imminent | 264b34d8521655d554f9f7e34b130d68a3d13f3d8230b40342c9d84fb95bef48

Analysis

max time kernel
186s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrypteX Advanced/CrypteX Advanced/CrypteX Advanced.exe
Size

3.8MB
MD5

a191e14057dc91c8922827b591ea594b
SHA1

41e07a4170ac0b4f0d33880ff83ec22d9dfdf70a
SHA256

1bdc804b2c9015f8480e43f918580a089b03aef0917607d24eec97aa8eadd3c5
SHA512

243147396331a874a4473201f80f6a1b8a12dadb8e6f01e774d41a9ed50111dbf1c9faaabdf0f3c653987a89a0b51fc0d413618a1e12a0d042b0c330bfc5a143
SSDEEP

49152:TtUECyX4kYTJPKgdWsBQrTq0+DeoMyx1fDGCKRIQ:TCECcyb7bKR/

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	CrypteX Advanced.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	S-1-.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1460	0.exe
4772	S-1-.exe
2076	0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig.exe = "C:\\Users\\Admin\\AppData\\Roaming\\%AppData%\\Roaming\\Adobe\\Flash Player\\AssetCache\\msconfig.exe"	regasm.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	regasm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	regasm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1460	0.exe
2076	0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3844 set thread context of 2500	3844	CrypteX Advanced.exe	93
PID 4772 set thread context of 4684	4772	S-1-.exe	104

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	regasm.exe
File created	C:\Windows\assembly\Desktop.ini	regasm.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	regasm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	S-1-.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	CrypteX Advanced.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
3844	CrypteX Advanced.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe
4772	S-1-.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	regasm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	regasm.exe
Token: 33	2500	regasm.exe
Token: SeIncBasePriorityPrivilege	2500	regasm.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1460	0.exe
2500	regasm.exe
2076	0.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4420	3844	CrypteX Advanced.exe	90
PID 3844 wrote to memory of 4420	3844	CrypteX Advanced.exe	90
PID 3844 wrote to memory of 4420	3844	CrypteX Advanced.exe	90
PID 3844 wrote to memory of 1460	3844	CrypteX Advanced.exe	92
PID 3844 wrote to memory of 1460	3844	CrypteX Advanced.exe	92
PID 3844 wrote to memory of 1460	3844	CrypteX Advanced.exe	92
PID 3844 wrote to memory of 2500	3844	CrypteX Advanced.exe	93
PID 3844 wrote to memory of 2500	3844	CrypteX Advanced.exe	93
PID 3844 wrote to memory of 2500	3844	CrypteX Advanced.exe	93
PID 3844 wrote to memory of 2500	3844	CrypteX Advanced.exe	93
PID 3844 wrote to memory of 2500	3844	CrypteX Advanced.exe	93
PID 3844 wrote to memory of 4772	3844	CrypteX Advanced.exe	101
PID 3844 wrote to memory of 4772	3844	CrypteX Advanced.exe	101
PID 3844 wrote to memory of 4772	3844	CrypteX Advanced.exe	101
PID 4772 wrote to memory of 4800	4772	S-1-.exe	102
PID 4772 wrote to memory of 4800	4772	S-1-.exe	102
PID 4772 wrote to memory of 4800	4772	S-1-.exe	102
PID 4772 wrote to memory of 2076	4772	S-1-.exe	103
PID 4772 wrote to memory of 2076	4772	S-1-.exe	103
PID 4772 wrote to memory of 2076	4772	S-1-.exe	103
PID 4772 wrote to memory of 4684	4772	S-1-.exe	104
PID 4772 wrote to memory of 4684	4772	S-1-.exe	104
PID 4772 wrote to memory of 4684	4772	S-1-.exe	104
PID 4772 wrote to memory of 4684	4772	S-1-.exe	104
PID 4772 wrote to memory of 4684	4772	S-1-.exe	104

C:\Users\Admin\AppData\Local\Temp\CrypteX Advanced\CrypteX Advanced\CrypteX Advanced.exe
"C:\Users\Admin\AppData\Local\Temp\CrypteX Advanced\CrypteX Advanced\CrypteX Advanced.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
  2⤵
  - Drops startup file
  PID:4420
- C:\Users\Admin\AppData\Local\Temp\0.exe
  C:\Users\Admin\AppData\Local\Temp\0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
  2⤵
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\S-1-.exe
  C:\Users\Admin\AppData\Local\Temp\S-1-.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
    3⤵
    - Drops startup file
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\0.exe
    C:\Users\Admin\AppData\Local\Temp\0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
    3⤵
    PID:4684

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\963-9674445722-12-5-1-S\S-1-5-21-2275444769-369.exe

Filesize
3.8MB

MD5
a191e14057dc91c8922827b591ea594b

SHA1
41e07a4170ac0b4f0d33880ff83ec22d9dfdf70a

SHA256
1bdc804b2c9015f8480e43f918580a089b03aef0917607d24eec97aa8eadd3c5

SHA512
243147396331a874a4473201f80f6a1b8a12dadb8e6f01e774d41a9ed50111dbf1c9faaabdf0f3c653987a89a0b51fc0d413618a1e12a0d042b0c330bfc5a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
2.0MB

MD5
d466d130d5913adff4c069b9f2ad96a9

SHA1
b87161dc34781720f1db51bd72f1b0d49d73c426

SHA256
443c5ab7c95bbd78df4cce9a90e93a22b92f4bc1fb52de25efce12ad1d526740

SHA512
86dda6b990d69af021b38f2d2303a76e78e0d1a242cbcc56f7d931d47704f929791bb3f2a596bce45686036355c049d7e99144faf57cef8e4f2a3410bf9c92b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
2.0MB

MD5
d466d130d5913adff4c069b9f2ad96a9

SHA1
b87161dc34781720f1db51bd72f1b0d49d73c426

SHA256
443c5ab7c95bbd78df4cce9a90e93a22b92f4bc1fb52de25efce12ad1d526740

SHA512
86dda6b990d69af021b38f2d2303a76e78e0d1a242cbcc56f7d931d47704f929791bb3f2a596bce45686036355c049d7e99144faf57cef8e4f2a3410bf9c92b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
2.0MB

MD5
d466d130d5913adff4c069b9f2ad96a9

SHA1
b87161dc34781720f1db51bd72f1b0d49d73c426

SHA256
443c5ab7c95bbd78df4cce9a90e93a22b92f4bc1fb52de25efce12ad1d526740

SHA512
86dda6b990d69af021b38f2d2303a76e78e0d1a242cbcc56f7d931d47704f929791bb3f2a596bce45686036355c049d7e99144faf57cef8e4f2a3410bf9c92b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\S-1-.exe

Filesize
3.8MB

MD5
a191e14057dc91c8922827b591ea594b

SHA1
41e07a4170ac0b4f0d33880ff83ec22d9dfdf70a

SHA256
1bdc804b2c9015f8480e43f918580a089b03aef0917607d24eec97aa8eadd3c5

SHA512
243147396331a874a4473201f80f6a1b8a12dadb8e6f01e774d41a9ed50111dbf1c9faaabdf0f3c653987a89a0b51fc0d413618a1e12a0d042b0c330bfc5a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\S-1-.exe

Filesize
3.8MB

MD5
a191e14057dc91c8922827b591ea594b

SHA1
41e07a4170ac0b4f0d33880ff83ec22d9dfdf70a

SHA256
1bdc804b2c9015f8480e43f918580a089b03aef0917607d24eec97aa8eadd3c5

SHA512
243147396331a874a4473201f80f6a1b8a12dadb8e6f01e774d41a9ed50111dbf1c9faaabdf0f3c653987a89a0b51fc0d413618a1e12a0d042b0c330bfc5a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\S-1-.exe

Filesize
3.8MB

MD5
a191e14057dc91c8922827b591ea594b

SHA1
41e07a4170ac0b4f0d33880ff83ec22d9dfdf70a

SHA256
1bdc804b2c9015f8480e43f918580a089b03aef0917607d24eec97aa8eadd3c5

SHA512
243147396331a874a4473201f80f6a1b8a12dadb8e6f01e774d41a9ed50111dbf1c9faaabdf0f3c653987a89a0b51fc0d413618a1e12a0d042b0c330bfc5a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk

Filesize
1KB

MD5
43d9772420c87dbb21d3254e35cd2e58

SHA1
905ed7b215f0c4dd138b658a3f76f7079d10e55f

SHA256
a6da8adfe099eb7cd37b5a55ecd17af9a22b902d5edda328bdee00134307047d

SHA512
88ef4cfa1c45ce7a1ad4a5ebea8975efebc491f1eeefa264877437a967ca7d463083eb532942b8ed6f9c4045fa0aef645c97c287de82c3aacc35791d03908d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk

