imminent | fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MT1893878746.PDF.IMG.exe
Size

1.2MB
MD5

b7babb9f64a9ecd894d100ce02f132fe
SHA1

8fa93c638d331f51ec638655d82ec431fdae3f6a
SHA256

fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934
SHA512

8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743
SSDEEP

12288:4v+bQYpRi8N69+d0qKu3rXbSIVfqNZSM1fpJwNDxGVwef3G1oMfqzpcfu2E:bpRbi+d0qPVGZTFfLweO1oMSzpKE

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 3 IoCs

pid	Process
1928	mt1893878746.pdf.img.exe
2044	mt1893878746.pdf.img.exe
1360	mt1893878746.pdf.img.exe

Deletes itself 1 IoCs

pid	Process
1752	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1828	MT1893878746.PDF.IMG.exe
1828	MT1893878746.PDF.IMG.exe
1928	mt1893878746.pdf.img.exe
1928	mt1893878746.pdf.img.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 780 set thread context of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 1928 set thread context of 1360	1928	mt1893878746.pdf.img.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2032	schtasks.exe
1676	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
972	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
780	MT1893878746.PDF.IMG.exe
780	MT1893878746.PDF.IMG.exe
2008	powershell.exe
1928	mt1893878746.pdf.img.exe
1928	mt1893878746.pdf.img.exe
1620	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	MT1893878746.PDF.IMG.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1828	MT1893878746.PDF.IMG.exe
Token: SeDebugPrivilege	1928	mt1893878746.pdf.img.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1360	mt1893878746.pdf.img.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1360	mt1893878746.pdf.img.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2008	780	MT1893878746.PDF.IMG.exe	28
PID 780 wrote to memory of 2008	780	MT1893878746.PDF.IMG.exe	28
PID 780 wrote to memory of 2008	780	MT1893878746.PDF.IMG.exe	28
PID 780 wrote to memory of 2008	780	MT1893878746.PDF.IMG.exe	28
PID 780 wrote to memory of 2032	780	MT1893878746.PDF.IMG.exe	30
PID 780 wrote to memory of 2032	780	MT1893878746.PDF.IMG.exe	30
PID 780 wrote to memory of 2032	780	MT1893878746.PDF.IMG.exe	30
PID 780 wrote to memory of 2032	780	MT1893878746.PDF.IMG.exe	30
PID 780 wrote to memory of 1384	780	MT1893878746.PDF.IMG.exe	32
PID 780 wrote to memory of 1384	780	MT1893878746.PDF.IMG.exe	32
PID 780 wrote to memory of 1384	780	MT1893878746.PDF.IMG.exe	32
PID 780 wrote to memory of 1384	780	MT1893878746.PDF.IMG.exe	32
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 780 wrote to memory of 1828	780	MT1893878746.PDF.IMG.exe	33
PID 1828 wrote to memory of 1928	1828	MT1893878746.PDF.IMG.exe	34
PID 1828 wrote to memory of 1928	1828	MT1893878746.PDF.IMG.exe	34
PID 1828 wrote to memory of 1928	1828	MT1893878746.PDF.IMG.exe	34
PID 1828 wrote to memory of 1928	1828	MT1893878746.PDF.IMG.exe	34
PID 1828 wrote to memory of 1752	1828	MT1893878746.PDF.IMG.exe	35
PID 1828 wrote to memory of 1752	1828	MT1893878746.PDF.IMG.exe	35
PID 1828 wrote to memory of 1752	1828	MT1893878746.PDF.IMG.exe	35
PID 1828 wrote to memory of 1752	1828	MT1893878746.PDF.IMG.exe	35
PID 1752 wrote to memory of 972	1752	cmd.exe	37
PID 1752 wrote to memory of 972	1752	cmd.exe	37
PID 1752 wrote to memory of 972	1752	cmd.exe	37
PID 1752 wrote to memory of 972	1752	cmd.exe	37
PID 1928 wrote to memory of 1620	1928	mt1893878746.pdf.img.exe	38
PID 1928 wrote to memory of 1620	1928	mt1893878746.pdf.img.exe	38
PID 1928 wrote to memory of 1620	1928	mt1893878746.pdf.img.exe	38
PID 1928 wrote to memory of 1620	1928	mt1893878746.pdf.img.exe	38
PID 1928 wrote to memory of 1676	1928	mt1893878746.pdf.img.exe	40
PID 1928 wrote to memory of 1676	1928	mt1893878746.pdf.img.exe	40
PID 1928 wrote to memory of 1676	1928	mt1893878746.pdf.img.exe	40
PID 1928 wrote to memory of 1676	1928	mt1893878746.pdf.img.exe	40
PID 1928 wrote to memory of 2044	1928	mt1893878746.pdf.img.exe	42
PID 1928 wrote to memory of 2044	1928	mt1893878746.pdf.img.exe	42
PID 1928 wrote to memory of 2044	1928	mt1893878746.pdf.img.exe	42
PID 1928 wrote to memory of 2044	1928	mt1893878746.pdf.img.exe	42
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43
PID 1928 wrote to memory of 1360	1928	mt1893878746.pdf.img.exe	43

C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
"C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB53C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
  "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
  2⤵
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe
  "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
    "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dGKItyBaw.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1620
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dGKItyBaw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7ABC.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1676
  - - C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
      "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
      4⤵
      Executes dropped EXE
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe
      "C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\MT1893878746.PDF.IMG.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7ABC.tmp

Filesize
1KB

MD5
b48ac4d505d31c9e88a30ce62689bf95

SHA1
ba71a0dc27de38add8c5a048396eb40afd097789

SHA256
de07e956fceb5c4d5e342e464061850cf2362ff1e502f8bde61fa90ed5f95a53

SHA512
b8fa5b85014198a6c8f7026167dbd31880c788d2f743bd1f71a41bd4a25076dfa9e019fd0b40a52d32e3e668036b87bfac9ee8e92c1e0d20cd1f26de017bd75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB53C.tmp

Filesize
1KB

MD5
b48ac4d505d31c9e88a30ce62689bf95

SHA1
ba71a0dc27de38add8c5a048396eb40afd097789

SHA256
de07e956fceb5c4d5e342e464061850cf2362ff1e502f8bde61fa90ed5f95a53

SHA512
b8fa5b85014198a6c8f7026167dbd31880c788d2f743bd1f71a41bd4a25076dfa9e019fd0b40a52d32e3e668036b87bfac9ee8e92c1e0d20cd1f26de017bd75a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
12af4248e6dee809811282d00231fb2f

SHA1
a5837398bf295599c5c91f899fc095d6079e48ff

SHA256
b52c55d5a9497629f87973fc29e0e8af5acb02b5fdbcedf1d867fb3920ad6d69

SHA512
8a45dbd2e53d42b85b3f13ca5aa94f7765795fa432615030ac9228f34cea2eb17e26d50b18d4dbcfa12f06d5af89ad5b3fb6f49af4a109df3ae985cb52714426

Download Submit
\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
\Users\Admin\AppData\Local\Temp\mt1893878746.pdf.img\mt1893878746.pdf.img.exe

Filesize
1.2MB

MD5
b7babb9f64a9ecd894d100ce02f132fe

SHA1
8fa93c638d331f51ec638655d82ec431fdae3f6a

SHA256
fee7bc7eff7adf5192824e245be39b703275f67cc6be520fd8adf157ce221934

SHA512
8bc04fc8c754acef111aa8d68885293be136ba387a925facadf7a19c423c3cd94105eac3676669b7c280076321add5a4ae080db56be272cb28b933f06c307743

Download Submit
memory/780-58-0x0000000008010000-0x00000000080C6000-memory.dmp

Filesize
728KB

Download
memory/780-63-0x0000000005E20000-0x0000000005E80000-memory.dmp

Filesize
384KB

Download
memory/780-54-0x00000000008F0000-0x0000000000A1E000-memory.dmp

Filesize
1.2MB

Download
memory/780-57-0x00000000008B0000-0x00000000008BC000-memory.dmp

Filesize
48KB

Download
memory/780-56-0x0000000000860000-0x000000000087A000-memory.dmp

Filesize
104KB

Download
memory/780-55-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1360-152-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/1360-153-0x0000000000330000-0x0000000000346000-memory.dmp

Filesize
88KB

Download
memory/1620-150-0x00000000718A0000-0x0000000071E4B000-memory.dmp

Filesize
5.7MB

Download
memory/1828-69-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-79-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-88-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-91-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-93-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-94-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-64-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-83-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-65-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-82-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-67-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-87-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-75-0x00000000002F0000-0x0000000000318000-memory.dmp

Filesize
160KB

Download
memory/1828-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1828-68-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1928-105-0x00000000011F0000-0x000000000131E000-memory.dmp

Filesize
1.2MB

Download
memory/2008-108-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-97-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download