imminent | 698955ab6d32e0593a3fe7fa85e89dd9d050185b4cd4ca764c623585f1006220

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
Size

1.3MB
MD5

0fa5140ac2d0b3ed9c0f8137dd10b0b9
SHA1

f17db86c3147896823fe050600be977bb3b2d5b3
SHA256

698955ab6d32e0593a3fe7fa85e89dd9d050185b4cd4ca764c623585f1006220
SHA512

e942f7e21e92ac889e9fea842fa10a9266e452c3362afe1a331fe5fed4e167ca70458c91a9783a5b2cbc02303679e477f5d31319afba9a20afa2b8527217f575
SSDEEP

6144:LZh/bYkcsfM7mH6IUCuKYNqgW935aShOR5TyVFTj48nOogUwzJj2rqorrgHFV:bbcgMg6dKYNqlnlh0KfdgUwtu

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 2 IoCs

pid	Process
2688	File.exe
2300	svhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
324	timeout.exe
3064	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1356	tasklist.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Sony\start.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	svhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
Token: SeDebugPrivilege	2300	svhost.exe
Token: 33	2300	svhost.exe
Token: SeIncBasePriorityPrivilege	2300	svhost.exe
Token: SeDebugPrivilege	1356	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2300	svhost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2688	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	28
PID 1848 wrote to memory of 2688	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	28
PID 1848 wrote to memory of 2688	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	28
PID 1848 wrote to memory of 2688	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	28
PID 1848 wrote to memory of 2840	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	29
PID 1848 wrote to memory of 2840	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	29
PID 1848 wrote to memory of 2840	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	29
PID 1848 wrote to memory of 2840	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	29
PID 2840 wrote to memory of 2764	2840	cmd.exe	32
PID 2840 wrote to memory of 2764	2840	cmd.exe	32
PID 2840 wrote to memory of 2764	2840	cmd.exe	32
PID 2840 wrote to memory of 2764	2840	cmd.exe	32
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 2300	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	33
PID 1848 wrote to memory of 616	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	34
PID 1848 wrote to memory of 616	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	34
PID 1848 wrote to memory of 616	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	34
PID 1848 wrote to memory of 616	1848	0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe	34
PID 616 wrote to memory of 324	616	cmd.exe	36
PID 616 wrote to memory of 324	616	cmd.exe	36
PID 616 wrote to memory of 324	616	cmd.exe	36
PID 616 wrote to memory of 324	616	cmd.exe	36
PID 616 wrote to memory of 1356	616	cmd.exe	43
PID 616 wrote to memory of 1356	616	cmd.exe	43
PID 616 wrote to memory of 1356	616	cmd.exe	43
PID 616 wrote to memory of 1356	616	cmd.exe	43
PID 616 wrote to memory of 1516	616	cmd.exe	44
PID 616 wrote to memory of 1516	616	cmd.exe	44
PID 616 wrote to memory of 1516	616	cmd.exe	44
PID 616 wrote to memory of 1516	616	cmd.exe	44
PID 616 wrote to memory of 3064	616	cmd.exe	46
PID 616 wrote to memory of 3064	616	cmd.exe	46
PID 616 wrote to memory of 3064	616	cmd.exe	46
PID 616 wrote to memory of 3064	616	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe
"C:\Users\Admin\AppData\Local\Temp\0fa5140ac2d0b3ed9c0f8137dd10b0b9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Sony\start.exe.lnk" /f
    3⤵
    PID:2764
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Sony\start.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 120
    3⤵
    - Delays execution with timeout.exe
    PID:324
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /nh /fi "imagename eq svhost.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\SysWOW64\find.exe
    find /i "svhost.exe"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 120
    3⤵
    - Delays execution with timeout.exe
    PID:3064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sony\start.exe

Filesize
1.3MB

MD5
0fa5140ac2d0b3ed9c0f8137dd10b0b9

SHA1
f17db86c3147896823fe050600be977bb3b2d5b3

SHA256
698955ab6d32e0593a3fe7fa85e89dd9d050185b4cd4ca764c623585f1006220

SHA512
e942f7e21e92ac889e9fea842fa10a9266e452c3362afe1a331fe5fed4e167ca70458c91a9783a5b2cbc02303679e477f5d31319afba9a20afa2b8527217f575

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sony\start.exe.bat

Filesize
202B

MD5
2a5743568465d83307cc64dec6c1a803

SHA1
dc4b4cac4a3a17bcc84a7e70ddf5ab4f538f2da7

SHA256
181fe174d634d8d53b81e3214b79c4edfb28c4d71efcb0e259b94bba8feb4425

SHA512
e8905a94533c844e9d6e9e2483685cf0ac08296dca46c5a1fd974d0bbfe20a28a3561d05d3f4d2575583b6465bc90ff933456847950f3a291b4f721597355862

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
5KB

MD5
682da3155d77cf83f657e030785a4b96

SHA1
80312a2e338ba03aba581252417e2bdb2efcf8a7

SHA256
1bd6fc01a265f4983b7c8cb277518ff5d2ee01de392b3c65c186f4c11d77b30d

SHA512
a7b6c29e2a99e2073d8a2b22790cb4b01fa252c94fd952786fed54e7236253f81ebbfd532e9db77993abee4f67590809961675db542c02b0608d7240331ef447

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
memory/1848-0-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1848-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1848-2-0x0000000000790000-0x00000000007D0000-memory.dmp

Filesize
256KB

Download
memory/1848-55-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2300-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2300-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-59-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Filesize
256KB

Download
memory/2300-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-31-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-39-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2300-58-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Filesize
256KB

Download
memory/2300-40-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Filesize
256KB

Download
memory/2300-46-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2300-50-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Filesize
256KB

Download
memory/2300-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2300-57-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-56-0x0000000071890000-0x0000000071F7E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-20-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/2688-23-0x0000000071890000-0x0000000071F7E000-memory.dmp

Filesize
6.9MB

Download