imminent | 73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f

General

Target

73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe
Size

273KB
MD5

fec0638146178c56fafe585c3ec2431e
SHA1

eb6e6c739da7f191cfb23e173d80daa21a2d6e71
SHA256

73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f
SHA512

11ab5498014069a1f1375b52ab5fb0be3ec80f61f64a502013f2cf29874d9e8882b7afa72f347401873a52eea25586d1ea9d6c7dd4b55ece03b1609d2ab5b0e6
SSDEEP

6144:7cVeEqxcaAH44yo8BNE1jp1i39fjaSYcOAdNsteW8ctlml:QVdTaN4yh01nkjaSYcOeNGeZIml

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
2028	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Loads dropped DLL 2 IoCs

pid	Process
856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe
856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\345etrdg = "\\34erf\\666kkk.exe"	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\345etrdg = "C:\\Users\\Admin\\AppData\\Local\\34erf\\666kkk.exe"	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
300	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2028	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe
Token: SeDebugPrivilege	2028	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe
Token: SeDebugPrivilege	2028	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2028	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	28
PID 856 wrote to memory of 2028	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	28
PID 856 wrote to memory of 2028	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	28
PID 856 wrote to memory of 2028	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	28
PID 856 wrote to memory of 564	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	29
PID 856 wrote to memory of 564	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	29
PID 856 wrote to memory of 564	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	29
PID 856 wrote to memory of 564	856	73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe	29
PID 564 wrote to memory of 300	564	cmd.exe	31
PID 564 wrote to memory of 300	564	cmd.exe	31
PID 564 wrote to memory of 300	564	cmd.exe	31
PID 564 wrote to memory of 300	564	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe
"C:\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe
  "C:\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
823313b4f372b068d9edfed1056e66c4

SHA1
a1b576b436236541ab77971f0524e2d30f47deb1

SHA256
dc73ba441a57d251b6981873032e55c51bfdb2ea35e1f631a9f93d4139e6f0d1

SHA512
13b99a256b7f40432e771ad14338bbf49356afb94b6644722cc6985729b4f62d1ef86e07353a4da1dcb9fac9e208e0915c57f624435bf4b774b3105eff302433

Download Submit
C:\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Filesize
273KB

MD5
fec0638146178c56fafe585c3ec2431e

SHA1
eb6e6c739da7f191cfb23e173d80daa21a2d6e71

SHA256
73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f

SHA512
11ab5498014069a1f1375b52ab5fb0be3ec80f61f64a502013f2cf29874d9e8882b7afa72f347401873a52eea25586d1ea9d6c7dd4b55ece03b1609d2ab5b0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Filesize
273KB

MD5
fec0638146178c56fafe585c3ec2431e

SHA1
eb6e6c739da7f191cfb23e173d80daa21a2d6e71

SHA256
73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f

SHA512
11ab5498014069a1f1375b52ab5fb0be3ec80f61f64a502013f2cf29874d9e8882b7afa72f347401873a52eea25586d1ea9d6c7dd4b55ece03b1609d2ab5b0e6

Download Submit
\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Filesize
273KB

MD5
fec0638146178c56fafe585c3ec2431e

SHA1
eb6e6c739da7f191cfb23e173d80daa21a2d6e71

SHA256
73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f

SHA512
11ab5498014069a1f1375b52ab5fb0be3ec80f61f64a502013f2cf29874d9e8882b7afa72f347401873a52eea25586d1ea9d6c7dd4b55ece03b1609d2ab5b0e6

Download Submit
\Users\Admin\AppData\Local\Temp\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f\73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f.exe

Filesize
273KB

MD5
fec0638146178c56fafe585c3ec2431e

SHA1
eb6e6c739da7f191cfb23e173d80daa21a2d6e71

SHA256
73906a5b99b597637dceb03a5a8edb1fa42894305dd98b65b64e9de248a5306f

SHA512
11ab5498014069a1f1375b52ab5fb0be3ec80f61f64a502013f2cf29874d9e8882b7afa72f347401873a52eea25586d1ea9d6c7dd4b55ece03b1609d2ab5b0e6

Download Submit
memory/856-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/856-55-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/856-66-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-67-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-68-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing