imminent | 2be7df19384b4edb63a595c4cd5c75a581ee7aab2fd90e169f3e0eaa5da945e7

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13c2f01a234b7281bc1bcc13f2627ea0.exe
Size

386KB
MD5

13c2f01a234b7281bc1bcc13f2627ea0
SHA1

98eb2e910dfd1a78e995b8f037ad112f0a365a30
SHA256

2be7df19384b4edb63a595c4cd5c75a581ee7aab2fd90e169f3e0eaa5da945e7
SHA512

67736c013334360dee9a98a92b63765d2a51993f9c9c41b0880247ce19dc649bc2871fbebe526fcd6af07d7bff27e7331d1c3c379044a57243c41070c445b1f5
SSDEEP

12288:VNsLPM+ABaXLSdOYVj8slHZJBCsafAwFQ6xkXlz:VNAMCxYRNR

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe

Loads dropped DLL 4 IoCs

pid	Process
2240	13c2f01a234b7281bc1bcc13f2627ea0.exe
2240	13c2f01a234b7281bc1bcc13f2627ea0.exe
2632	taskmgr.exe
2632	taskmgr.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\hacks = "\\ddos\\ddos.exe"	13c2f01a234b7281bc1bcc13f2627ea0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	13c2f01a234b7281bc1bcc13f2627ea0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	13c2f01a234b7281bc1bcc13f2627ea0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	13c2f01a234b7281bc1bcc13f2627ea0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	13c2f01a234b7281bc1bcc13f2627ea0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\hacks = "C:\\Users\\Admin\\AppData\\Roaming\\ddos\\ddos.exe"	13c2f01a234b7281bc1bcc13f2627ea0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2880	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	13c2f01a234b7281bc1bcc13f2627ea0.exe
2240	13c2f01a234b7281bc1bcc13f2627ea0.exe
2240	13c2f01a234b7281bc1bcc13f2627ea0.exe
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe
2632	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe
Token: SeDebugPrivilege	2448	13c2f01a234b7281bc1bcc13f2627ea0.exe
Token: SeDebugPrivilege	2632	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe
2632	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	13c2f01a234b7281bc1bcc13f2627ea0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2448	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	28
PID 2240 wrote to memory of 2448	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	28
PID 2240 wrote to memory of 2448	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	28
PID 2240 wrote to memory of 2448	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	28
PID 2240 wrote to memory of 2888	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	30
PID 2240 wrote to memory of 2888	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	30
PID 2240 wrote to memory of 2888	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	30
PID 2240 wrote to memory of 2888	2240	13c2f01a234b7281bc1bcc13f2627ea0.exe	30
PID 2888 wrote to memory of 2880	2888	cmd.exe	31
PID 2888 wrote to memory of 2880	2888	cmd.exe	31
PID 2888 wrote to memory of 2880	2888	cmd.exe	31
PID 2888 wrote to memory of 2880	2888	cmd.exe	31
PID 2448 wrote to memory of 2632	2448	13c2f01a234b7281bc1bcc13f2627ea0.exe	32
PID 2448 wrote to memory of 2632	2448	13c2f01a234b7281bc1bcc13f2627ea0.exe	32
PID 2448 wrote to memory of 2632	2448	13c2f01a234b7281bc1bcc13f2627ea0.exe	32
PID 2448 wrote to memory of 2632	2448	13c2f01a234b7281bc1bcc13f2627ea0.exe	32

C:\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0.exe
"C:\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0\13c2f01a234b7281bc1bcc13f2627ea0.exe
  "C:\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0\13c2f01a234b7281bc1bcc13f2627ea0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
44B

MD5
60c841fb30ae3e702e6d04ca9ab1bee5

SHA1
e07faee70b3f4e62019206a04195df8c4131b94c

SHA256
2876797edc628b5c9d32279eb99afb3f90ec2df9da96f877e09300ead8636b5b

SHA512
dedaf4090396c0337eaf8d78ec2685bd8aa9bb53125ac48b99fbfeef22e6bc10109111859797829198bbc9fea59cc2756a3206a2c11b85bd99754de42f5aebb9

Download Submit
\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0\13c2f01a234b7281bc1bcc13f2627ea0.exe

Filesize
252KB

MD5
50436ae257061b67e706b541212c7375

SHA1
6458b41e0415dead01ee9a2545170c41ff1df33e

SHA256
763a39d6f1ba7cf426285318ec86467aa2e20ddfd6599fd435d5a72b77523d40

SHA512
f09d09b44cff0e57798f3ec8e73a5b2f55589ae7dec87762fc7dceb8d257b68894f743be611d151c44469b35e79c1e4837c3725d939705707f6ebe612e9a3eef

Download Submit
\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0\13c2f01a234b7281bc1bcc13f2627ea0.exe

Filesize
371KB

MD5
756bd5a06a8a1afe9cbd996681b5c1b7

SHA1
57a0b95a4e98291aac950af6c9c6fef7910ec8b8

SHA256
71b6e29079e09e88b8998694bd0ec6ca6f7ebdcc7ea8353899561f45b02b972d

SHA512
4108e3e27100dea1a535f2e3a0e58444c0ae3c79ee733dda3b19b55930199a96134a408a232b21535d95a97a9e6f511461c63b9ce84661343ec409c2927c3946

Download Submit
\Users\Admin\AppData\Local\Temp\13c2f01a234b7281bc1bcc13f2627ea0\13c2f01a234b7281bc1bcc13f2627ea0.exe

Filesize
386KB

MD5
13c2f01a234b7281bc1bcc13f2627ea0

SHA1
98eb2e910dfd1a78e995b8f037ad112f0a365a30

SHA256
2be7df19384b4edb63a595c4cd5c75a581ee7aab2fd90e169f3e0eaa5da945e7

SHA512
67736c013334360dee9a98a92b63765d2a51993f9c9c41b0880247ce19dc649bc2871fbebe526fcd6af07d7bff27e7331d1c3c379044a57243c41070c445b1f5

Download Submit
memory/2240-15-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-0-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-2-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download
memory/2240-1-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2448-14-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2448-16-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2448-17-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2448-47-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/2448-48-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download