imminent | fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

Analysis

max time kernel
153s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
Size

352KB
MD5

2650bf6d5c4ad8279215e3326d19a278
SHA1

c71fbd1020d7a244ca404bedb98e3074f22b50d2
SHA256

fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff
SHA512

8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5
SSDEEP

6144:8K52HzXI/1jwWw0IrAv/FINo6hHIq/xcLp8t/xTBN/uVBgKj:T52HzYNcD1Aoo6Z3iLpG/B7/uVyKj

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 4 IoCs

pid	Process
4484	AppMgnt.exe
1772	hknswc.exe
2324	hknswc.exe
3712	AppMgnt.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AppMgnt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hknswc.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3108 set thread context of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 1772 set thread context of 2324	1772	hknswc.exe	92

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
File created	C:\Windows\assembly\Desktop.ini	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe
3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
4484	AppMgnt.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2248	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
2324	hknswc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
Token: SeDebugPrivilege	4484	AppMgnt.exe
Token: 33	4484	AppMgnt.exe
Token: SeIncBasePriorityPrivilege	4484	AppMgnt.exe
Token: SeDebugPrivilege	2248	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
Token: SeDebugPrivilege	1772	hknswc.exe
Token: 33	4484	AppMgnt.exe
Token: SeIncBasePriorityPrivilege	4484	AppMgnt.exe
Token: SeDebugPrivilege	3712	AppMgnt.exe
Token: 33	3712	AppMgnt.exe
Token: SeIncBasePriorityPrivilege	3712	AppMgnt.exe
Token: SeDebugPrivilege	2324	hknswc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2248	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
2324	hknswc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 2248	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	88
PID 3108 wrote to memory of 4484	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	89
PID 3108 wrote to memory of 4484	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	89
PID 3108 wrote to memory of 4484	3108	fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe	89
PID 4484 wrote to memory of 1772	4484	AppMgnt.exe	90
PID 4484 wrote to memory of 1772	4484	AppMgnt.exe	90
PID 4484 wrote to memory of 1772	4484	AppMgnt.exe	90
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 2324	1772	hknswc.exe	92
PID 1772 wrote to memory of 3712	1772	hknswc.exe	93
PID 1772 wrote to memory of 3712	1772	hknswc.exe	93
PID 1772 wrote to memory of 3712	1772	hknswc.exe	93

C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
"C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe
  "C:\Users\Admin\AppData\Local\Temp\fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff.exe"
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2248
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2324
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgnt.exe.log

Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Logs\27-11-2022

Filesize
150B

MD5
7ea9933c3fd1da65ce50dc78675edac2

SHA1
9413e4aee7a9123a161fd61a05d29ca652a06a21

SHA256
74663a9441d4e5adbe130af3c9c32630c31fc2778fe917c47de1098f5c8efb16

SHA512
2c1ae56c418092387fda619aebf08a9b9b1075180a8e84ddde4be179663c1afe063afe04897f76a4ac0ebf023e652756bbf42dd88fcea3de06aa44a1d23596ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
11KB

MD5
6b8eda50fa5ec3663901fdddff1f858c

SHA1
88732ef0660264b68651a2fbaed9bf166309af05

SHA256
b60499f6e4b2620aca4490ff7ed15c498f17c97157ed14a4f10eb012db78b5c3

SHA512
345243cde61d04cc0cde1873d35b39bc46b8c634e6c754d226353cadc69c0bacd1d8ccfe4b0096d69bb719fd8f469bb4d53d11c0f8cd1243985228c5f547120d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
11KB

MD5
6b8eda50fa5ec3663901fdddff1f858c

SHA1
88732ef0660264b68651a2fbaed9bf166309af05

SHA256
b60499f6e4b2620aca4490ff7ed15c498f17c97157ed14a4f10eb012db78b5c3

SHA512
345243cde61d04cc0cde1873d35b39bc46b8c634e6c754d226353cadc69c0bacd1d8ccfe4b0096d69bb719fd8f469bb4d53d11c0f8cd1243985228c5f547120d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
11KB

MD5
6b8eda50fa5ec3663901fdddff1f858c

SHA1
88732ef0660264b68651a2fbaed9bf166309af05

SHA256
b60499f6e4b2620aca4490ff7ed15c498f17c97157ed14a4f10eb012db78b5c3

SHA512
345243cde61d04cc0cde1873d35b39bc46b8c634e6c754d226353cadc69c0bacd1d8ccfe4b0096d69bb719fd8f469bb4d53d11c0f8cd1243985228c5f547120d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
11KB

MD5
6b8eda50fa5ec3663901fdddff1f858c

SHA1
88732ef0660264b68651a2fbaed9bf166309af05

SHA256
b60499f6e4b2620aca4490ff7ed15c498f17c97157ed14a4f10eb012db78b5c3

SHA512
345243cde61d04cc0cde1873d35b39bc46b8c634e6c754d226353cadc69c0bacd1d8ccfe4b0096d69bb719fd8f469bb4d53d11c0f8cd1243985228c5f547120d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
352KB

MD5
2650bf6d5c4ad8279215e3326d19a278

SHA1
c71fbd1020d7a244ca404bedb98e3074f22b50d2

SHA256
fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

SHA512
8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
352KB

MD5
2650bf6d5c4ad8279215e3326d19a278

SHA1
c71fbd1020d7a244ca404bedb98e3074f22b50d2

SHA256
fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

SHA512
8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
352KB

MD5
2650bf6d5c4ad8279215e3326d19a278

SHA1
c71fbd1020d7a244ca404bedb98e3074f22b50d2

SHA256
fd710ac0bdaed06293b8671ee935c88f4a3aca2200482c50abcce5aa9c06c3ff

SHA512
8ac8a313bc491f35d7310b860c4f9c1e405b3bec85799684f8d7b39f4fdd51813c148c46ffe8a4cf64d2321977d9d500b2e973c6afc8c05a62e4a25f6c4dd7f5

Download Submit
memory/1772-144-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/1772-147-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2248-145-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2248-142-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2248-135-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2324-160-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/2324-157-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3108-132-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3108-133-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3108-148-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3712-158-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/3712-161-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4484-149-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4484-143-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download
memory/4484-146-0x00000000754A0000-0x0000000075A51000-memory.dmp

Filesize
5.7MB

Download