imminent | f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973

Analysis

max time kernel
131s
max time network
178s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Size

613KB
MD5

a482ff02cc9c671882add028df3d6f16
SHA1

acf2184f5689ec3f540f98bc4cdc9341dace0d71
SHA256

f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973
SHA512

1229dca9599660cc4d7194ce1c1e6c082c6b501e4aafbf4bb1acbf0da2163e4640fd21a5b5ffdf1aea99e507567aa0ca5c8fd760050e76bd655900050b6712c7
SSDEEP

12288:7W3lPUgZ/xVjXAIOztFVtx7ShP10VgckaS8:G9Z/bjAI8N8tagczS8

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
1764	tmp.exe
1680	notepad .exe

Loads dropped DLL 3 IoCs

pid	Process
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp.exe	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	notepad .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Token: 33	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Token: SeIncBasePriorityPrivilege	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
Token: SeDebugPrivilege	1680	notepad .exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1680	notepad .exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1612	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	28
PID 1368 wrote to memory of 1612	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	28
PID 1368 wrote to memory of 1612	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	28
PID 1368 wrote to memory of 1612	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	28
PID 1612 wrote to memory of 1520	1612	cmd.exe	30
PID 1612 wrote to memory of 1520	1612	cmd.exe	30
PID 1612 wrote to memory of 1520	1612	cmd.exe	30
PID 1612 wrote to memory of 1520	1612	cmd.exe	30
PID 1368 wrote to memory of 1764	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	31
PID 1368 wrote to memory of 1764	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	31
PID 1368 wrote to memory of 1764	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	31
PID 1368 wrote to memory of 1764	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	31
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1368 wrote to memory of 1680	1368	f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe	32
PID 1520 wrote to memory of 1168	1520	wscript.exe	33
PID 1520 wrote to memory of 1168	1520	wscript.exe	33
PID 1520 wrote to memory of 1168	1520	wscript.exe	33
PID 1520 wrote to memory of 1168	1520	wscript.exe	33
PID 1168 wrote to memory of 840	1168	cmd.exe	35
PID 1168 wrote to memory of 840	1168	cmd.exe	35
PID 1168 wrote to memory of 840	1168	cmd.exe	35
PID 1168 wrote to memory of 840	1168	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe
"C:\Users\Admin\AppData\Local\Temp\f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:840
- C:\Windows\SysWOW64\tmp.exe
  "C:\Windows\system32\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\notepad .exe
  "C:\Users\Admin\AppData\Local\Temp\notepad .exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe

Filesize
613KB

MD5
a482ff02cc9c671882add028df3d6f16

SHA1
acf2184f5689ec3f540f98bc4cdc9341dace0d71

SHA256
f553b4b340bc4e88aefbd43ef3c9078af982ebf5baa16451aad02ad3f706a973

SHA512
1229dca9599660cc4d7194ce1c1e6c082c6b501e4aafbf4bb1acbf0da2163e4640fd21a5b5ffdf1aea99e507567aa0ca5c8fd760050e76bd655900050b6712c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

Filesize
264B

MD5
6ecf2f3e1102f8c431d8986f794b6f39

SHA1
17c59e2db7ffa50a987bd2f7d35e4060bdc3548a

SHA256
02e997ac200eb1d460a7d719616489efc9cd79efa7e602e5e056c99dc8be75d5

SHA512
6f50909b50543079ea3d7d3080e1e9b77da133b83f260a6187a2b6de97607777c2813f3c8ee72d0dd7217083131bfcc7ea0290358228b2574d3e9d76c6c11404

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Windows\SysWOW64\tmp.exe

Filesize
272KB

MD5
17e960204c17955b57a96b61b6abb260

SHA1
9e4a913e83a237c447d096b0b14a7b1d833c6830

SHA256
77ac0191d581cbb96a1f40d873d9f9accbafb919fe0c447f9156448b366ebfdf

SHA512
6c3408b0a4914b01fd1a7779e0a6499248365abc5dde8973adeb5cedc9102eb1b512b9ec0e94ec37820f78aa6f9627adb488e9a91feb53f84037dc9982e973c8

Download Submit
C:\Windows\SysWOW64\tmp.exe

Filesize
272KB

MD5
17e960204c17955b57a96b61b6abb260

SHA1
9e4a913e83a237c447d096b0b14a7b1d833c6830

SHA256
77ac0191d581cbb96a1f40d873d9f9accbafb919fe0c447f9156448b366ebfdf

SHA512
6c3408b0a4914b01fd1a7779e0a6499248365abc5dde8973adeb5cedc9102eb1b512b9ec0e94ec37820f78aa6f9627adb488e9a91feb53f84037dc9982e973c8

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Windows\SysWOW64\tmp.exe

Filesize
272KB

MD5
17e960204c17955b57a96b61b6abb260

SHA1
9e4a913e83a237c447d096b0b14a7b1d833c6830

SHA256
77ac0191d581cbb96a1f40d873d9f9accbafb919fe0c447f9156448b366ebfdf

SHA512
6c3408b0a4914b01fd1a7779e0a6499248365abc5dde8973adeb5cedc9102eb1b512b9ec0e94ec37820f78aa6f9627adb488e9a91feb53f84037dc9982e973c8

Download Submit
\Windows\SysWOW64\tmp.exe

Filesize
272KB

MD5
17e960204c17955b57a96b61b6abb260

SHA1
9e4a913e83a237c447d096b0b14a7b1d833c6830

SHA256
77ac0191d581cbb96a1f40d873d9f9accbafb919fe0c447f9156448b366ebfdf

SHA512
6c3408b0a4914b01fd1a7779e0a6499248365abc5dde8973adeb5cedc9102eb1b512b9ec0e94ec37820f78aa6f9627adb488e9a91feb53f84037dc9982e973c8

Download Submit
memory/1368-89-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-61-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1680-71-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-77-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-79-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-73-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-72-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-69-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-86-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1680-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1680-90-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-85-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-87-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download