imminent | 9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980

Analysis

max time kernel
151s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe
Size

341KB
MD5

b71297fc07c65a8bbc77dc95d1370aec
SHA1

22f51ce0e1add2a9b5b9a58e0f9917a851ac4026
SHA256

9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980
SHA512

f47e63e7dddbd17e56ff08db586b87ecad425933a2b1caf55cfab544a246e037d26acfadce5d95173a92b8f48668e9adab696f94081c05e30ba8ce58c22a0970
SSDEEP

6144:dli+u8SuAKUFllL/eM8+m0/oIMEXCiWONRM3/GD7ClYGAmlLjXNlXXxNbJndgtN3:dm8HAxFlkM8+m0QIMESFmRU/QFvojXN+

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
1324	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe
960	tmp349D.tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe
1324	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe
1324	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scvhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Client\\Scvhost.exe"	tmp349D.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scvhost.exe = "\\Client\\Scvhost.exe"	tmp349D.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
960	tmp349D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	tmp349D.tmp.exe
Token: SeDebugPrivilege	960	tmp349D.tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
960	tmp349D.tmp.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1620 wrote to memory of 1324	1620	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	28
PID 1324 wrote to memory of 960	1324	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe	29
PID 1324 wrote to memory of 960	1324	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe	29
PID 1324 wrote to memory of 960	1324	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe	29
PID 1324 wrote to memory of 960	1324	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe	29

C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe
"C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe
  "C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\tmp349D.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp349D.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5ecb0a61fe9dbe467ada68689dd6d99

SHA1
8f4b5358ebb7ac72d70b23d385ffcf4f5d5fc8aa

SHA256
3d418cb46551783d84e993c441599302dc2186327853f617a952cd38b90cdc24

SHA512
369017a45e31c245001f01ec8e71d0d7c9fda24f61f5f638984cf96d4146bcb25ebf30e00e70294c30194abb5d101c8b32ffcf02be40995faa3891c007ad067e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d086d032e150dbbd12a7c02dfe142f03

SHA1
a97a8b830cbe76462d6724b4ac113dea6196b3fa

SHA256
cbc327223e7e8716ef47eddf40d4285a04454605efa0e6e5bd1d646fe92cd37d

SHA512
da84cd7e2ae2c8db6582611a42c93a75ccedb7b26fb3156e5226dc5a1a9f96f6f6a78a26f22515a84aea777374ec7b4c4ec32af33c9a3e36e99838a2ef24008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe

Filesize
343KB

MD5
727dc5d3237019664f06c860b609f2f9

SHA1
0409878681e779682a27c57c574360afdaaec727

SHA256
e8087baaeda47dc5eca7ef42c5a2e1c8803c78fe225063bbc2323a27a0317bb9

SHA512
61233f63da60b81cefd8d34c4020c67fc942d2c40fb5b946ccef4a64a02cebcad23f1039ab6d072153856bb739ea842bb6c4e3a2ba99d1521459f5449ea2637b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe

Filesize
343KB

MD5
727dc5d3237019664f06c860b609f2f9

SHA1
0409878681e779682a27c57c574360afdaaec727

SHA256
e8087baaeda47dc5eca7ef42c5a2e1c8803c78fe225063bbc2323a27a0317bb9

SHA512
61233f63da60b81cefd8d34c4020c67fc942d2c40fb5b946ccef4a64a02cebcad23f1039ab6d072153856bb739ea842bb6c4e3a2ba99d1521459f5449ea2637b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp349D.tmp.exe

Filesize
273KB

MD5
6242eb6ac9b11d5e6c1e0f7801e8625f

SHA1
9198a27d2b0655a3a513c530dff3f418311bc7e7

SHA256
2f585c41a77ac630eb0c221f13c2f174cccff3410377237335ed547290f98dff

SHA512
49ee1a8b128fe9fc7b8842835c9713d0215f5ccd60ea3f07dec8ef8cd92156cf8d166422e8f59a5bf9e2a27c1596bc69d258e3ae604189086a5c6c33b6350bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp349D.tmp.exe

Filesize
273KB

MD5
6242eb6ac9b11d5e6c1e0f7801e8625f

SHA1
9198a27d2b0655a3a513c530dff3f418311bc7e7

SHA256
2f585c41a77ac630eb0c221f13c2f174cccff3410377237335ed547290f98dff

SHA512
49ee1a8b128fe9fc7b8842835c9713d0215f5ccd60ea3f07dec8ef8cd92156cf8d166422e8f59a5bf9e2a27c1596bc69d258e3ae604189086a5c6c33b6350bca

Download Submit
\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe

Filesize
343KB

MD5
727dc5d3237019664f06c860b609f2f9

SHA1
0409878681e779682a27c57c574360afdaaec727

SHA256
e8087baaeda47dc5eca7ef42c5a2e1c8803c78fe225063bbc2323a27a0317bb9

SHA512
61233f63da60b81cefd8d34c4020c67fc942d2c40fb5b946ccef4a64a02cebcad23f1039ab6d072153856bb739ea842bb6c4e3a2ba99d1521459f5449ea2637b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp349D.tmp.exe

Filesize
273KB

MD5
6242eb6ac9b11d5e6c1e0f7801e8625f

SHA1
9198a27d2b0655a3a513c530dff3f418311bc7e7

SHA256
2f585c41a77ac630eb0c221f13c2f174cccff3410377237335ed547290f98dff

SHA512
49ee1a8b128fe9fc7b8842835c9713d0215f5ccd60ea3f07dec8ef8cd92156cf8d166422e8f59a5bf9e2a27c1596bc69d258e3ae604189086a5c6c33b6350bca

Download Submit
\Users\Admin\AppData\Local\Temp\tmp349D.tmp.exe

Filesize
273KB

MD5
6242eb6ac9b11d5e6c1e0f7801e8625f

SHA1
9198a27d2b0655a3a513c530dff3f418311bc7e7

SHA256
2f585c41a77ac630eb0c221f13c2f174cccff3410377237335ed547290f98dff

SHA512
49ee1a8b128fe9fc7b8842835c9713d0215f5ccd60ea3f07dec8ef8cd92156cf8d166422e8f59a5bf9e2a27c1596bc69d258e3ae604189086a5c6c33b6350bca

Download Submit
memory/960-82-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/960-81-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/1324-61-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1324-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1324-69-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1324-62-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1324-78-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/1324-60-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1324-58-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1324-57-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1620-66-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/1620-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1620-55-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download