imminent | ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6

General

Target

ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe
Size

272KB
MD5

e87802adc9385a9960d4d505bf9777ee
SHA1

8acf181bcd2aa1288d454c980ceb67df235f8b07
SHA256

ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6
SHA512

ab1638215883d084a78471a0594be0e062d521e13231e495b17266dd5317c3af590153c4ef813d173c14afd70e9528499b3387a6ab0e2445ebf17cef2ba3548b
SSDEEP

6144:/DzXdjKLCXJnmlrroy1pvj7WjDiuFCNBL/Yctlm:fJgCXJnmVnbXWjOGu1AIm

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1488	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Deletes itself 1 IoCs

pid	Process
1888	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe
1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1148	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe
Token: SeDebugPrivilege	1488	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1488	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1488	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	27
PID 1628 wrote to memory of 1488	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	27
PID 1628 wrote to memory of 1488	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	27
PID 1628 wrote to memory of 1488	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	27
PID 1628 wrote to memory of 1888	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	28
PID 1628 wrote to memory of 1888	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	28
PID 1628 wrote to memory of 1888	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	28
PID 1628 wrote to memory of 1888	1628	ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe	28
PID 1888 wrote to memory of 1148	1888	cmd.exe	30
PID 1888 wrote to memory of 1148	1888	cmd.exe	30
PID 1888 wrote to memory of 1148	1888	cmd.exe	30
PID 1888 wrote to memory of 1148	1888	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe
"C:\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe
  "C:\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cafad1f54a1d22b813ee6f3c365fd5e5

SHA1
50c95f3b1cca0ddda00d5b1309dbab576535a42a

SHA256
d222e1758c3f4790b72814cf7dec356920da726faece2506390f33021a1b9f2b

SHA512
fdcc2c1ad4bf932c98d4d6a3e4807d5d22ace3656a31b6630eac1380b59909843edcd124db2bbdec7a55ede6470b4039c0857fdb7d5e1ca167d4df2fc5d7fa71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Filesize
272KB

MD5
e87802adc9385a9960d4d505bf9777ee

SHA1
8acf181bcd2aa1288d454c980ceb67df235f8b07

SHA256
ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6

SHA512
ab1638215883d084a78471a0594be0e062d521e13231e495b17266dd5317c3af590153c4ef813d173c14afd70e9528499b3387a6ab0e2445ebf17cef2ba3548b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Filesize
272KB

MD5
e87802adc9385a9960d4d505bf9777ee

SHA1
8acf181bcd2aa1288d454c980ceb67df235f8b07

SHA256
ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6

SHA512
ab1638215883d084a78471a0594be0e062d521e13231e495b17266dd5317c3af590153c4ef813d173c14afd70e9528499b3387a6ab0e2445ebf17cef2ba3548b

Download Submit
\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Filesize
272KB

MD5
e87802adc9385a9960d4d505bf9777ee

SHA1
8acf181bcd2aa1288d454c980ceb67df235f8b07

SHA256
ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6

SHA512
ab1638215883d084a78471a0594be0e062d521e13231e495b17266dd5317c3af590153c4ef813d173c14afd70e9528499b3387a6ab0e2445ebf17cef2ba3548b

Download Submit
\Users\Admin\AppData\Local\Temp\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6\ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6.exe

Filesize
272KB

MD5
e87802adc9385a9960d4d505bf9777ee

SHA1
8acf181bcd2aa1288d454c980ceb67df235f8b07

SHA256
ef4b3ffc69ecf69409ae39f13507a9b4ad8aa010e6b1bf90080375031fc3ccf6

SHA512
ab1638215883d084a78471a0594be0e062d521e13231e495b17266dd5317c3af590153c4ef813d173c14afd70e9528499b3387a6ab0e2445ebf17cef2ba3548b

Download Submit
memory/1488-67-0x0000000074DC0000-0x000000007536B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-68-0x0000000074DC0000-0x000000007536B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1628-55-0x0000000074DC0000-0x000000007536B000-memory.dmp

Filesize
5.7MB

Download
memory/1628-66-0x0000000074DC0000-0x000000007536B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing