imminent | f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
Size

1.1MB
MD5

025815e4612abeb9091363175923143f
SHA1

c8f1da32c27227ac04e877b56ac52367e4f040bb
SHA256

f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239
SHA512

e61bcabbe6ad4d87fa609aafa605f592a1cc01326cc0c967765de6846af22d70406ba60a871e152d42e7dd29d17bfac9d67e460b4c29f9b318bb6f007de4f044
SSDEEP

24576:2t24Hig61KRHaDleb38novJ7ZoYHdScInH2v27efUlcaVW67fsMH:cHigDRHElSMnox7ZoYHd9IslsqKWKf1H

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
112	ewnkp.com
1960	ewnkp.com

Loads dropped DLL 6 IoCs

pid	Process
1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
112	ewnkp.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ewnkp.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\soawf\\ewnkp.com C:\\Users\\Admin\\AppData\\Roaming\\soawf\\irrdb.txl"	ewnkp.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 520	1960	ewnkp.com	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
624	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	ewnkp.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
520	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	520	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
520	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 112	1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	28
PID 1284 wrote to memory of 112	1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	28
PID 1284 wrote to memory of 112	1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	28
PID 1284 wrote to memory of 112	1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	28
PID 1284 wrote to memory of 112	1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	28
PID 1284 wrote to memory of 112	1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	28
PID 1284 wrote to memory of 112	1284	f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe	28
PID 112 wrote to memory of 1960	112	ewnkp.com	29
PID 112 wrote to memory of 1960	112	ewnkp.com	29
PID 112 wrote to memory of 1960	112	ewnkp.com	29
PID 112 wrote to memory of 1960	112	ewnkp.com	29
PID 112 wrote to memory of 1960	112	ewnkp.com	29
PID 112 wrote to memory of 1960	112	ewnkp.com	29
PID 112 wrote to memory of 1960	112	ewnkp.com	29
PID 1960 wrote to memory of 1748	1960	ewnkp.com	30
PID 1960 wrote to memory of 1748	1960	ewnkp.com	30
PID 1960 wrote to memory of 1748	1960	ewnkp.com	30
PID 1960 wrote to memory of 1748	1960	ewnkp.com	30
PID 1960 wrote to memory of 1748	1960	ewnkp.com	30
PID 1960 wrote to memory of 1748	1960	ewnkp.com	30
PID 1960 wrote to memory of 1748	1960	ewnkp.com	30
PID 1960 wrote to memory of 1568	1960	ewnkp.com	31
PID 1960 wrote to memory of 1568	1960	ewnkp.com	31
PID 1960 wrote to memory of 1568	1960	ewnkp.com	31
PID 1960 wrote to memory of 1568	1960	ewnkp.com	31
PID 1960 wrote to memory of 1568	1960	ewnkp.com	31
PID 1960 wrote to memory of 1568	1960	ewnkp.com	31
PID 1960 wrote to memory of 1568	1960	ewnkp.com	31
PID 1960 wrote to memory of 2024	1960	ewnkp.com	32
PID 1960 wrote to memory of 2024	1960	ewnkp.com	32
PID 1960 wrote to memory of 2024	1960	ewnkp.com	32
PID 1960 wrote to memory of 2024	1960	ewnkp.com	32
PID 1960 wrote to memory of 2024	1960	ewnkp.com	32
PID 1960 wrote to memory of 2024	1960	ewnkp.com	32
PID 1960 wrote to memory of 2024	1960	ewnkp.com	32
PID 1960 wrote to memory of 1964	1960	ewnkp.com	33
PID 1960 wrote to memory of 1964	1960	ewnkp.com	33
PID 1960 wrote to memory of 1964	1960	ewnkp.com	33
PID 1960 wrote to memory of 1964	1960	ewnkp.com	33
PID 1960 wrote to memory of 1964	1960	ewnkp.com	33
PID 1960 wrote to memory of 1964	1960	ewnkp.com	33
PID 1960 wrote to memory of 1964	1960	ewnkp.com	33
PID 1960 wrote to memory of 1084	1960	ewnkp.com	34
PID 1960 wrote to memory of 1084	1960	ewnkp.com	34
PID 1960 wrote to memory of 1084	1960	ewnkp.com	34
PID 1960 wrote to memory of 1084	1960	ewnkp.com	34
PID 1960 wrote to memory of 1084	1960	ewnkp.com	34
PID 1960 wrote to memory of 1084	1960	ewnkp.com	34
PID 1960 wrote to memory of 1084	1960	ewnkp.com	34
PID 1960 wrote to memory of 1900	1960	ewnkp.com	35
PID 1960 wrote to memory of 1900	1960	ewnkp.com	35
PID 1960 wrote to memory of 1900	1960	ewnkp.com	35
PID 1960 wrote to memory of 1900	1960	ewnkp.com	35
PID 1960 wrote to memory of 1900	1960	ewnkp.com	35
PID 1960 wrote to memory of 1900	1960	ewnkp.com	35
PID 1960 wrote to memory of 1900	1960	ewnkp.com	35
PID 1960 wrote to memory of 1740	1960	ewnkp.com	36
PID 1960 wrote to memory of 1740	1960	ewnkp.com	36
PID 1960 wrote to memory of 1740	1960	ewnkp.com	36
PID 1960 wrote to memory of 1740	1960	ewnkp.com	36
PID 1960 wrote to memory of 1740	1960	ewnkp.com	36
PID 1960 wrote to memory of 1740	1960	ewnkp.com	36
PID 1960 wrote to memory of 1740	1960	ewnkp.com	36
PID 1960 wrote to memory of 876	1960	ewnkp.com	37

C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe
"C:\Users\Admin\AppData\Local\Temp\f051c9541a319e90a794ba1853984e1975f0e11318b764080fed98c5a8bdb239.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
  "C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com" irrdb.txl
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com
    C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com C:\Users\Admin\AppData\Roaming\soawf\ZEWKL
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /IM mshta.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\soawf\YMQGIX

Filesize
22KB

MD5
8411942151d844067bc637c35ac2847e

SHA1
0fae54a9b04ab15ce4acff346224d88195300b23

SHA256
96a2341f1bc8f3a31ca774b76f0c441d54f4f9e270d7aeeafac68e2ccf9e3506

SHA512
a3fb1441cd29300abdaa889e4c6cec9dba4e12d21459eada361117a2a64f163051af8bc0c942e56b2b932df7428c259d8dcc5d6c5d3c260be799050bb0ccd610

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\ZEWKL

Filesize
117KB

MD5
3384979a23fbe4de79286b1901121b19

SHA1
5e69f43dcc8ed992ab17c233271712bb0bf60f13

SHA256
ae2427d833c91c213875fe7e70b05c88e949859da91b33681d598e3fd6b4f740

SHA512
0f98ff4b4c631dfc388e515dcaa3e858ed2c9581a63d9ab3ec588ea9ef17a593dc632c6f9093c13944812f273153ea0f0b37a1ca8aaa30a23d1199dcdf832fa3

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\citax.ojb

Filesize
117KB

MD5
3a6730dd1fd8c9a8a316dcc6d4c6510c

SHA1
2d1d23733c1e34143b85575418b0d7fb39c30a78

SHA256
b5f108cffa82e6bd972d548139ef07d2024db58f0657b1cce60d1d1ca27958e5

SHA512
e5280425ea75d2429bc3795aa8352a687910fc3b43c533ae31afb7d6dafaa1f7bdac3698b94fd4ef7f0bfc49eccdd371cc83727b377baec2c9a974d4a4206310

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\irrdb.txl

Filesize
3KB

MD5
320133077eb8365d0a35a6c8bf1078c5

SHA1
31bf50ca151ee596b2fa04db5f748c2799b16b26

SHA256
a18eb74dc95cd8df63dd06561ade96d97efe753153f7e679f118be9cc3b2aad6

SHA512
f6cf82316f2562d6910690064fcb1681d1136ce902cac2f6dd8daa1b5b8877b8ebf6be8b5bd48ea00a522971fa85929340268ea69cf1f3003ebfa4af9e26da38

Download Submit
C:\Users\Admin\AppData\Roaming\soawf\nbwul

Filesize
272KB

MD5
b6ea1cbbe3f6599f3992c1b0eacfa171

SHA1
2844c4ea48876886757a24b05c72473594a8cb4e

SHA256
87d170c56ef26f9bb8f46151a61d56be62ecac3847c33145e3c8501fad778c4d

SHA512
01fa6e5a8dcc661c0e8a037de9476920ea0d87370e0b895c7d5c2dfd17db1b2ef9dca7c29dc43b6223c0a77cefb889b1ad2cf7cdeff997647e358e6c147823ef

Download Submit
\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\soawf\ewnkp.com

Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
memory/520-92-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/520-104-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/520-103-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/520-101-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/520-99-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/520-96-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/520-95-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/520-94-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/520-91-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1284-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download