imminent | 12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
Size

1.1MB
MD5

ce5ea84956f95f78f44ab3769bb03ea6
SHA1

18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb
SHA256

12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d
SHA512

925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b
SSDEEP

24576:a6oIKw7gBgmsLOAEtmxEa4FdzC44laOIV:a6oIKwsL0os6KlG

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
5028	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
1696	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
File created	C:\Windows\assembly\Desktop.ini	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4336	schtasks.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\csrss.exe\:ZONE.identifier:$DATA	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe
1696	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5028	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
Token: SeDebugPrivilege	1696	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5028	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2316	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	79
PID 2416 wrote to memory of 2316	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	79
PID 2416 wrote to memory of 2316	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	79
PID 2416 wrote to memory of 4336	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	81
PID 2416 wrote to memory of 4336	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	81
PID 2416 wrote to memory of 4336	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	81
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 5028	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	83
PID 2416 wrote to memory of 1696	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	84
PID 2416 wrote to memory of 1696	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	84
PID 2416 wrote to memory of 1696	2416	12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe	84

C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
"C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe":ZONE.identifier & exit
  2⤵
  - NTFS ADS
  PID:2316
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\1721227615.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
  "C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -keyhide -proc 5028 C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1721227615.xml

Filesize
1KB

MD5
09504a0b1e340d1d0d9ac760ca0a9982

SHA1
112c9c1465007cff5f686ac5e0a8c7e5f6005eec

SHA256
f6d7b0197f6a100b60cc879e1539fd340aa9022592a07e1176890ff84eddd84c

SHA512
dff3f0ebbaeb0cfe35e41d141810dcc6c420857993f9c63158076cec4d0361c622269b79054773554b3b347e89c64beefbde72db05d0ab5c35d17a4a75ad38eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1.1MB

MD5
ce5ea84956f95f78f44ab3769bb03ea6

SHA1
18d6bdd8d0ee9beb9037db6aa2c29d677bbf66fb

SHA256
12e42a80fe509e6b946140c8d5bf90889856d97628d09b1e013e78eb1a973d7d

SHA512
925463477166e3275149b68e6deabd62721439e3262d1cf318bebc0b279f300c26f262016edbf1ced85c9ff7b74f5be5682f08ac0481f65e07dd4ac5aea2277b

Download Submit
memory/1696-151-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1696-149-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2416-136-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2416-147-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2416-132-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/5028-140-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5028-139-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5028-138-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5028-148-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/5028-150-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download