imminent | b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8

General

Target

b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe
Size

272KB
MD5

3995e647a475af3c4462c39fc6ba8c40
SHA1

37c1a1ffc5b21162bc21654a8fd07a8509713d83
SHA256

b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8
SHA512

612ecf1f3cbe57ccc635fe84603408509104b2644227db2d1d2a0f394c014f015b1d2195b34251568a2024e4f10634ebd18fd0d368b7112cf736549733ea934c
SSDEEP

6144:BP6l7zVEWFobaO8p4yiJ2zJBvjOZRyjfdeENBRvFctlRS:BQ6GRKkrVdpNBRvFII

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
728	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Loads dropped DLL 2 IoCs

pid	Process
1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe
1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZZFJSKDF826148 = "\\ZZHFGD867\\svchost.exe"	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZZFJSKDF826148 = "C:\\Users\\Admin\\AppData\\Local\\ZZHFGD867\\svchost.exe"	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
520	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
728	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe
Token: SeDebugPrivilege	728	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
728	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 728	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	28
PID 1756 wrote to memory of 728	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	28
PID 1756 wrote to memory of 728	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	28
PID 1756 wrote to memory of 728	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	28
PID 1756 wrote to memory of 1276	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	29
PID 1756 wrote to memory of 1276	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	29
PID 1756 wrote to memory of 1276	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	29
PID 1756 wrote to memory of 1276	1756	b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe	29
PID 1276 wrote to memory of 520	1276	cmd.exe	31
PID 1276 wrote to memory of 520	1276	cmd.exe	31
PID 1276 wrote to memory of 520	1276	cmd.exe	31
PID 1276 wrote to memory of 520	1276	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe
"C:\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe
  "C:\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bd7466924f8a069d4978624ded31023

SHA1
1b3615dd89f0f87bc9811f4b2e2f95ef0a248da1

SHA256
a6d3d8e5425b90902193825b793ecbc1c4009492b399083483f61662cbc11de8

SHA512
33447e79cf8332d6922ff8dfb9034a4d0cccc52b9679ae2bdaf3788f69e02f84466e57e5a5b4a53c965828a456946b81455ddaafc332e4960c5984e36da4af62

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Filesize
272KB

MD5
3995e647a475af3c4462c39fc6ba8c40

SHA1
37c1a1ffc5b21162bc21654a8fd07a8509713d83

SHA256
b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8

SHA512
612ecf1f3cbe57ccc635fe84603408509104b2644227db2d1d2a0f394c014f015b1d2195b34251568a2024e4f10634ebd18fd0d368b7112cf736549733ea934c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Filesize
272KB

MD5
3995e647a475af3c4462c39fc6ba8c40

SHA1
37c1a1ffc5b21162bc21654a8fd07a8509713d83

SHA256
b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8

SHA512
612ecf1f3cbe57ccc635fe84603408509104b2644227db2d1d2a0f394c014f015b1d2195b34251568a2024e4f10634ebd18fd0d368b7112cf736549733ea934c

Download Submit
\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Filesize
272KB

MD5
3995e647a475af3c4462c39fc6ba8c40

SHA1
37c1a1ffc5b21162bc21654a8fd07a8509713d83

SHA256
b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8

SHA512
612ecf1f3cbe57ccc635fe84603408509104b2644227db2d1d2a0f394c014f015b1d2195b34251568a2024e4f10634ebd18fd0d368b7112cf736549733ea934c

Download Submit
\Users\Admin\AppData\Local\Temp\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8\b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8.exe

Filesize
272KB

MD5
3995e647a475af3c4462c39fc6ba8c40

SHA1
37c1a1ffc5b21162bc21654a8fd07a8509713d83

SHA256
b9c12645403f806b6f53d82fb0fa3e178a19781bfd36d46a622ec2c2454adef8

SHA512
612ecf1f3cbe57ccc635fe84603408509104b2644227db2d1d2a0f394c014f015b1d2195b34251568a2024e4f10634ebd18fd0d368b7112cf736549733ea934c

Download Submit
memory/728-66-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/728-67-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-55-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1756-65-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing