imminent | 114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a37ecfea5074fff2de431e643e74af0.exe
Size

693KB
MD5

0a37ecfea5074fff2de431e643e74af0
SHA1

4ff3dfa39ae7fd46772c30ff547ed935e134396f
SHA256

114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247
SHA512

7ee5854e7e3cebf76de910b47f427095c420cd27c227d74cd0c62e44f2adfc429c1abb02391cc7ca15df28a99ce471c4912d4a41fc43e234d78029f330f3c33f
SSDEEP

12288:tSIzbMSwyUI2buNNqwfVsQV2wWU4dh2hPnmrTVr5i38VeUbBxjv:tSibMSws2SqwGuZUgz3kXjv

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 3 IoCs

pid	Process
2492	0a37ecfea5074fff2de431e643e74af0.exe
2036	0a37ecfea5074fff2de431e643e74af0.exe
1944	0a37ecfea5074fff2de431e643e74af0.exe

Loads dropped DLL 3 IoCs

pid	Process
1648	0a37ecfea5074fff2de431e643e74af0.exe
1648	0a37ecfea5074fff2de431e643e74af0.exe
1648	0a37ecfea5074fff2de431e643e74af0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\Sample.lnk"	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1648	0a37ecfea5074fff2de431e643e74af0.exe
1648	0a37ecfea5074fff2de431e643e74af0.exe
1648	0a37ecfea5074fff2de431e643e74af0.exe
1648	0a37ecfea5074fff2de431e643e74af0.exe
1648	0a37ecfea5074fff2de431e643e74af0.exe
1648	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1944	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	0a37ecfea5074fff2de431e643e74af0.exe
Token: SeDebugPrivilege	1944	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1944	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2976	1648	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1648 wrote to memory of 2976	1648	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1648 wrote to memory of 2976	1648	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1648 wrote to memory of 2976	1648	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1648 wrote to memory of 2320	1648	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1648 wrote to memory of 2320	1648	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1648 wrote to memory of 2320	1648	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1648 wrote to memory of 2320	1648	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1648 wrote to memory of 2492	1648	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1648 wrote to memory of 2492	1648	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1648 wrote to memory of 2492	1648	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1648 wrote to memory of 2492	1648	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1648 wrote to memory of 2036	1648	0a37ecfea5074fff2de431e643e74af0.exe	34
PID 1648 wrote to memory of 2036	1648	0a37ecfea5074fff2de431e643e74af0.exe	34
PID 1648 wrote to memory of 2036	1648	0a37ecfea5074fff2de431e643e74af0.exe	34
PID 1648 wrote to memory of 2036	1648	0a37ecfea5074fff2de431e643e74af0.exe	34
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35
PID 1648 wrote to memory of 1944	1648	0a37ecfea5074fff2de431e643e74af0.exe	35

C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe
"C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe
  "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe
  "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe
  "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1944

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab8875048b2c6353971789955e85bcea

SHA1
9743b4b6e900a8560d53a6829eb768d39858eea2

SHA256
44ebe65b38bfc066b8f18f062e79396915fc77d38e8695d4851e4fd50095477e

SHA512
dbd2bc003dee6a9be5ff538ee4c3f3c2af28e73ed26128cfa519f0937d6833a880e03f6363443e3ca7835c53abcac7fde91f4e48b76a13e136215768e2a31d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe

