imminent | fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

Analysis

max time kernel
233s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
Size

352KB
MD5

2650bf6d5c4ad8279215e3326d19a278
SHA1

c71fbd1020d7a244ca404bedb98e3074f22b50d2
SHA256

fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff
SHA512

8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5
SSDEEP

6144:8K52HzXI/1jwWw0IrAv/FINo6hHIq/xcLp8t/xTBN/uVBgKj:T52HzYNcD1Aoo6Z3iLpG/B7/uVyKj

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 3 IoCs

pid	Process
968	AppMgnt.exe
1684	hknswc.exe
1264	hknswc.exe

Loads dropped DLL 2 IoCs

pid	Process
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 472 set thread context of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 1684 set thread context of 1264	1684	hknswc.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe
472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
968	AppMgnt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
Token: SeDebugPrivilege	1724	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
Token: SeDebugPrivilege	968	AppMgnt.exe
Token: 33	968	AppMgnt.exe
Token: SeIncBasePriorityPrivilege	968	AppMgnt.exe
Token: SeDebugPrivilege	1684	hknswc.exe
Token: SeDebugPrivilege	1264	hknswc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
1264	hknswc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 1724	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	28
PID 472 wrote to memory of 968	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	29
PID 472 wrote to memory of 968	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	29
PID 472 wrote to memory of 968	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	29
PID 472 wrote to memory of 968	472	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	29
PID 968 wrote to memory of 1684	968	AppMgnt.exe	30
PID 968 wrote to memory of 1684	968	AppMgnt.exe	30
PID 968 wrote to memory of 1684	968	AppMgnt.exe	30
PID 968 wrote to memory of 1684	968	AppMgnt.exe	30
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31
PID 1684 wrote to memory of 1264	1684	hknswc.exe	31

C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
"C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472
- C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
  "C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1724
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Logs\27-11-2022

Filesize
45B

MD5
6239075a60967348bcbc253d0976ca6d

SHA1
62d9b77ab2764d49a18029d78cfa8723ae19f06f

SHA256
3d6b748ffd8ca381fef385d0a9f5ff22e0f81f0524674701edf5242442950781

SHA512
fe2c971695e06800a536b0eb67c9748a60913771097dbcaeab955cf8a8cf74238aad54ca342fed03b26f123d2990b8ebf3ed89ab7f5e890b4efbc865a946966e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
11KB

MD5
6b8eda50fa5ec3663901fdddff1f858c

SHA1
88732ef0660264b68651a2fbaed9bf166309af05

SHA256
b60499f6e4b2620aca4490ff7ed15c498f17c97157ed14a4f10eb012db78b5c3

SHA512
345243cde61d04cc0cde1873d35b39bc46b8c634e6c754d226353cadc69c0bacd1d8ccfe4b0096d69bb719fd8f469bb4d53d11c0f8cd1243985228c5f547120d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
11KB

MD5
6b8eda50fa5ec3663901fdddff1f858c

SHA1
88732ef0660264b68651a2fbaed9bf166309af05

SHA256
b60499f6e4b2620aca4490ff7ed15c498f17c97157ed14a4f10eb012db78b5c3

SHA512
345243cde61d04cc0cde1873d35b39bc46b8c634e6c754d226353cadc69c0bacd1d8ccfe4b0096d69bb719fd8f469bb4d53d11c0f8cd1243985228c5f547120d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
352KB

MD5
2650bf6d5c4ad8279215e3326d19a278

SHA1
c71fbd1020d7a244ca404bedb98e3074f22b50d2

SHA256
fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

SHA512
8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
352KB

MD5
2650bf6d5c4ad8279215e3326d19a278

SHA1
c71fbd1020d7a244ca404bedb98e3074f22b50d2

SHA256
fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

SHA512
8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
352KB

MD5
2650bf6d5c4ad8279215e3326d19a278

SHA1
c71fbd1020d7a244ca404bedb98e3074f22b50d2

SHA256
fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

SHA512
8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
11KB

MD5
6b8eda50fa5ec3663901fdddff1f858c

SHA1
88732ef0660264b68651a2fbaed9bf166309af05

SHA256
b60499f6e4b2620aca4490ff7ed15c498f17c97157ed14a4f10eb012db78b5c3

SHA512
345243cde61d04cc0cde1873d35b39bc46b8c634e6c754d226353cadc69c0bacd1d8ccfe4b0096d69bb719fd8f469bb4d53d11c0f8cd1243985228c5f547120d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
352KB

MD5
2650bf6d5c4ad8279215e3326d19a278

SHA1
c71fbd1020d7a244ca404bedb98e3074f22b50d2

SHA256
fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

SHA512
8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5

Download Submit
memory/472-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/472-57-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/472-56-0x00000000004B6000-0x00000000004C7000-memory.dmp

Filesize
68KB

Download
memory/472-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/472-58-0x00000000004B6000-0x00000000004C7000-memory.dmp

Filesize
68KB

Download
memory/968-78-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/968-86-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1264-101-0x0000000000080000-0x00000000000CA000-memory.dmp

Filesize
296KB

Download
memory/1264-97-0x0000000000080000-0x00000000000CA000-memory.dmp

Filesize
296KB

Download
memory/1264-104-0x0000000000080000-0x00000000000CA000-memory.dmp

Filesize
296KB

Download
memory/1264-108-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1264-106-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-83-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1684-84-0x0000000002116000-0x0000000002127000-memory.dmp

Filesize
68KB

Download
memory/1684-87-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-64-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1724-85-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-77-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-69-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1724-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1724-63-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1724-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1724-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1724-59-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download