imminent | d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe
Size

425KB
MD5

fe484787661bf09669f845a732270d98
SHA1

8f2bc598564fd08b6b6ec6da295938946525afa7
SHA256

d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab
SHA512

ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b
SSDEEP

12288:sSXQpmFaoScAdtr1JGgF9Sv+hD7e9IpYbW9NP7AYN:s4QpmLyfnTPS+hZ/9NP7AYN

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 4 IoCs

pid	Process
1312	winlogon.exe
1200	winlogon.exe
1768	winlogon.exe
1348	csrss.exe

Deletes itself 1 IoCs

pid	Process
1768	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1312	winlogon.exe
1312	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 1768	1312	winlogon.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe:ZONE.identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe\:ZONE.identifier:$DATA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1312	winlogon.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe
1348	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1768	winlogon.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	winlogon.exe
Token: SeDebugPrivilege	1768	winlogon.exe
Token: SeDebugPrivilege	1348	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1768	winlogon.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1440	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	28
PID 1340 wrote to memory of 1440	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	28
PID 1340 wrote to memory of 1440	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	28
PID 1340 wrote to memory of 1440	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	28
PID 1340 wrote to memory of 1312	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	30
PID 1340 wrote to memory of 1312	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	30
PID 1340 wrote to memory of 1312	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	30
PID 1340 wrote to memory of 1312	1340	d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe	30
PID 1312 wrote to memory of 1144	1312	winlogon.exe	31
PID 1312 wrote to memory of 1144	1312	winlogon.exe	31
PID 1312 wrote to memory of 1144	1312	winlogon.exe	31
PID 1312 wrote to memory of 1144	1312	winlogon.exe	31
PID 1312 wrote to memory of 1200	1312	winlogon.exe	33
PID 1312 wrote to memory of 1200	1312	winlogon.exe	33
PID 1312 wrote to memory of 1200	1312	winlogon.exe	33
PID 1312 wrote to memory of 1200	1312	winlogon.exe	33
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1768	1312	winlogon.exe	34
PID 1312 wrote to memory of 1348	1312	winlogon.exe	35
PID 1312 wrote to memory of 1348	1312	winlogon.exe	35
PID 1312 wrote to memory of 1348	1312	winlogon.exe	35
PID 1312 wrote to memory of 1348	1312	winlogon.exe	35

C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe
"C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe":ZONE.identifier & exit
  2⤵
  - NTFS ADS
  PID:1440
- C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
    3⤵
    - NTFS ADS
    PID:1144
- - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Deletes itself
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1768
- - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe
    "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe" -keyhide -prochide 1768 -reg C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe -proc 1768 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
\Users\Admin\AppData\Roaming\SubFolder\SubFolder\csrss.exe

Filesize
425KB

MD5
fe484787661bf09669f845a732270d98

SHA1
8f2bc598564fd08b6b6ec6da295938946525afa7

SHA256
d1da67579c78d02d319d99e3f989753cfc1d6793984ff70a7d491000111e29ab

SHA512
ae854fbb50a8c533796568835f68f3caf258bff8031e5d655c6516c73e3f10afef4016e369ff80d2eb3644f7c8c88918d44b0b4e6425aecdd26b0b849440278b

Download Submit
memory/1312-86-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1340-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1340-60-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-90-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-88-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-71-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-87-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1768-89-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download