imminent | f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724

General

Target

f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe
Size

3.8MB
MD5

6de25756f2fa6198480b69594c7abec7
SHA1

21e99a9e96a23999584e6a11289a5b625231e249
SHA256

f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724
SHA512

b257c7cef887bb22ead07abfed562ecae4145b53123910a231eedad5a78035cd2606f753fe507d9a6f3c24363852833906eda93e8bc88e365879c7ae1c1b110c
SSDEEP

98304:QbY+W1mwQyEWxzhersAVkPOhHqobKQV+bY0:jf1gy3hzAKPCKo7P

Score

10^/10

imminent spyware trojan upx

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
592	CSGOHacksUndetected.com.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/948-66-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/948-65-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/948-67-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/948-70-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/948-71-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/948-87-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe
1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 set thread context of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe
1896	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe
Token: SeDebugPrivilege	1896	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
948	Cvtres.exe
1896	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 592	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	26
PID 1404 wrote to memory of 592	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	26
PID 1404 wrote to memory of 592	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	26
PID 1404 wrote to memory of 592	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	26
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 948	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	27
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28
PID 1404 wrote to memory of 1896	1404	f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe	28

C:\Users\Admin\AppData\Local\Temp\f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe
"C:\Users\Admin\AppData\Local\Temp\f784e6c5a6a6f034a51bd4d069752bd569e016a1d0a5fdbde8546ede0d4c7724.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Roaming\CSGOHacksUndetected.com.exe
  "C:\Users\Admin\AppData\Roaming\CSGOHacksUndetected.com.exe"
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\Cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\Cvtres.exe" -C:\Users\Admin\AppData\Roaming\K9FwLiiV\Glrznz6.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:948
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CSGOHacksUndetected.com.exe

Filesize
3.5MB

MD5
02a099a444619eb6558fcd96d878862f

SHA1
1dc352f1b8ae1f5b989dcf6c1075f118bd5f522a

SHA256
58b1641ca1162df5227ed816cae76515a0ec37fb17d02a81df92fe65a203129a

SHA512
a3929e85e77fa935a75365c459554c2fc8e456d98fa8959b6a615933e876a10adcab2b3a7143b97175b78e9a583f7d125b07fd1e65a5d824de2bb800692175e2

Download Submit
C:\Users\Admin\AppData\Roaming\CSGOHacksUndetected.com.exe

Filesize
3.5MB

MD5
02a099a444619eb6558fcd96d878862f

SHA1
1dc352f1b8ae1f5b989dcf6c1075f118bd5f522a

SHA256
58b1641ca1162df5227ed816cae76515a0ec37fb17d02a81df92fe65a203129a

SHA512
a3929e85e77fa935a75365c459554c2fc8e456d98fa8959b6a615933e876a10adcab2b3a7143b97175b78e9a583f7d125b07fd1e65a5d824de2bb800692175e2

Download Submit
\Users\Admin\AppData\Roaming\CSGOHacksUndetected.com.exe

Filesize
3.5MB

MD5
02a099a444619eb6558fcd96d878862f

SHA1
1dc352f1b8ae1f5b989dcf6c1075f118bd5f522a

SHA256
58b1641ca1162df5227ed816cae76515a0ec37fb17d02a81df92fe65a203129a

SHA512
a3929e85e77fa935a75365c459554c2fc8e456d98fa8959b6a615933e876a10adcab2b3a7143b97175b78e9a583f7d125b07fd1e65a5d824de2bb800692175e2

Download Submit
\Users\Admin\AppData\Roaming\CSGOHacksUndetected.com.exe

Filesize
3.5MB

MD5
02a099a444619eb6558fcd96d878862f

SHA1
1dc352f1b8ae1f5b989dcf6c1075f118bd5f522a

SHA256
58b1641ca1162df5227ed816cae76515a0ec37fb17d02a81df92fe65a203129a

SHA512
a3929e85e77fa935a75365c459554c2fc8e456d98fa8959b6a615933e876a10adcab2b3a7143b97175b78e9a583f7d125b07fd1e65a5d824de2bb800692175e2

Download Submit
memory/592-90-0x0000000000B07000-0x0000000000B26000-memory.dmp

Filesize
124KB

Download
memory/592-92-0x0000000000B07000-0x0000000000B26000-memory.dmp

Filesize
124KB

Download
memory/592-91-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/592-62-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

Filesize
10.1MB

Download
memory/592-63-0x000007FEF2370000-0x000007FEF3406000-memory.dmp

Filesize
16.6MB

Download
memory/948-65-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/948-64-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/948-67-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/948-70-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/948-71-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/948-66-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/948-87-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1404-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1404-55-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1404-56-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-78-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1896-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1896-83-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1896-77-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1896-88-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-89-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-74-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1896-76-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1896-73-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing