imminent | 1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f

General

Target

1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
Size

935KB
MD5

d62357289be1e500937f593579008f71
SHA1

564517291f9c8bfb58bdc274d2be6588d6cb09b2
SHA256

1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f
SHA512

378ac4a887b3a99f971660e0600539bdd2c259932b4339e9aa5a008d6eb71c6b01f39cef93b108c802437654c26000aed715daa590d9f1718e71a945c7b3e90b
SSDEEP

12288:1QRelylTFh+HSCaAuPSteQ005fXEmj4Wi/yRVSUnz6ojLUrA/c4qVg5RClL:1Qh+yCSS/005vyWCwOm44cjO5RCl

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
1496	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1496	svhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
Token: 33	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
Token: SeIncBasePriorityPrivilege	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
Token: SeDebugPrivilege	1496	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	svhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26
PID 1708 wrote to memory of 1496	1708	1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe	26

C:\Users\Admin\AppData\Local\Temp\1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe
"C:\Users\Admin\AppData\Local\Temp\1135e0a27afc2adb83e04f461941f7c1ebed8154e0adcd56a2bd124f9b5c207f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/1496-58-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1496-60-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1496-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1496-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1496-57-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1496-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1496-68-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1496-71-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-73-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1708-55-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-72-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing