imminent | b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

General

Target

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Size

339KB
MD5

6f2079524dfbcc1873b236623bf54332
SHA1

81d9fa986239d2cddb88b0171ef8cc310636a92a
SHA256

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51
SHA512

281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4
SSDEEP

6144:L2gD4gPNYTcl6bWq0o5ACUJVymf7ouQo97HAXvc1GZ/9ctltCc/+EvFkywdg:ggEbWfoSCUqcao97gXvc1ylItCc/+EQ

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Executes dropped EXE 1 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid process

1640 b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1996 cmd.exe

pid	process
1640	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid	process
1996	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid	process
2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Word = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Word\\Svchost.exe"	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Word = "\\Microsoft Word\\Svchost.exe"	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1260 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid process

1640 b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid	process
1260	PING.EXE

pid	process
1640	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exeb1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

description	pid	process
Token: SeDebugPrivilege	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
Token: SeDebugPrivilege	1640	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid process

1640 b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

pid	process
1640	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.execmd.exe

description	pid	process	target process
PID 2028 wrote to memory of 1640	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
PID 2028 wrote to memory of 1640	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
PID 2028 wrote to memory of 1640	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
PID 2028 wrote to memory of 1640	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
PID 2028 wrote to memory of 1996	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	cmd.exe
PID 2028 wrote to memory of 1996	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	cmd.exe
PID 2028 wrote to memory of 1996	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	cmd.exe
PID 2028 wrote to memory of 1996	2028	b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe	cmd.exe
PID 1996 wrote to memory of 1260	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 1260	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 1260	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 1260	1996	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
"C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe
"C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
3⤵
- Runs ping.exe
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Filesize
339KB

MD5
6f2079524dfbcc1873b236623bf54332

SHA1
81d9fa986239d2cddb88b0171ef8cc310636a92a

SHA256
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

SHA512
281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Filesize
339KB

MD5
6f2079524dfbcc1873b236623bf54332

SHA1
81d9fa986239d2cddb88b0171ef8cc310636a92a

SHA256
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

SHA512
281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4

Download Submit
\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Filesize
339KB

MD5
6f2079524dfbcc1873b236623bf54332

SHA1
81d9fa986239d2cddb88b0171ef8cc310636a92a

SHA256
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

SHA512
281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4

Download Submit
\Users\Admin\AppData\Local\Temp\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51\b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51.exe

Filesize
339KB

MD5
6f2079524dfbcc1873b236623bf54332

SHA1
81d9fa986239d2cddb88b0171ef8cc310636a92a

SHA256
b1edde38cdde5a77410a3b1286f4e4de9f23e8c85661e27131a912f0c63fcd51

SHA512
281d5f300c68947b506c4041341e8a5823caf66233d2aec2d026e73dce26edaf0c485b506f1fb6f31665d641df6632ee867ff0d4e095dc548d46d439ba6597f4

Download Submit
memory/1260-66-0x0000000000000000-mapping.dmp

Download
memory/1640-58-0x0000000000000000-mapping.dmp

Download
memory/1640-63-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-65-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-62-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2028-55-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-64-0x0000000074BD0000-0x000000007517B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads