imminent | 92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce

Analysis

max time kernel
148s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce.exe
Size

321KB
MD5

b1248d3447d7c5317c408d74007d480a
SHA1

6f7f87624675a11b7a8d3aa8b7002488d98981e2
SHA256

92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce
SHA512

d7fbdb9601e6d2a4d3679c392f2efd3fa16c6c607262fd886e245e72a9c2df1b93a38ae55480524f4e56f004e69b37007c15904833e176dc2f8f7d2098a03469
SSDEEP

6144:abava4iG816qo0UYrVRsVLxgAsiWChAsjvdBAnctlfSOn:abIiB+5WRsVLxXECtlsIfSOn

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowlogin = "C:\\Users\\Admin\\AppData\\Roaming\\windowslogin\\winlogon.exe"	92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2040	92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2040	92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce.exe

C:\Users\Admin\AppData\Local\Temp\92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce.exe
"C:\Users\Admin\AppData\Local\Temp\92bcbcde94378cd17973b2b27cae6a5d22215b85d0c463983adad6963e01a4ce.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-56-0x0000000074610000-0x0000000074BBB000-memory.dmp

Filesize
5.7MB

Download