imminent | bb992a2a26463285634e1aba34f188240e861b7ab29bc65e332fa2ebdece4dae

General

Target

54ce4b3ee7bf8152203aa77fb6acb14c.exe
Size

505KB
MD5

54ce4b3ee7bf8152203aa77fb6acb14c
SHA1

fe555154b24f65d05879aee558f60cdf68905381
SHA256

bb992a2a26463285634e1aba34f188240e861b7ab29bc65e332fa2ebdece4dae
SHA512

f67a0631d4be5c783d9c75a4133462451d0a16216533b413daa68c69bfb0495ea98a234390a4ef2cd9fae9dd4f1e92b95b206d4ba9ca95c5ec3afd09e02999f3
SSDEEP

6144:YRGQ8zpJEijUsysr8nBBdYnLGcRaJNK65gftmoxWBBRurqQ+mnIUomhQarSG8Q86:vjbypvmScRbZtmsW6qloho4ngvJRkZZ

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Deletes itself 1 IoCs

pid	Process
2856	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2304	54ce4b3ee7bf8152203aa77fb6acb14c.exe

Loads dropped DLL 1 IoCs

pid	Process
2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "C:\\Users\\Admin\\AppData\\Local\\Default Folder\\System2.exe"	54ce4b3ee7bf8152203aa77fb6acb14c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Default Key = "\\Default Folder\\System2.exe"	54ce4b3ee7bf8152203aa77fb6acb14c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2744	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2304	54ce4b3ee7bf8152203aa77fb6acb14c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe
Token: SeDebugPrivilege	2304	54ce4b3ee7bf8152203aa77fb6acb14c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2304	54ce4b3ee7bf8152203aa77fb6acb14c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2304	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	28
PID 2532 wrote to memory of 2304	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	28
PID 2532 wrote to memory of 2304	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	28
PID 2532 wrote to memory of 2304	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	28
PID 2532 wrote to memory of 2856	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	31
PID 2532 wrote to memory of 2856	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	31
PID 2532 wrote to memory of 2856	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	31
PID 2532 wrote to memory of 2856	2532	54ce4b3ee7bf8152203aa77fb6acb14c.exe	31
PID 2856 wrote to memory of 2744	2856	cmd.exe	29
PID 2856 wrote to memory of 2744	2856	cmd.exe	29
PID 2856 wrote to memory of 2744	2856	cmd.exe	29
PID 2856 wrote to memory of 2744	2856	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c.exe
"C:\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c\54ce4b3ee7bf8152203aa77fb6acb14c.exe
  "C:\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c\54ce4b3ee7bf8152203aa77fb6acb14c.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2856

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
1⤵
- Runs ping.exe
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Default Folder\System2.exe

Filesize
186KB

MD5
2b55f25a6f3a092471119eee2a9dbc1d

SHA1
f1aaf99afd818ed9fad91219e74294ce3230dd2f

SHA256
daa8a84f635e2d4a7387bec421fb18d5b75d3e8ed669d63e6f183e6265a5e489

SHA512
58e1523d6edf2f044d1f3fcacc6f3c5004d9c9eb295ac4d7714cf2c46c5e9a792733295b0756bf5fb2dcf576318b7e1dc8c174e83684df9bf351d5f1b4918637

Download Submit
C:\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c\54ce4b3ee7bf8152203aa77fb6acb14c.exe

Filesize
272KB

MD5
3c5b406f8c355944db1e9924fd1a1772

SHA1
3452ab21f712ad800fb973f2aeb3034b6d35c3af

SHA256
4c17082d8a4bd11b4db75ff2634970a12713b93203bd85fccca65fb71be8bff4

SHA512
e681d47e41e30853948bce7292968d3c19f34f6c647119822fb7330307659948869ef04346572879c2da0741cafb50b4bf0414e893bcb1b432ab0ceef465609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c\54ce4b3ee7bf8152203aa77fb6acb14c.exe

Filesize
252KB

MD5
f7e7193cd2637d8bc54f230cc502c107

SHA1
92de7885229b841f4e6fbd324f02ab91d0045082

SHA256
e4d928f4edb2ab4b32c8de5a00c08af38f3fd72dd1dfc944ecb4da3cfd4624ec

SHA512
e2e152a67eaa4d53f6929e96fbe674c16666c36684f94c4630b78b5e93d4c1e9eb03415dd93435a087641cb6dff8a1010a78396188725bc7a5bf7286b589c3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
55B

MD5
033d552c7c12e6de0868b70b09b20ed8

SHA1
552a55923384e6f0797b41be3cbb3ad95eda2033

SHA256
bb89b2ce056a7158bec4876f772b1b91e9302e21c4766adea3eb7921f4df8e99

SHA512
5897e58d6050f568bdd712cfa08e0d550007cd1a5bbe99f6ac918b196fff7ec5760271b28b84fb749e30b602baa973a64e4d72084f8d35ff282b3c5c1d22a138

Download Submit
\Users\Admin\AppData\Local\Temp\54ce4b3ee7bf8152203aa77fb6acb14c\54ce4b3ee7bf8152203aa77fb6acb14c.exe

Filesize
326KB

MD5
6fcaa41551c3647e1f3243b8ff42f9d5

SHA1
b0618f39eeffc0e7c2dd2eebb5cf7dbef0393025

SHA256
74dfdd747778942bbfae5b242eaff33d81a1ac82d1b8909ce57bc77fb9ed8253

SHA512
260d126cdc42254c8f92a56bbbabe803abdb79bdef25bbb800ef9a54652a97b1626d750563198c1cc17c306e1695f8835eacb105b8e84b5266b41258c62c2f98

Download Submit
memory/2304-13-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-12-0x0000000001050000-0x00000000010D4000-memory.dmp

Filesize
528KB

Download
memory/2304-14-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/2304-18-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2304-20-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/2304-41-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2304-47-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/2532-4-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/2532-3-0x0000000002010000-0x000000000206E000-memory.dmp

Filesize
376KB

Download
memory/2532-15-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-2-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/2532-0-0x00000000008F0000-0x0000000000974000-memory.dmp

Filesize
528KB

Download
memory/2532-1-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads