imminent | d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe
Size

1.0MB
MD5

9a68a6df1c835f8c37a8099af3641609
SHA1

c0a06fd9f3b01b64d9062ad0153b479b3e355f9a
SHA256

d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a
SHA512

1f1148e01ded112724ab2cfd19467190788849863caa5b48a962395bc6476e75416f3291b462d7338170fa121960a2e7568117844443b5779d87c926bf65d77b
SSDEEP

24576:Nt24Q2YvaKR9uVbK7YmxPSKocXFreTloXqWwcmSpQAwFvOx7Ei:p7Yv5aSYKZOmcSR267p

Score

10^/10

imminent evasion persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IliJIkfCXZJ.com

Executes dropped EXE 1 IoCs

pid	Process
428	IliJIkfCXZJ.com

Loads dropped DLL 4 IoCs

pid	Process
1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe
1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe
1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe
1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mvc973976p99 = "C:\\Users\\Admin\\mvc973976p99\\17333.vbs"	IliJIkfCXZJ.com
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	IliJIkfCXZJ.com

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IliJIkfCXZJ.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 428 set thread context of 580	428	IliJIkfCXZJ.com	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com
428	IliJIkfCXZJ.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	580	RegSvcs.exe
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com
Token: SeDebugPrivilege	428	IliJIkfCXZJ.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1808	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
580	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 428	1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe	28
PID 1032 wrote to memory of 428	1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe	28
PID 1032 wrote to memory of 428	1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe	28
PID 1032 wrote to memory of 428	1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe	28
PID 1032 wrote to memory of 428	1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe	28
PID 1032 wrote to memory of 428	1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe	28
PID 1032 wrote to memory of 428	1032	d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe	28
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31
PID 428 wrote to memory of 580	428	IliJIkfCXZJ.com	31

C:\Users\Admin\AppData\Local\Temp\d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe
"C:\Users\Admin\AppData\Local\Temp\d4f7648705a2c55cdd007dcf41a86160443223c16f160ed7c0cb743856107b8a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\mvc973976p99\IliJIkfCXZJ.com
  "C:\Users\Admin\mvc973976p99\IliJIkfCXZJ.com" TJgFQHi.UNF
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\MVC973~1\BZKQYS~1.XTV

Filesize
268KB

MD5
68dd91e201d7d6fd5fc37cfc93bb5036

SHA1
a36c5f972fd05bd5c9a10fc5028dc9709f9f1147

SHA256
cdca46ee294da49918ac092be804540fff171f9dc12a671588a9461d868fc7c4

SHA512
3a59a80929d95aa9d2ca5fa609f82c43e640da7a7b6b54ed1f91ce2332ca9ab861128f73323cfb188a8716ece6c60233b3aba31af29885d16c2f22740cd424e7

Download Submit
C:\Users\Admin\MVC973~1\bydoPsfxl.FGU

Filesize
201B

MD5
5581292b58ee75bb100ea9e7b9d23d58

SHA1
323b891f7cd89cb39cde6b837b604d6dcf3a2d89

SHA256
0e93d8e26af39d5f2c6570a4c8dc5d06c31504c3acfbd06cef34274fba254833

SHA512
d94a4a0cb1a4d85fb6bd2819fe1d0b2029f363d338152bdaf828d0327e513c9b16a9c9c7a684288b461a46d299354e7033a20656bb34472e4e451b32c01c9af1

Download Submit
C:\Users\Admin\mvc973976p99\2.jpg

Filesize
46KB

MD5
eabffdd0ac0696a47ee087e7e572c341

SHA1
f323321dda4ff0d6688784659ea77b3eec96643e

SHA256
1accc46a8a20df3c06b6508371e926492ca5a33dd873cfaef4ff8ebe96ac04e6

SHA512
634cfafb8a7ddae214c6413213c287d06bc643a9aad03998801bb5b3dbc79f598fbb449b3f990e5d40cb2910899934642bd21565e40973e3b9943cf2022591f7

Download Submit
C:\Users\Admin\mvc973976p99\IliJIkfCXZJ.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
C:\Users\Admin\mvc973976p99\TJgFQHi.UNF

Filesize
28.5MB

MD5
9a94fe5ba128e6125f91d34669e05257

SHA1
3ebfbd4b7cc08a8a131166d9f7138f97d9b7f1e9

SHA256
262bd66f3ad856dccfa728ce810756881748902a0d39046b4ebd18e0f55ac756

SHA512
8b0783dee8770ca64f3fc877269b6d7f9e1f7a933d97c6106125f20f76308908376439f400928046c7d9bd2362b4e914088f7bc3bffd7e7a19ec3b56c1536ad1

Download Submit
\Users\Admin\mvc973976p99\IliJIkfCXZJ.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\mvc973976p99\IliJIkfCXZJ.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\mvc973976p99\IliJIkfCXZJ.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
\Users\Admin\mvc973976p99\IliJIkfCXZJ.com

Filesize
912KB

MD5
6a93a4071cc7c22628af40a4d872f49b

SHA1
ba916e686aa0cae19ab907bdab94924ada92b5f4

SHA256
8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01

SHA512
5a26af395a03397aadab13a53cac320f1d8bbe77046a61ae12e1f72f93df7afb360f52ef52f979f7b946a814365a298c3a3a536add6cdd7165896fb82abc4afd

Download Submit
memory/428-59-0x0000000000000000-mapping.dmp

Download
memory/580-67-0x0000000000090000-0x00000000000DA000-memory.dmp

Filesize
296KB

Download
memory/580-69-0x0000000000090000-0x00000000000DA000-memory.dmp

Filesize
296KB

Download
memory/580-70-0x00000000000D468E-mapping.dmp

Download
memory/580-72-0x0000000000090000-0x00000000000DA000-memory.dmp

Filesize
296KB

Download
memory/580-74-0x0000000000090000-0x00000000000DA000-memory.dmp

Filesize
296KB

Download
memory/580-76-0x0000000073A10000-0x0000000073FBB000-memory.dmp

Filesize
5.7MB

Download
memory/580-77-0x0000000000796000-0x00000000007A7000-memory.dmp

Filesize
68KB

Download
memory/580-78-0x0000000073A10000-0x0000000073FBB000-memory.dmp

Filesize
5.7MB

Download
memory/580-79-0x0000000000796000-0x00000000007A7000-memory.dmp

Filesize
68KB

Download
memory/1032-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download