imminent | a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527

Analysis

max time kernel
153s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe
Size

637KB
MD5

67fd53e8953d5264d89f8eee5f9ddbe0
SHA1

62ff361cb76e08ddbaf035144cc049239e17e222
SHA256

a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527
SHA512

85a697bf454d69c5d997199a3ab11637a3da20ed20e62bddff5a692f9bc73feacce7a1c054815977f6c796f8a38d6010f9a983757677fce2401c2c82e3030d5f
SSDEEP

12288:fW4QErB/6dhOb+nnWT/uGbW85rrPuuUH5Y22LlQ5DXfsJP:+/ErB+NnWruGS8Vrmp5Y22E0J

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 3 IoCs

pid	Process
1388	notepad.exe
1588	RoamingRealmPlayer.exe
1032	notepad.exe

Loads dropped DLL 2 IoCs

pid	Process
1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe
1388	notepad.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1012 set thread context of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1388 set thread context of 1032	1388	notepad.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1032	notepad.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe
Token: SeDebugPrivilege	1388	notepad.exe
Token: SeDebugPrivilege	1032	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1032	notepad.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1012 wrote to memory of 1388	1012	a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe	28
PID 1388 wrote to memory of 1588	1388	notepad.exe	29
PID 1388 wrote to memory of 1588	1388	notepad.exe	29
PID 1388 wrote to memory of 1588	1388	notepad.exe	29
PID 1388 wrote to memory of 1588	1388	notepad.exe	29
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1388 wrote to memory of 1032	1388	notepad.exe	30
PID 1588 wrote to memory of 1416	1588	RoamingRealmPlayer.exe	31
PID 1588 wrote to memory of 1416	1588	RoamingRealmPlayer.exe	31
PID 1588 wrote to memory of 1416	1588	RoamingRealmPlayer.exe	31

C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe
"C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\temp\notepad.exe
  C:\Windows\temp\notepad.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\RoamingRealmPlayer.exe
    "C:\Users\Admin\AppData\RoamingRealmPlayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 412
      4⤵
      PID:1416
- - C:\Windows\temp\notepad.exe
    "C:\Windows\temp\notepad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\RoamingRealmPlayer.exe

Filesize
31KB

MD5
7a607550e6bcafcf6024216d4a12162c

SHA1
849336bc7b847fd35311a921eaa5eb7b7e051542

SHA256
5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb

SHA512
f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4

Download Submit
C:\Users\Admin\AppData\RoamingRealmPlayer.exe

Filesize
31KB

MD5
7a607550e6bcafcf6024216d4a12162c

SHA1
849336bc7b847fd35311a921eaa5eb7b7e051542

SHA256
5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb

SHA512
f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4

Download Submit
C:\Windows\Temp\notepad.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Windows\Temp\notepad.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Windows\temp\notepad.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\RoamingRealmPlayer.exe

Filesize
31KB

MD5
7a607550e6bcafcf6024216d4a12162c

SHA1
849336bc7b847fd35311a921eaa5eb7b7e051542

SHA256
5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb

SHA512
f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4

Download Submit
\Windows\Temp\notepad.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/1012-118-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-110-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1012-70-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-93-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-117-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-112-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-109-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-107-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-106-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-77-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-79-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-104-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-101-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-87-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-90-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-92-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-91-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-100-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-95-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-94-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-98-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1388-57-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1388-65-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1388-60-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1388-61-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1388-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1388-59-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1388-111-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-67-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1388-71-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1416-116-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1588-114-0x000007FEF2DF0000-0x000007FEF3E86000-memory.dmp

Filesize
16.6MB

Download
memory/1588-113-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download