Filesize
1KB

MD5
7ce97e898c851409c91ad86f038c1356

SHA1
17e06992c2d1143770f1c7a06611ad0ad1b7af60

SHA256
0bf9fc59272d4a2410a6c216a08f15b2bb722b109062af74ccd8d320f9111223

SHA512
e751ea1d3069c02b9d2cef3e4a320becd8f0503235245ee6010673b517301e9329fd3aabafa43b213c1d27d48413d091e680c6019226d2e02415dea032777285

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.vbs

Filesize
295B

MD5
b669febf83c149e52e8738222baa393f

SHA1
06b7f8ab3af7bc9d9ea981c80d5c719514048450

SHA256
3411c6eda97d24e172f53e50295bb39079a2993aab322c71ea41cc3a55084f4b

SHA512
0d0abfeeacd1983073500435385e0a685b1d7e28195b1de0cd1a9ec8a48e9a31f9afdca3e0c71e2fd37ede39e5da12ade1f664a582fca1c02ace121479ea2dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.vbs

Filesize
295B

MD5
b669febf83c149e52e8738222baa393f

SHA1
06b7f8ab3af7bc9d9ea981c80d5c719514048450

SHA256
3411c6eda97d24e172f53e50295bb39079a2993aab322c71ea41cc3a55084f4b

SHA512
0d0abfeeacd1983073500435385e0a685b1d7e28195b1de0cd1a9ec8a48e9a31f9afdca3e0c71e2fd37ede39e5da12ade1f664a582fca1c02ace121479ea2dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.vbs

Filesize
295B

MD5
b669febf83c149e52e8738222baa393f

SHA1
06b7f8ab3af7bc9d9ea981c80d5c719514048450

SHA256
3411c6eda97d24e172f53e50295bb39079a2993aab322c71ea41cc3a55084f4b

SHA512
0d0abfeeacd1983073500435385e0a685b1d7e28195b1de0cd1a9ec8a48e9a31f9afdca3e0c71e2fd37ede39e5da12ade1f664a582fca1c02ace121479ea2dc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk

Filesize
1KB

MD5
7ce97e898c851409c91ad86f038c1356

SHA1
17e06992c2d1143770f1c7a06611ad0ad1b7af60

SHA256
0bf9fc59272d4a2410a6c216a08f15b2bb722b109062af74ccd8d320f9111223

SHA512
e751ea1d3069c02b9d2cef3e4a320becd8f0503235245ee6010673b517301e9329fd3aabafa43b213c1d27d48413d091e680c6019226d2e02415dea032777285

Download Submit
memory/1460-151-0x0000000000B00000-0x0000000001034000-memory.dmp

Filesize
5.2MB

Download
memory/1460-153-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1460-156-0x0000000000B00000-0x0000000001034000-memory.dmp

Filesize
5.2MB

Download
memory/1460-162-0x0000000000B00000-0x0000000001034000-memory.dmp

Filesize
5.2MB

Download
memory/2076-211-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2076-216-0x0000000000730000-0x0000000000C64000-memory.dmp

Filesize
5.2MB

Download
memory/2076-210-0x0000000000730000-0x0000000000C64000-memory.dmp

Filesize
5.2MB

Download
memory/2500-176-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/2500-175-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/2500-165-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/2500-164-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/2500-152-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3844-133-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3844-134-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3844-135-0x00000000024F0000-0x00000000025E5000-memory.dmp

Filesize
980KB

Download
memory/3844-145-0x0000000003DA0000-0x0000000003E95000-memory.dmp

Filesize
980KB

Download
memory/3844-144-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3844-136-0x0000000003DA0000-0x0000000003E95000-memory.dmp

Filesize
980KB

Download
memory/3844-188-0x0000000003DA0000-0x0000000003E95000-memory.dmp

Filesize
980KB

Download
memory/4684-224-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4684-223-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download
memory/4772-190-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4772-204-0x0000000003D00000-0x0000000003DF5000-memory.dmp

Filesize
980KB

Download
memory/4772-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4772-189-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4772-193-0x0000000003D00000-0x0000000003DF5000-memory.dmp

Filesize
980KB

Download
memory/4772-192-0x0000000002460000-0x0000000002555000-memory.dmp

Filesize
980KB

Download