imminent | 9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980

General

Target

9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe
Size

341KB
MD5

b71297fc07c65a8bbc77dc95d1370aec
SHA1

22f51ce0e1add2a9b5b9a58e0f9917a851ac4026
SHA256

9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980
SHA512

f47e63e7dddbd17e56ff08db586b87ecad425933a2b1caf55cfab544a246e037d26acfadce5d95173a92b8f48668e9adab696f94081c05e30ba8ce58c22a0970
SSDEEP

6144:dli+u8SuAKUFllL/eM8+m0/oIMEXCiWONRM3/GD7ClYGAmlLjXNlXXxNbJndgtN3:dm8HAxFlkM8+m0QIMESFmRU/QFvojXN+

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
4936	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe
1832	tmpACF9.tmp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scvhost.exe = "\\Client\\Scvhost.exe"	tmpACF9.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scvhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Client\\Scvhost.exe"	tmpACF9.tmp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	tmpACF9.tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	tmpACF9.tmp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	tmpACF9.tmp.exe
File created	C:\Windows\assembly\Desktop.ini	tmpACF9.tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	tmpACF9.tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1832	tmpACF9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	tmpACF9.tmp.exe
Token: SeDebugPrivilege	1832	tmpACF9.tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1832	tmpACF9.tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4296 wrote to memory of 4936	4296	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe	83
PID 4936 wrote to memory of 1832	4936	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe	84
PID 4936 wrote to memory of 1832	4936	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe	84
PID 4936 wrote to memory of 1832	4936	9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe	84

C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe
"C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c980.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe
  "C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\tmpACF9.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpACF9.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe

Filesize
343KB

MD5
727dc5d3237019664f06c860b609f2f9

SHA1
0409878681e779682a27c57c574360afdaaec727

SHA256
e8087baaeda47dc5eca7ef42c5a2e1c8803c78fe225063bbc2323a27a0317bb9

SHA512
61233f63da60b81cefd8d34c4020c67fc942d2c40fb5b946ccef4a64a02cebcad23f1039ab6d072153856bb739ea842bb6c4e3a2ba99d1521459f5449ea2637b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bb32479c6ab4c4183e6786bb0c0209a9563adbc1a01f426e9c309b156c3c9800.exe

Filesize
343KB

MD5
727dc5d3237019664f06c860b609f2f9

SHA1
0409878681e779682a27c57c574360afdaaec727

SHA256
e8087baaeda47dc5eca7ef42c5a2e1c8803c78fe225063bbc2323a27a0317bb9

SHA512
61233f63da60b81cefd8d34c4020c67fc942d2c40fb5b946ccef4a64a02cebcad23f1039ab6d072153856bb739ea842bb6c4e3a2ba99d1521459f5449ea2637b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACF9.tmp.exe

Filesize
273KB

MD5
6242eb6ac9b11d5e6c1e0f7801e8625f

SHA1
9198a27d2b0655a3a513c530dff3f418311bc7e7

SHA256
2f585c41a77ac630eb0c221f13c2f174cccff3410377237335ed547290f98dff

SHA512
49ee1a8b128fe9fc7b8842835c9713d0215f5ccd60ea3f07dec8ef8cd92156cf8d166422e8f59a5bf9e2a27c1596bc69d258e3ae604189086a5c6c33b6350bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACF9.tmp.exe

Filesize
273KB

MD5
6242eb6ac9b11d5e6c1e0f7801e8625f

SHA1
9198a27d2b0655a3a513c530dff3f418311bc7e7

SHA256
2f585c41a77ac630eb0c221f13c2f174cccff3410377237335ed547290f98dff

SHA512
49ee1a8b128fe9fc7b8842835c9713d0215f5ccd60ea3f07dec8ef8cd92156cf8d166422e8f59a5bf9e2a27c1596bc69d258e3ae604189086a5c6c33b6350bca

Download Submit
memory/1832-141-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/1832-144-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/4296-137-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/4296-132-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4936-142-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-143-0x0000000074DF0000-0x00000000753A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing