imminent | 9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8

Analysis

max time kernel
136s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8.exe
Size

544KB
MD5

50c2311c1a23abffa92400be91636d3d
SHA1

307eb527c1959715200b5feddb974061b53d95d1
SHA256

9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8
SHA512

b34c5cb18b5aeefef8aa8ef78d8f1e7405e54d0b360c245eccf238686df49146b40e3ea6d85315aadea0c6736ec95732d988d3bc4166c0d9cf2767b76cfc0732
SSDEEP

12288:JR3NywK49G8JoeBFg5q1hw9Eogo++wlj7rjYFwOKf/wTdN:JR3NywK49hJLW5qU9Ey+rv/OKf/+

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\Skypeupdate\\DIFqvLRXowaL.exe\",explorer.exe"	9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1720	9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8.exe

C:\Users\Admin\AppData\Local\Temp\9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8.exe
"C:\Users\Admin\AppData\Local\Temp\9ad899013d0ef0e645f6e542ac132a9cc4f81882555e52dc6f8baa8f6003a0f8.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1720-55-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-56-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download