imminent | fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166

General

Target

fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
Size

581KB
MD5

c9283cb3c8902a8d255b8f2d76af829d
SHA1

053f6c1e2aeafe9cfdfb557f1c4842a3ed081c2c
SHA256

fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166
SHA512

ea7fc4962e8ee54756a419a76b446ac3f435ec15380407cd24b0c1f436b33eb88b39df5b8b05174d112065d7e99ee4e800f870b50f0733aaf8e026669e356993

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmngKW.url	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4748 set thread context of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	RegAsm.exe
File created	C:\Windows\assembly\Desktop.ini	RegAsm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4344	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
Token: SeDebugPrivilege	4344	RegAsm.exe
Token: 33	4344	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4344	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4344	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2792	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	81
PID 4748 wrote to memory of 2792	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	81
PID 4748 wrote to memory of 2792	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	81
PID 2792 wrote to memory of 8	2792	csc.exe	82
PID 2792 wrote to memory of 8	2792	csc.exe	82
PID 2792 wrote to memory of 8	2792	csc.exe	82
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83
PID 4748 wrote to memory of 4344	4748	fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe	83

C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
"C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA899.tmp" "c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\CSCBD9CAE4EF6974FF995B73BED73503DE1.TMP"
    3⤵
    PID:8
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA899.tmp

Filesize
1KB

MD5
58c5cd3c025efb963296aa6da575c406

SHA1
9bd5413e4083b685da2aace4f562ef54f962b704

SHA256
027ba769f9534e33163fa7caf9d2f99e1f05232d393f30d52faa97537a261b6b

SHA512
0a48613aa55447b2695e076e2ea839c3c8b58e15dc709995d4b18fa9eb2b7749c623193a0b85bdbdc776fe907959e90fc9e1c65b845ed7faeca72d8a90c92832

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.dll

Filesize
6KB

MD5
5121a927bdd7857c784e9320f48e1b76

SHA1
989747fd05cf258e6dc5f94c8de9096bdfe2f7ac

SHA256
4504ff9fff39c38fa932942178c53dd2993ac07909610f524d5825d1c4319fc8

SHA512
acd54585d32e2ccba3778ba868febb36bc0bad7e678f6025ff0f066f6715054d2fbd94993fece04ae62f544cf8923f1c16c25af6396687a714e3925f0f6c0ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.pdb

Filesize
15KB

MD5
b0c73dca6da5a99867abf6cf6279d7af

SHA1
cbc0849c5ac69f2cb7148ea70fb6671449bf04f1

SHA256
721d9bb7329a250fbda7ddbe3e29ec152a072d2b4b7bb2c15aad67d130839953

SHA512
e849a298d3b821de7e8a04fc742cf2b791031635ba543b8637ef4c237a495283cb6e9dae7a919a923158da2e0b0f25415378cc545f37562c6061801a63802ca6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\CSCBD9CAE4EF6974FF995B73BED73503DE1.TMP

Filesize
1KB

MD5
b14d667d2d299d1deb387e01c9debebe

SHA1
0346633a3c303f5c9d363020ea9f74a3d59cfeaf

SHA256
9e138652790477a014bdd38ff01f4a7564a59882a44c2e2ca4d21fcbad7b464e

SHA512
8f1d2c60cc32c48067e457440f3bedcd59b2aa640c2c1df265fdd46c21181ccb82439b345de082868c96b17d8404f88a6a0c6234210e6d36432d5ed37e007f29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.0.cs

Filesize
2KB

MD5
32b3f85274e58a135f05ad9e7a5d1b12

SHA1
0f02c0515184c5c36cfbb7e774e292694be65ca6

SHA256
1d9dbef86bdf14eca6deba25603e64b211596a97cb3597968a0b21ffebb4cea7

SHA512
4eefbbf2ce9563b50eafef878c155546b572578ef85f3bd7fc419b4553d84f407879e52876deef4f5b7e8390fffc514594a31d481e5ea2352c0c3c3784ee36ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.cmdline

Filesize
312B

MD5
8c92ced3c1eae4c3c083e9cd29dade68

SHA1
559bce0823362565e9f3b308752b2932d130e39f

SHA256
84b30407b2f03559384ad2db7502edd8f7ea28ad95e2ecad064e1c85d27347b2

SHA512
5644813126bd3ca32d4a9db8447fcf7007fe22c843384b668526c15bd2b8605295212f3567c50e4a0a35928a025def14944a203463a8a8605ad1e37e811fa943

Download Submit
memory/4344-142-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4344-143-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-144-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4748-130-0x0000000000DF0000-0x0000000000E88000-memory.dmp

Filesize
608KB

Download
memory/4748-139-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/4748-140-0x0000000005DE0000-0x0000000005E7C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing