imminent | e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb

General

Target

e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe
Size

772KB
MD5

7ca43d6276ac5ad12d9f8000f8c07e3e
SHA1

19ff25f1ed8d55bc424b17bb3328eee934804303
SHA256

e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb
SHA512

9010976aff6a2801fe22fa9f015a98c6badedb024a60365db79f07b2f6d9aacb74bdde0aed0e4e95cb201a7f84272e2a758fb4abec717611a409d0ae44c2b29d
SSDEEP

12288:xq+O7Rjj7OPQbUQJlnXeSFGCu3H2Jz5tUwfBR52sm2p9kF:xJqHbJ1eSFaydtUwZRYC

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Executes dropped EXE 1 IoCs

Processes:

Vrypted .exe

pid process

2036 Vrypted .exe
Loads dropped DLL 1 IoCs

Processes:

e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe

pid process

1784 e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe

pid	process
2036	Vrypted .exe

pid	process
1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Vrypted .exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows/system32\\system32.exe"	Vrypted .exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe

description	pid	process	target process
PID 1784 set thread context of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe

pid process

1784 e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Vrypted .exe

pid process

2036 Vrypted .exe

pid	process
1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe

pid	process
2036	Vrypted .exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exeVrypted .exe

description	pid	process
Token: SeDebugPrivilege	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe
Token: SeDebugPrivilege	2036	Vrypted .exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Vrypted .exe

pid process

2036 Vrypted .exe

pid	process
2036	Vrypted .exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe

description	pid	process	target process
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe
PID 1784 wrote to memory of 2036	1784	e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe	Vrypted .exe

C:\Users\Admin\AppData\Local\Temp\e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe
"C:\Users\Admin\AppData\Local\Temp\e34b20ba4dcb923b68660529ab9a071211b73466bae90d4ec2ad438daf7a26fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\Vrypted .exe
  "C:\Users\Admin\AppData\Local\Temp\Vrypted .exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vrypted .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vrypted .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\Vrypted .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/1784-61-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/1784-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1784-70-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-59-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2036-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2036-62-0x0000000000000000-mapping.dmp

Download
memory/2036-63-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2036-57-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2036-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2036-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2036-71-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-72-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads