imminent | b3f1fb57672dea1127cdf4552383005779455c633de4f45b2d8b65f8b433c414

General

Target

1cdee5e88ba57366428e0345075c0215.exe
Size

734KB
MD5

1cdee5e88ba57366428e0345075c0215
SHA1

07f5e12a25be9c5c2d3e8a7a174eebaddfb40ea6
SHA256

b3f1fb57672dea1127cdf4552383005779455c633de4f45b2d8b65f8b433c414
SHA512

51b491a57d82c29d2fadeb2d9426d7c59cfda1bae54c80308d6007ec7a760c662b8c1c40eda02922ea553a07e4682156319b0ce19627df80db8d159836ab14a3
SSDEEP

12288:Qk+2QhKjbypvmScRbZtmsW6qloho4ngvJRkZZ5qK2U9:QkGPvmxbZwj7ihpNZTqK9

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	1cdee5e88ba57366428e0345075c0215.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	system2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kith2.exe	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kith2.exe	xcopy.exe

Executes dropped EXE 2 IoCs

pid	Process
4228	system2.exe
220	system2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\System2.exe"	system2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\System2.exe"	system2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
344	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
220	system2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	system2.exe
Token: SeDebugPrivilege	220	system2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4940	1cdee5e88ba57366428e0345075c0215.exe
4940	1cdee5e88ba57366428e0345075c0215.exe
220	system2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4376	4940	1cdee5e88ba57366428e0345075c0215.exe	52
PID 4940 wrote to memory of 4376	4940	1cdee5e88ba57366428e0345075c0215.exe	52
PID 4940 wrote to memory of 4376	4940	1cdee5e88ba57366428e0345075c0215.exe	52
PID 4940 wrote to memory of 4228	4940	1cdee5e88ba57366428e0345075c0215.exe	53
PID 4940 wrote to memory of 4228	4940	1cdee5e88ba57366428e0345075c0215.exe	53
PID 4940 wrote to memory of 4228	4940	1cdee5e88ba57366428e0345075c0215.exe	53
PID 4376 wrote to memory of 4224	4376	cmd.exe	56
PID 4376 wrote to memory of 4224	4376	cmd.exe	56
PID 4376 wrote to memory of 4224	4376	cmd.exe	56
PID 4228 wrote to memory of 220	4228	system2.exe	60
PID 4228 wrote to memory of 220	4228	system2.exe	60
PID 4228 wrote to memory of 220	4228	system2.exe	60
PID 4228 wrote to memory of 2504	4228	system2.exe	59
PID 4228 wrote to memory of 2504	4228	system2.exe	59
PID 4228 wrote to memory of 2504	4228	system2.exe	59
PID 2504 wrote to memory of 344	2504	cmd.exe	57
PID 2504 wrote to memory of 344	2504	cmd.exe	57
PID 2504 wrote to memory of 344	2504	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\1cdee5e88ba57366428e0345075c0215.exe
"C:\Users\Admin\AppData\Local\Temp\1cdee5e88ba57366428e0345075c0215.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\cp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /c /k /y "kith2.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    3⤵
    - Drops startup file
    - Enumerates system info in registry
    PID:4224
- C:\Users\Admin\AppData\Roaming\system2.exe
  "C:\Users\Admin\AppData\Roaming\system2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\system2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
- - C:\Users\Admin\AppData\Local\Temp\system2\system2.exe
    "C:\Users\Admin\AppData\Local\Temp\system2\system2.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:220

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system2\system2.exe

Filesize
65KB

MD5
13cae01f0dc1d799f1894c2d82f7a60a

SHA1
ac92e52d9373992967fad854ab7bfe2fb0b5b0ae

SHA256
2fb672bbb3d4417a2c656aae26c5e27dcb01c9e85c5ad05d4c4e88a76e4d0684

SHA512
e9d8e02e2dfa24d5966d50824a266140f425787da7d90fd0796fb96f822dd45681bb3bc24a4ebdf44cb55179908e95586c2b618dbac4cc8b1455f42c06c5e9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\system2\system2.exe

Filesize
38KB

MD5
181fc409f63b37f5efac405b4473907c

SHA1
09370385a5c408c419e8156af7a1711dd09fbd4d

SHA256
1f30649da244a254925372a6a02af824063cc2ef5f84676dff24138625221efa

SHA512
1eb51b471d0d2fb8a1f8dfd8b2968f642950183d1e43500413c34f4e03319e78337575aa7900e7bc76ea3e1a19fc5591a36af1b3a109367955840741b6cccc49

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
55B

MD5
033d552c7c12e6de0868b70b09b20ed8

SHA1
552a55923384e6f0797b41be3cbb3ad95eda2033

SHA256
bb89b2ce056a7158bec4876f772b1b91e9302e21c4766adea3eb7921f4df8e99

SHA512
5897e58d6050f568bdd712cfa08e0d550007cd1a5bbe99f6ac918b196fff7ec5760271b28b84fb749e30b602baa973a64e4d72084f8d35ff282b3c5c1d22a138

Download Submit
C:\Users\Admin\AppData\Roaming\cp.bat

Filesize
119B

MD5
a8e7b1130fff0dd0405e0d14d837173b

SHA1
1d867a11bbe7d7b861c315781c3146367fe89e16

SHA256
ac2de3c16a347706fe0253eaa71367ab5b60960fb56b1a7f62f2e1acb84c0a23

SHA512
c59ec28cea9a607f321e054fed27c571b906fbbc102f9eb65aa39b7cf9e8ee86406217e8953711aa082e7cd6884c0d3c41ffed6bbb93e2e83d2272c46e400cfd

Download Submit
C:\Users\Admin\AppData\Roaming\kith2.exe

Filesize
12KB

MD5
801ef53ebade58fd2c203b8090f89a06

SHA1
dc21042b025edb12ca66dbafb16bdd1a2c916e76

SHA256
308d138febe6bbea9c62d24fa5b15cd4e5bf90d13a796f64f2376e632369ef61

SHA512
5d9d487aad36e77c696fd47b264334028c3c55c09ace5193c0c3dc354ce55fec5488e3fe73a07d86f5ada57cecd108015ab49a060453951ff61bf199f85b809c

Download Submit
C:\Users\Admin\AppData\Roaming\system2.exe

Filesize
70KB

MD5
3d07a0410b4aa7ad0f16e6921c9bd118

SHA1
dac985660cb4c78e2ee4d6c53cf982526388e4e4

SHA256
2724ed2f2a9776504f67808d800f477bd6b978969cb89da876de605f822226ee

SHA512
2042156407330859c235a678ab7e88a2aadc751b1e2c976a4aa8a5a5f6adf4aa59c839852ead0878562f27752e6cfb3f0f66046eed3c255422c3f93910beafc5

Download Submit
C:\Users\Admin\AppData\Roaming\system2.exe

Filesize
30KB

MD5
9e73be5c1e353e105d8a5a1978a0de85

SHA1
d7a0938482f396cd60ef805ce386a5ac182f4f02

SHA256
0c210d1385115b36a4ef8b2c21187c7abcdbd0fc34d464a83abeae75b41ab6c8

SHA512
213e61fefb644f8bd73418713fd8d425c194ef9cb9e581c9f06ca50b01e38496ff1e3b632ac7fde7d380d692ba6802a44ff793a3aa944a8f8b2af2d64de83f05

Download Submit
C:\Users\Admin\AppData\Roaming\system2.exe

Filesize
68KB

MD5
c159fc89d0ec2e6f8519511c49713646

SHA1
64fc71515b77057ee0376a55dd87058fe1d8025b

SHA256
36d3974d280cdcfba535084282871c3f44c9a7737c1115441faf00c315956665

SHA512
bd54da32d7b097b876b6ba5264818c3dbb0d9c505bd252ea7389751384d1e6513732d6f368799d3630e9a9e7d69a4e52c02ccde8ac79b5b3b7e322a5c51f1988

Download Submit
memory/220-46-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/220-48-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/220-52-0x0000000005640000-0x000000000564E000-memory.dmp

Filesize
56KB

Download
memory/220-54-0x00000000058D0000-0x00000000058E6000-memory.dmp

Filesize
88KB

Download
memory/220-82-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/220-86-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4228-26-0x00000000004A0000-0x0000000000524000-memory.dmp

Filesize
528KB

Download
memory/4228-34-0x0000000007350000-0x0000000007378000-memory.dmp

Filesize
160KB

Download
memory/4228-27-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-30-0x0000000004D90000-0x0000000004DEE000-memory.dmp

Filesize
376KB

Download
memory/4228-28-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4228-49-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4940-1-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4940-2-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/4940-6-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/4940-7-0x0000000005040000-0x0000000005096000-memory.dmp

Filesize
344KB

Download
memory/4940-5-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-8-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-31-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-9-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-59-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4940-3-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/4940-67-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-70-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-73-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-79-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4940-4-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/4940-0-0x00000000003D0000-0x000000000048E000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads