imminent | c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95

General

Target

c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95.exe
Size

352KB
MD5

6120e5e74937174530953b8b465e262e
SHA1

c4eed2041c3fd371b945b46bf2c1a8c008139f1b
SHA256

c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95
SHA512

0417beb2dea331199a57a01b4c8169c52bc6e4475975fd726664395e02b9ac012e54d19ec991fa72745116d636ebc2c7ebcba07f0da6129f24cf2207b509ca3e
SSDEEP

6144:gRaO5ZNlcj2iMDMmeY0ixpeQRokqmnQw1ToomRPX/sSMPXOkNp0QHkBAYn8V:5wcaDMmeY7xpbtnh16RPXElPXOkNaqMn

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
1040	winlogon.exe
1128	csrss.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\LeagueofLegend\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\LeagueofLegend\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\LeagueofLegend\\SubFolder\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\LeagueofLegend\\SubFolder\\winlogon.exe"	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 1040	1168	winlogon.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe
1128	csrss.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1184	c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	winlogon.exe
Token: SeDebugPrivilege	1128	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1040	winlogon.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1168	1184	c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95.exe	27
PID 1184 wrote to memory of 1168	1184	c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95.exe	27
PID 1184 wrote to memory of 1168	1184	c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95.exe	27
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1040	1168	winlogon.exe	28
PID 1168 wrote to memory of 1128	1168	winlogon.exe	29
PID 1168 wrote to memory of 1128	1168	winlogon.exe	29
PID 1168 wrote to memory of 1128	1168	winlogon.exe	29

C:\Users\Admin\AppData\Local\Temp\c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95.exe
"C:\Users\Admin\AppData\Local\Temp\c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\winlogon.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1040
- - C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\csrss.exe
    "C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\csrss.exe" -reg C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\winlogon.exe -proc 1040 C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\csrss.exe

Filesize
352KB

MD5
6120e5e74937174530953b8b465e262e

SHA1
c4eed2041c3fd371b945b46bf2c1a8c008139f1b

SHA256
c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95

SHA512
0417beb2dea331199a57a01b4c8169c52bc6e4475975fd726664395e02b9ac012e54d19ec991fa72745116d636ebc2c7ebcba07f0da6129f24cf2207b509ca3e

Download Submit
C:\Users\Admin\AppData\Roaming\LeagueofLegend\SubFolder\csrss.exe

Filesize
352KB

MD5
6120e5e74937174530953b8b465e262e

SHA1
c4eed2041c3fd371b945b46bf2c1a8c008139f1b

SHA256
c55f22213dda901e2b97ccce6f5e46abd008c7a07eb7fe9ca8ce3c5bcc1dee95

SHA512
0417beb2dea331199a57a01b4c8169c52bc6e4475975fd726664395e02b9ac012e54d19ec991fa72745116d636ebc2c7ebcba07f0da6129f24cf2207b509ca3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe

Filesize
4KB

MD5
88579adcac3be9a8d1c1494a8830c179

SHA1
fcd174761aa1f175998a5c138cb9daa6683b9e08

SHA256
6e5e3e087015dcc1cc2ec46d93b0132941399728df6bf53956b426c1ed7936d9

SHA512
175a5b1cac8abdde709fc0afb88bacc23f06fd1c3a5ac94de9c41ee12ffc25647c355492e037f46b7bbf6ae6ba8f22c2020fe21609a48435afc242bad9279344

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe

Filesize
4KB

MD5
88579adcac3be9a8d1c1494a8830c179

SHA1
fcd174761aa1f175998a5c138cb9daa6683b9e08

SHA256
6e5e3e087015dcc1cc2ec46d93b0132941399728df6bf53956b426c1ed7936d9

SHA512
175a5b1cac8abdde709fc0afb88bacc23f06fd1c3a5ac94de9c41ee12ffc25647c355492e037f46b7bbf6ae6ba8f22c2020fe21609a48435afc242bad9279344

Download Submit
memory/1040-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1040-73-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1040-59-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1040-64-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1040-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1040-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1040-82-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1040-71-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1040-81-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/1040-75-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1128-79-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1128-80-0x000007FEF2BB0000-0x000007FEF3C46000-memory.dmp

Filesize
16.6MB

Download
memory/1168-57-0x000007FEF4B30000-0x000007FEF5553000-memory.dmp

Filesize
10.1MB

Download
memory/1168-58-0x000007FEF2700000-0x000007FEF3796000-memory.dmp

Filesize
16.6MB

Download
memory/1184-55-0x000007FEF2BB0000-0x000007FEF3C46000-memory.dmp

Filesize
16.6MB

Download
memory/1184-54-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing