imminent | 12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
Size

1.1MB
MD5

ce5ea84956f95f78f44ab3769bb03ea6
SHA1

18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb
SHA256

12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d
SHA512

925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b
SSDEEP

24576:a6oIKw7gBgmsLOAEtmxEa4FdzC44laOIV:a6oIKwsL0os6KlG

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
1508	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
556	csrss.exe

Deletes itself 1 IoCs

pid	Process
1508	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Loads dropped DLL 3 IoCs

pid	Process
2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
848	schtasks.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\csrss.exe\:ZONE.identifier:$DATA	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe
556	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1508	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
Token: SeDebugPrivilege	556	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1508	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1388	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	28
PID 2020 wrote to memory of 1388	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	28
PID 2020 wrote to memory of 1388	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	28
PID 2020 wrote to memory of 1388	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	28
PID 2020 wrote to memory of 848	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	30
PID 2020 wrote to memory of 848	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	30
PID 2020 wrote to memory of 848	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	30
PID 2020 wrote to memory of 848	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	30
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 1508	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	32
PID 2020 wrote to memory of 556	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	33
PID 2020 wrote to memory of 556	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	33
PID 2020 wrote to memory of 556	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	33
PID 2020 wrote to memory of 556	2020	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	33

C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
"C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe":ZONE.identifier & exit
  2⤵
  - NTFS ADS
  PID:1388
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\299780685.xml"
  2⤵
  - Creates scheduled task(s)
  PID:848
- C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
  "C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -proc 1508 C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\299780685.xml

Filesize
1KB

MD5
8a137d926353a4bcc5ff4d157f89072f

SHA1
3f5258db637dae3df93f94a7aaa3110313742cd6

SHA256
13b2c4f9c1eacba460e7de03fd171c9f97c6d431a3afdedb8dee57c26262fdb7

SHA512
3ec6449c5c105971b0b6edb2f1e734e1529c8f2ed85d70f3472a0fdc4687dcc091a5884500df824a9e23bdaca7b27915f0fe043b8f1b5446720151886f8061e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
memory/556-88-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/556-86-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-69-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1508-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1508-74-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1508-76-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1508-63-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1508-85-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1508-87-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-65-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2020-59-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-84-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-55-0x0000000074690000-0x0000000074C3B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download