imminent | f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e

General

Target

f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe
Size

271KB
MD5

1d7157ce34d0baa57e684f95ead52605
SHA1

0484af353cf88f3eaae5c77eccdcfec869842f9c
SHA256

f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e
SHA512

015f2231bed0cbfb8352dbda4ff3a1530ec93fccc77a8e562a09c70692c600c296d31b6bb68f7aebcef748e8a1db9cef1580b8366e35f90cda36ac11f1b970cc
SSDEEP

6144:20SEiYbEZSPNYslw+67yVWenNFNRCbsMtun9zBPLctlU:XSEiOAoNy+IyVWQ3NelaBzIU

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
872	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe
1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1924	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
872	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe
Token: SeDebugPrivilege	872	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe
Token: SeDebugPrivilege	872	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
872	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 872	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	28
PID 1500 wrote to memory of 872	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	28
PID 1500 wrote to memory of 872	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	28
PID 1500 wrote to memory of 872	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	28
PID 1500 wrote to memory of 1752	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	29
PID 1500 wrote to memory of 1752	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	29
PID 1500 wrote to memory of 1752	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	29
PID 1500 wrote to memory of 1752	1500	f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe	29
PID 1752 wrote to memory of 1924	1752	cmd.exe	31
PID 1752 wrote to memory of 1924	1752	cmd.exe	31
PID 1752 wrote to memory of 1924	1752	cmd.exe	31
PID 1752 wrote to memory of 1924	1752	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe
"C:\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe
  "C:\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a9c00713282222da853c3de2581fd52

SHA1
87aacb5667ab70b8372bae074ae41f039b44cfc6

SHA256
de57112a8c45889ab803d353d043170229c08e2895410459e53d70dc4160adb9

SHA512
484726f64fd44ae210472dfbadb175c7faae0bc9913de56e30396f1d326ef524210a5dacb70863df0d85ba21882ae195bf06225a70b6f8d79d9c947f3cbdff34

Download Submit
C:\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Filesize
271KB

MD5
1d7157ce34d0baa57e684f95ead52605

SHA1
0484af353cf88f3eaae5c77eccdcfec869842f9c

SHA256
f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e

SHA512
015f2231bed0cbfb8352dbda4ff3a1530ec93fccc77a8e562a09c70692c600c296d31b6bb68f7aebcef748e8a1db9cef1580b8366e35f90cda36ac11f1b970cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Filesize
271KB

MD5
1d7157ce34d0baa57e684f95ead52605

SHA1
0484af353cf88f3eaae5c77eccdcfec869842f9c

SHA256
f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e

SHA512
015f2231bed0cbfb8352dbda4ff3a1530ec93fccc77a8e562a09c70692c600c296d31b6bb68f7aebcef748e8a1db9cef1580b8366e35f90cda36ac11f1b970cc

Download Submit
\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Filesize
271KB

MD5
1d7157ce34d0baa57e684f95ead52605

SHA1
0484af353cf88f3eaae5c77eccdcfec869842f9c

SHA256
f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e

SHA512
015f2231bed0cbfb8352dbda4ff3a1530ec93fccc77a8e562a09c70692c600c296d31b6bb68f7aebcef748e8a1db9cef1580b8366e35f90cda36ac11f1b970cc

Download Submit
\Users\Admin\AppData\Local\Temp\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e\f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e.exe

Filesize
271KB

MD5
1d7157ce34d0baa57e684f95ead52605

SHA1
0484af353cf88f3eaae5c77eccdcfec869842f9c

SHA256
f452261adf2c73deddc37ef1013a5bbda5db4cd7b22e86b669ca7acd54a2d88e

SHA512
015f2231bed0cbfb8352dbda4ff3a1530ec93fccc77a8e562a09c70692c600c296d31b6bb68f7aebcef748e8a1db9cef1580b8366e35f90cda36ac11f1b970cc

Download Submit
memory/872-67-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/872-68-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1500-54-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/1500-56-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1500-55-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1500-65-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing