imminent | b3f1fb57672dea1127cdf4552383005779455c633de4f45b2d8b65f8b433c414

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21/12/2023, 22:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cdee5e88ba57366428e0345075c0215.exe
Size

734KB
MD5

1cdee5e88ba57366428e0345075c0215
SHA1

07f5e12a25be9c5c2d3e8a7a174eebaddfb40ea6
SHA256

b3f1fb57672dea1127cdf4552383005779455c633de4f45b2d8b65f8b433c414
SHA512

51b491a57d82c29d2fadeb2d9426d7c59cfda1bae54c80308d6007ec7a760c662b8c1c40eda02922ea553a07e4682156319b0ce19627df80db8d159836ab14a3
SSDEEP

12288:Qk+2QhKjbypvmScRbZtmsW6qloho4ngvJRkZZ5qK2U9:QkGPvmxbZwj7ihpNZTqK9

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kith2.exe	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kith2.exe	xcopy.exe

Executes dropped EXE 2 IoCs

pid	Process
2592	system2.exe
2716	system2.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	1cdee5e88ba57366428e0345075c0215.exe
2592	system2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\System2.exe"	system2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\System2.exe"	system2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2444	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	system2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	system2.exe
Token: SeDebugPrivilege	2716	system2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2116	1cdee5e88ba57366428e0345075c0215.exe
2116	1cdee5e88ba57366428e0345075c0215.exe
2716	system2.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1652	2116	1cdee5e88ba57366428e0345075c0215.exe	29
PID 2116 wrote to memory of 1652	2116	1cdee5e88ba57366428e0345075c0215.exe	29
PID 2116 wrote to memory of 1652	2116	1cdee5e88ba57366428e0345075c0215.exe	29
PID 2116 wrote to memory of 1652	2116	1cdee5e88ba57366428e0345075c0215.exe	29
PID 2116 wrote to memory of 2592	2116	1cdee5e88ba57366428e0345075c0215.exe	35
PID 2116 wrote to memory of 2592	2116	1cdee5e88ba57366428e0345075c0215.exe	35
PID 2116 wrote to memory of 2592	2116	1cdee5e88ba57366428e0345075c0215.exe	35
PID 2116 wrote to memory of 2592	2116	1cdee5e88ba57366428e0345075c0215.exe	35
PID 1652 wrote to memory of 2648	1652	cmd.exe	34
PID 1652 wrote to memory of 2648	1652	cmd.exe	34
PID 1652 wrote to memory of 2648	1652	cmd.exe	34
PID 1652 wrote to memory of 2648	1652	cmd.exe	34
PID 2592 wrote to memory of 2716	2592	system2.exe	33
PID 2592 wrote to memory of 2716	2592	system2.exe	33
PID 2592 wrote to memory of 2716	2592	system2.exe	33
PID 2592 wrote to memory of 2716	2592	system2.exe	33
PID 2592 wrote to memory of 2660	2592	system2.exe	32
PID 2592 wrote to memory of 2660	2592	system2.exe	32
PID 2592 wrote to memory of 2660	2592	system2.exe	32
PID 2592 wrote to memory of 2660	2592	system2.exe	32
PID 2660 wrote to memory of 2444	2660	cmd.exe	30
PID 2660 wrote to memory of 2444	2660	cmd.exe	30
PID 2660 wrote to memory of 2444	2660	cmd.exe	30
PID 2660 wrote to memory of 2444	2660	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\1cdee5e88ba57366428e0345075c0215.exe
"C:\Users\Admin\AppData\Local\Temp\1cdee5e88ba57366428e0345075c0215.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\cp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /k /y "kith2.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    3⤵
    - Drops startup file
    - Enumerates system info in registry
    PID:2648
- C:\Users\Admin\AppData\Roaming\system2.exe
  "C:\Users\Admin\AppData\Roaming\system2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2592

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\system2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\system2\system2.exe
"C:\Users\Admin\AppData\Local\Temp\system2\system2.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2716

Network

DNS

MisteryDns72.ddns.net

system2.exe

Remote address:

8.8.8.8:53

Request

MisteryDns72.ddns.net

IN A

Response

No results found

8.8.8.8:53

MisteryDns72.ddns.net

dns

system2.exe

67 B
127 B
1
1

DNS Request

MisteryDns72.ddns.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system2\system2.exe

Filesize
64KB

MD5
24579b04f7d4180328b33318835a2733

SHA1
7a1583cd12f12eacac71d12afc6c90d34946ac39

SHA256
ab42bfbb62fdcaf3d18fc386db2c4b3d2a3e3b4f210c527ebe746c26dc995692

SHA512
22f443252b239e71490fc19b6ead70d6ab1d8878061dc9b438fbf96bafa0b0a02b73a78f1fe3ed208e5480bfb98f87bf9b3584eb1c220ccf0c6b26e68879a2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\system2\system2.exe

Filesize
83KB

MD5
79d24bd0e6badbb20b45030324728958

SHA1
85298d6021995c5eb1496ce68f6598c7fcfef7a7

SHA256
24f425e8303e16a1b7ea46e433a318e5cbe3fc60a8007123bd6979f54f44863a

SHA512
cd48f0270d29bdea008de8bd0e65074195b6de0235b62137270cce26d128991e42831d005b8e04cbbdd43a538bd0c361fddec54a5abeaf6400d33f6e315e70b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\system2\system2.exe

Filesize
61KB

MD5
6eb9e21575bb6f70fc06a90fa2335062

SHA1
d5e8883207ccb404f008cf0594507dfe006b94c8

SHA256
a468572d0221b7a2826c9caf2e823c743b13526e5c79993ae3037c28ee19d025

SHA512
96f97f1424f385fe00d32d07b3032cb5d806c69b22e3e25dfe3388255339f6590d830ec4dd81552e2b933cac6f132744eef5b71924dc9da5934b36e21afa14a9

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
55B

MD5
033d552c7c12e6de0868b70b09b20ed8

SHA1
552a55923384e6f0797b41be3cbb3ad95eda2033

SHA256
bb89b2ce056a7158bec4876f772b1b91e9302e21c4766adea3eb7921f4df8e99

SHA512
5897e58d6050f568bdd712cfa08e0d550007cd1a5bbe99f6ac918b196fff7ec5760271b28b84fb749e30b602baa973a64e4d72084f8d35ff282b3c5c1d22a138

Download Submit
C:\Users\Admin\AppData\Roaming\cp.bat

Filesize
119B

MD5
a8e7b1130fff0dd0405e0d14d837173b

SHA1
1d867a11bbe7d7b861c315781c3146367fe89e16

SHA256
ac2de3c16a347706fe0253eaa71367ab5b60960fb56b1a7f62f2e1acb84c0a23

SHA512
c59ec28cea9a607f321e054fed27c571b906fbbc102f9eb65aa39b7cf9e8ee86406217e8953711aa082e7cd6884c0d3c41ffed6bbb93e2e83d2272c46e400cfd

Download Submit
C:\Users\Admin\AppData\Roaming\kith2.exe

Filesize
12KB

MD5
801ef53ebade58fd2c203b8090f89a06

SHA1
dc21042b025edb12ca66dbafb16bdd1a2c916e76

SHA256
308d138febe6bbea9c62d24fa5b15cd4e5bf90d13a796f64f2376e632369ef61

SHA512
5d9d487aad36e77c696fd47b264334028c3c55c09ace5193c0c3dc354ce55fec5488e3fe73a07d86f5ada57cecd108015ab49a060453951ff61bf199f85b809c

Download Submit
C:\Users\Admin\AppData\Roaming\system2.exe

Filesize
92KB

MD5
74e85d460b75ae86e77e403f222f3a58

SHA1
733d07af075f78e4b7247ac914ca174456fe0bd0

SHA256
e4839dd000421a932aed19d37d6a9d18fdce4757feaa55408a088f17ab14f170

SHA512
4ca62d483cf2ea89feeccae330e50f07d43e1bac0e7ac7b0935ac9f7388953c451db1c4aac4506a8e7e73034fe20e65b597ae2e699745107c4359aa6180907c7

Download Submit
C:\Users\Admin\AppData\Roaming\system2.exe

Filesize
76KB

MD5
63b6dd33b9dc87065de0ee052c2be00a

SHA1
7dbe81ab9a9c382a8eb29b57fa47bfc39938c1c4

SHA256
6ef54259d79c9b2a0dd9777e84e45228607739b4958c9dfb58caef4f9b140f1d

SHA512
1d9479bedfa079fc6b6fde009303b04f5612526d2842a2c31b26950be097636372a4d134215c8666c922d01aa0c35a06ca09f729f233bceb04e699c2b8783894

Download Submit
\Users\Admin\AppData\Local\Temp\system2\system2.exe

Filesize
69KB

MD5
cb2ea0987f2b5abd53252a2151e8bda8

SHA1
d296cd1f75774dd0397cb9c12cb141aff1bb30f2

SHA256
79c8555646a12129c9bc1b28c29c229e860977814ae358254ad9deb8edf74ed5

SHA512
497e8be8f618e42382f9d40e648c8e57161b34a2b5bd28176c70d2c847ce0ec35cbbd50b22a6a45dc54e5f031daa9b4a6d911ab42a3c3e631e3defaa4895d539

Download Submit
\Users\Admin\AppData\Roaming\system2.exe

Filesize
62KB

MD5
c5d7c325a019e1385e8d911f9f06a608

SHA1
9cc21ee8624627486acc56d9331f4c6a232f6555

SHA256
afb8a9c10cec996a9671b45ce109d26cb198ee7ee890ddb991cadf58b1232a0c

SHA512
a817a3c09f3a59bfd3d3c36e7386412ce41f3f6375ee489889492f04396237a02e210582ddfb1546bef42493c1776b33254c2c721a9904a43388a9e98f4be17a

Download Submit
memory/2116-8-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2116-3-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2116-4-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2116-55-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-0-0x0000000000290000-0x000000000034E000-memory.dmp

Filesize
760KB

Download
memory/2116-59-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2116-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2116-1-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-43-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-28-0x00000000008E0000-0x000000000093E000-memory.dmp

Filesize
376KB

Download
memory/2592-24-0x0000000000940000-0x00000000009C4000-memory.dmp

Filesize
528KB

Download
memory/2592-30-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/2592-29-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/2592-27-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-40-0x00000000008D0000-0x0000000000910000-memory.dmp

Filesize
256KB

Download
memory/2716-46-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2716-44-0x0000000000450000-0x000000000045E000-memory.dmp

Filesize
56KB

Download
memory/2716-39-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-38-0x00000000001D0000-0x0000000000254000-memory.dmp

Filesize
528KB

Download
memory/2716-69-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-75-0x00000000008D0000-0x0000000000910000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.