imminent | 56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d

General

Target

56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe
Size

677KB
MD5

a424ac35a02c4ac8e5632ecd3cde19ea
SHA1

607e38eacc8b6594292dbb21adf5ea01c8d7f2c5
SHA256

56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d
SHA512

ca1f5097624eb26d84a33b128fd387a9ce620f0b736002c4ae7ee6da981f110eed687dc5f191f0be2647f82c079b74728a7891b4f3f7eaa69fecd70eab54c79c

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bWHCtA.url	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe
1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
944	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe
Token: SeDebugPrivilege	944	RegAsm.exe
Token: 33	944	RegAsm.exe
Token: SeIncBasePriorityPrivilege	944	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
944	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1712	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	28
PID 1000 wrote to memory of 1712	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	28
PID 1000 wrote to memory of 1712	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	28
PID 1000 wrote to memory of 1712	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	28
PID 1712 wrote to memory of 2004	1712	csc.exe	30
PID 1712 wrote to memory of 2004	1712	csc.exe	30
PID 1712 wrote to memory of 2004	1712	csc.exe	30
PID 1712 wrote to memory of 2004	1712	csc.exe	30
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31
PID 1000 wrote to memory of 944	1000	56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe	31

C:\Users\Admin\AppData\Local\Temp\56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe
"C:\Users\Admin\AppData\Local\Temp\56effa221e16c85780a61c9cdfa3eb035778263647daf4a6d22cac864fc4e83d.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\br3u52uv\br3u52uv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BBA.tmp" "c:\Users\Admin\AppData\Local\Temp\br3u52uv\CSC449E4ECF4A5A428693753DF176ACDA9A.TMP"
    3⤵
    PID:2004
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:944

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3BBA.tmp

Filesize
1KB

MD5
ebd2f13360a5b434958bda5c7aa9ff8d

SHA1
4567a57b9db39ae0b77f92eb6d13a71d73e409f4

SHA256
25a48d887353c110e324124893c0656ccf248f3c8bc32aa82c3936991d4e06ef

SHA512
f62e55b5d89802f26ca347fc75e18b13830930f91cceb3ca2b1b09647853fde280262e61b283bcb01a135f5a4a1758ab991be319d9c7b8e512700b272780dfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\br3u52uv\br3u52uv.dll

Filesize
9KB

MD5
b9ef68ccb3259a53eec8c0861d27576a

SHA1
d9b9bbbc90c7331ba765d760b22f59b6046de1ce

SHA256
b2716befbda9d080242793abc49be5b621a78b79f54de8c6b3832071df975cd6

SHA512
26108d9116b278de9f843cfb051158b503250e4bccc5e3500a4186b3d65952949925e5c4f81de3043701e948aba607d171d64e2f186a8abac7dc43fb0defe2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\br3u52uv\br3u52uv.pdb

Filesize
29KB

MD5
c68e3ba45685efca89b293ab7ad4e631

SHA1
8f3a989d731d0a2496e6b5da1e9fb9f3c91b8bef

SHA256
8a1a3a6bfea26f30c50d5d63f528491d0f52ed18d8760fbf139aa205a54a8020

SHA512
f433eeefae89de688f1ce8765c21b2ed7c80d7941cd8353db34daa8dd2afffd13859f1adbe0c45f7e5922bc157b5578414165e8227f2a94bae61a4f17bc6fc8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\br3u52uv\CSC449E4ECF4A5A428693753DF176ACDA9A.TMP

Filesize
1KB

MD5
7a56113d232f32bfd75a37730ad6eb7e

SHA1
12e214b45cf875298a07d9b416d711c0e8d9599e

SHA256
23e410cd79c4f1d9697bde779d9a70679a905c7d98f76d511d77dd26effe4279

SHA512
1a311c9cf788a8f3e9bca7872d26292eae4e37d36641ba001c5317bf29bdf435dc899fe3b6acff9627627d2e1399d11fd2a4133741c98b461b6e8273bede375e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\br3u52uv\br3u52uv.0.cs

Filesize
9KB

MD5
73dc8dc8fe28e85ba8fbdd932b7aa200

SHA1
50d893f49d27c91fcf2a2c8f015dde9db6426d14

SHA256
d48a58e104f6396aa1608d7f189e56232971ab3a457ef56a3271aad5ab2bacb0

SHA512
6947afe1d13b306e77b1fe8d85fb632bd34f9bbb5e94f4c00d89e9753c785b02ff95e0a051063194e7d04268f4ee14428c38902e1b639bd94fc5ef8ecd743d85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\br3u52uv\br3u52uv.cmdline

Filesize
312B

MD5
c817a1590f6a16efd87949ce58b2e422

SHA1
92efba3c57052b5cc291f647422e8b1d6a859d6f

SHA256
134c6023bc008cc32c7f85513add865543651599bcfbd4e81cc036a489dfa087

SHA512
10dd6e16e587322bfba755198d886d6d5df23ef610696fd4a32c6ae4de3bc37fa546e08e1f4941df62b9969e0e3c86c54415b1ddb5746ab3d4b52ef4e5167cf6

Download Submit
memory/944-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/944-81-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/944-80-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/944-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/944-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/944-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/944-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/944-68-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/944-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1000-67-0x0000000000E10000-0x0000000000E66000-memory.dmp

Filesize
344KB

Download
memory/1000-66-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1000-54-0x00000000011E0000-0x0000000001278000-memory.dmp

Filesize
608KB

Download
memory/1000-65-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1000-64-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1000-63-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing