imminent | 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3

General

Target

48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
Size

1.2MB
MD5

33a67ab9f3cd79bb48c8e3db30728986
SHA1

b0154442643a0d8dafd036a501bf5e40245a0841
SHA256

48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3
SHA512

4c0f15131b9a5d05ded58b51fc75e1d0c2070f7b6b859b0fb84d2c5c23d8bcc257e342d8f44734004b4b48ee2be1a50f0218610ba67fdc23af2d89bc6c15fd83
SSDEEP

24576:A8ndVY0XKelcxVs1I5pYLqEeYmoRq1CNRa9XURbHudjrcSdg:A8nzYIOUQW2EeYBRq1Ag9XURbHuhm

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BBBCfg\\file.exe"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2012 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe

pid process

1488 48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe

pid	process
2012	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe

description	pid	process	target process
PID 1488 set thread context of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe

pid	process
1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svhost.exe

pid process

2012 svhost.exe

pid	process
2012	svhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
Token: 33	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
Token: SeIncBasePriorityPrivilege	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
Token: SeDebugPrivilege	2012	svhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2024 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

2012 svhost.exe

pid	process
2024	DllHost.exe

pid	process
2012	svhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 948	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	cmd.exe
PID 1488 wrote to memory of 948	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	cmd.exe
PID 1488 wrote to memory of 948	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	cmd.exe
PID 1488 wrote to memory of 948	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	cmd.exe
PID 948 wrote to memory of 2040	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2040	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2040	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2040	948	cmd.exe	reg.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe
PID 1488 wrote to memory of 2012	1488	48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe
"C:\Users\Admin\AppData\Local\Temp\48e1f8993271d9a1f5b01331ba137daf7e2c00cf84772f1202c77d8d2d9f08e3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BBBCfg\file.exe" /f
3⤵
- Modifies WinLogon for persistence
PID:2040

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.jpg
Filesize
17KB

MD5
4b8e15489fbb3de3d4e2710cc736388c

SHA1
e4b54e411fae0dd7293a8f4f3f9a46509b14ef2f

SHA256
2d1d26bd528025cfe1e13b8ec3c2979222f47b499e8992f687bfd50360ba9f4a

SHA512
4e7222c2e8368793bbd40b136abb33f459b027d77c67f9c37a2dc9ade5914fdfe06a84b76c8fa588a25340f27bc6e823f534f382ea36ad739831b3da33c258c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/948-57-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-76-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2012-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2012-63-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2012-67-0x0000000000445A2E-mapping.dmp

Download
memory/2012-70-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2012-72-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2012-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2012-75-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2012-78-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads