imminent | 7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3

Analysis

max time kernel
160s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
Size

916KB
MD5

7e01aac13f28affd9c5d1b72d50fbfed
SHA1

2a6d8e4a3c28cec8043c7e4fba89bf01043eb065
SHA256

7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3
SHA512

b5e7307962ba7ff410541e015a7fe0ca30d5b0ee3baa865a926db2c6b238e6d12891de1ac3eddd503f2e298d57edbb436bc8bb41494d145480133e8f30f848a4
SSDEEP

12288:GnDs62f6fw3H5jRtuPhgsK/aex1fVnXHp1lCi6qVNb55aJ6ahco6WZN1vTwG8VsR:GnD2f/yUa8fVn3DlCt6o1R5Y

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Roaming\\Default Folder\\Default File.exe"	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
File opened for modification	C:\Windows\assembly	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4108	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4108	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80
PID 1680 wrote to memory of 4108	1680	7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe	80

C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
"C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe
  "C:\Users\Admin\AppData\Local\Temp\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe"
  2⤵
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7a13683b7acf78137ac41709023de2217214e770c39266789837a65e0324dec3.exe.log

Filesize
319B

MD5
a4da81a3544d9cd85f257967c0a431fe

SHA1
ba6f59ae5c6a2674a1fda758b5ded92f76d5edb3

SHA256
ad372efe5e610b9c2a331ac8f17f83542ef78b92c875c206d76c84e158fb271e

SHA512
12348d4cb4b6534a43f122d18fc7276c524c5b7e8f242f446eefb4d2ffea8018aed53a854cb840b2f30669caf74d14daff4276c6676a15221c58c84b210d393f

Download Submit
memory/1680-132-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/1680-136-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4108-134-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4108-137-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4108-138-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download