imminent | fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166

General

Target

fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
Size

581KB
MD5

c9283cb3c8902a8d255b8f2d76af829d
SHA1

053f6c1e2aeafe9cfdfb557f1c4842a3ed081c2c
SHA256

fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166
SHA512

ea7fc4962e8ee54756a419a76b446ac3f435ec15380407cd24b0c1f436b33eb88b39df5b8b05174d112065d7e99ee4e800f870b50f0733aaf8e026669e356993

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmngKW.url	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1988	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
Token: SeDebugPrivilege	1988	RegAsm.exe
Token: 33	1988	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1988	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1988	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1088	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	27
PID 900 wrote to memory of 1088	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	27
PID 900 wrote to memory of 1088	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	27
PID 900 wrote to memory of 1088	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	27
PID 1088 wrote to memory of 1168	1088	csc.exe	29
PID 1088 wrote to memory of 1168	1088	csc.exe	29
PID 1088 wrote to memory of 1168	1088	csc.exe	29
PID 1088 wrote to memory of 1168	1088	csc.exe	29
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30
PID 900 wrote to memory of 1988	900	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	30

C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
"C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF651.tmp" "c:\Users\Admin\AppData\Local\Temp\413kvgzq\CSC471E65CC69604E858F2FD6E97C96CB1.TMP"
    3⤵
    PID:1168
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.dll

Filesize
6KB

MD5
805efbc16049ec5d68605054b13826cb

SHA1
9301f24fa5f98ab20091b9ec903416c6d651c9c1

SHA256
c640abebcd15f01fa4c16dec14c437d330cb8a7e1fa1ab731c498f759701f88b

SHA512
4a808c45865672aae8f5351847dd4e78940fc558d3f33b52022d6ba57ace6017f2c25bdd7d66a9a6f680095f3b92209c6fc76cefb2b09ee4b4fbff4728febc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.pdb

Filesize
15KB

MD5
9f44fb71e5ac93dbf5ca113147ceab67

SHA1
177a68ec092f6d81f4b04b62857089f22dfc6cc0

SHA256
64708b6ea425691a26868deb50b2ab5329fcb7b52a5837c33b2510a993b7ef4b

SHA512
c6f12275de7664e6bf48a6631291f191c95830a053ca77bebf03141eed410b753daa92dbe6fabda7c546e93168d9a2cf8e5432e5cf055f63fa8638106001399a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF651.tmp

Filesize
1KB

MD5
1b251f786fa4591b36b76fa2f0ec2c33

SHA1
cda6ada0102b336e002da34466116cbc00708be9

SHA256
164eb71a3434180eab490b2c109c02fd1fae795264ef37954768ab3afd17c76d

SHA512
b73c6ad7ea5022d979840ed5d64f2dad39fd0d3441e455b8f546bc7607effd9dd36abccffc01a363dcbf226851c80351a403ed1a75a171a6a0d34cef06af3dab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.0.cs

Filesize
2KB

MD5
32b3f85274e58a135f05ad9e7a5d1b12

SHA1
0f02c0515184c5c36cfbb7e774e292694be65ca6

SHA256
1d9dbef86bdf14eca6deba25603e64b211596a97cb3597968a0b21ffebb4cea7

SHA512
4eefbbf2ce9563b50eafef878c155546b572578ef85f3bd7fc419b4553d84f407879e52876deef4f5b7e8390fffc514594a31d481e5ea2352c0c3c3784ee36ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.cmdline

Filesize
312B

MD5
e13913f1d8440bf700466c932d078648

SHA1
8fd723573053b0bddc7cf2e3cbfc32556f12b996

SHA256
b392032c4c45691b306d701030455314937183fdc61375fbd7980c7ca3051d60

SHA512
8c3e6dc20e046fc80fcb02f3e0e9134f59c38d6f83e1e4ff5d7d89bf8f8a7ec6f9cf235e1e0a14abe3bc5c52873e26d94ca8b7564740251b22d07562afda77f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\413kvgzq\CSC471E65CC69604E858F2FD6E97C96CB1.TMP

Filesize
1KB

MD5
fe7d3838b29b4122d69db1fc3b4654a6

SHA1
618f12469bf29808bfb6e15d537ad49d0e9b64b8

SHA256
449e56025ad0250e1617e1f004a2abdd96c4c07c608908c3560748a2c8922d5e

SHA512
64312f8a2f1b0730376964ea1e14276c80ec12fd22d1334e9ba6781c085a2a36d84bb68138f2d41bb86974957a3aa7d594137795d6dcc144f16decd2b96f25f0

Download Submit
memory/900-65-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/900-63-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/900-64-0x0000000004620000-0x0000000004680000-memory.dmp

Filesize
384KB

Download
memory/900-66-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download
memory/900-54-0x0000000000B10000-0x0000000000BA8000-memory.dmp

Filesize
608KB

Download
memory/900-67-0x0000000004A60000-0x0000000004AB6000-memory.dmp

Filesize
344KB

Download
memory/1988-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1988-68-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1988-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1988-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1988-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1988-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1988-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1988-80-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-81-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing