685591096a95c076555598d69f0a8c4975f0064

SHA512
b0dbd754a2e837ef2f9098a48b61861575e96393ad2ced90e70052007267046f068c9ffb5fb3c645cd28e5fb3d66c7c3eee6bf8324035b402b13d51f49cfeee3

Download Submit
\Users\Admin\AppData\Local\Temp\Update\Updater.exe

Filesize
387KB

MD5
4b66d7bf224196da8a0a5eeb040e1a0d

SHA1
0e149b61f868b3561f495eca8a9754705a1b132e

SHA256
4a7aaa4411e687109a080a9a5f9f0909d8ef9d21418d2102cb80973df4d39d95

SHA512
ed9c4027971a6abccf5d3e1286e858a3da33741328097d92bc650c7272b6e929c3b08fdb4a07d1bf3b8b6e15c56a12d7b6994e1102517e453ebf27ba2aa5c79a

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
322KB

MD5
7d596e849f4a2fa6478d4d3f5dc83e13

SHA1
02c7f54a7b10f3aeb0c4582ffa6b3eb357827b87

SHA256
f7ab67cef3dc598a937745b18685591096a95c076555598d69f0a8c4975f0064

SHA512
b0dbd754a2e837ef2f9098a48b61861575e96393ad2ced90e70052007267046f068c9ffb5fb3c645cd28e5fb3d66c7c3eee6bf8324035b402b13d51f49cfeee3

Download Submit
memory/944-90-0x0000000004C80000-0x0000000004D2E000-memory.dmp

Filesize
696KB

Download
memory/944-89-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/944-86-0x0000000001260000-0x00000000012B6000-memory.dmp

Filesize
344KB

Download
memory/944-91-0x0000000000570000-0x0000000000598000-memory.dmp

Filesize
160KB

Download
memory/944-96-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/1980-68-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1980-95-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1980-74-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1980-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1980-79-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-66-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1980-65-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1980-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2032-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/2032-94-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-93-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-55-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download