imminent | dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a

General

Target

dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe
Size

272KB
MD5

a64077409059b81807d22e157fb09fc8
SHA1

78919afedae2560bf4417f4844d009a43bbff15a
SHA256

dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a
SHA512

663c9b494a5f61a23534a85ddfaacc2bb5bb44304b1499aad9b69c98723a41882ed1cd037629f54c092bf2098ab2213f6a0df873a2fd8038fc3ef4a089045d66
SSDEEP

6144:iUx3z5eUExsUIR3iO48X2muLdjtyOgGHMMqx4B07ctlje:iUhzgNxsnRF4tJLrytGi+07IS

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1440	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Deletes itself 1 IoCs

pid	Process
1640	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe
1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\\Google/Chrome/\\chrome32.exe"	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Local\\Google/Chrome/\\chrome32.exe"	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1704	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe
Token: SeDebugPrivilege	1440	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1440	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1440	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	27
PID 1956 wrote to memory of 1440	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	27
PID 1956 wrote to memory of 1440	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	27
PID 1956 wrote to memory of 1440	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	27
PID 1956 wrote to memory of 1640	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	28
PID 1956 wrote to memory of 1640	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	28
PID 1956 wrote to memory of 1640	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	28
PID 1956 wrote to memory of 1640	1956	dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe	28
PID 1640 wrote to memory of 1704	1640	cmd.exe	30
PID 1640 wrote to memory of 1704	1640	cmd.exe	30
PID 1640 wrote to memory of 1704	1640	cmd.exe	30
PID 1640 wrote to memory of 1704	1640	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe
"C:\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe
  "C:\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa9890eaa6011a2697350baf3d7d1fc7

SHA1
f7b8800ef5998dde321871dd8e9e39f20d94a6eb

SHA256
9d45b3a3389bc36e189d17ded77f05dd567156f44410fc3b93e17a61f1b5ac75

SHA512
b26f4dbd0d34ebabb6abc3eebf57a9ec03abe53e20f675479ef5b81e113246061fed62b8a2559765fbc6ed821cf7e83fc05c15783941049c14084db0feac8886

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Filesize
272KB

MD5
a64077409059b81807d22e157fb09fc8

SHA1
78919afedae2560bf4417f4844d009a43bbff15a

SHA256
dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a

SHA512
663c9b494a5f61a23534a85ddfaacc2bb5bb44304b1499aad9b69c98723a41882ed1cd037629f54c092bf2098ab2213f6a0df873a2fd8038fc3ef4a089045d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Filesize
272KB

MD5
a64077409059b81807d22e157fb09fc8

SHA1
78919afedae2560bf4417f4844d009a43bbff15a

SHA256
dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a

SHA512
663c9b494a5f61a23534a85ddfaacc2bb5bb44304b1499aad9b69c98723a41882ed1cd037629f54c092bf2098ab2213f6a0df873a2fd8038fc3ef4a089045d66

Download Submit
\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Filesize
272KB

MD5
a64077409059b81807d22e157fb09fc8

SHA1
78919afedae2560bf4417f4844d009a43bbff15a

SHA256
dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a

SHA512
663c9b494a5f61a23534a85ddfaacc2bb5bb44304b1499aad9b69c98723a41882ed1cd037629f54c092bf2098ab2213f6a0df873a2fd8038fc3ef4a089045d66

Download Submit
\Users\Admin\AppData\Local\Temp\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a\dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a.exe

Filesize
272KB

MD5
a64077409059b81807d22e157fb09fc8

SHA1
78919afedae2560bf4417f4844d009a43bbff15a

SHA256
dfd5a647b5c4957bcaef5054b1241dbd0c2c0213c1810e7417242750a081c21a

SHA512
663c9b494a5f61a23534a85ddfaacc2bb5bb44304b1499aad9b69c98723a41882ed1cd037629f54c092bf2098ab2213f6a0df873a2fd8038fc3ef4a089045d66

Download Submit
memory/1440-64-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1440-67-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-66-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing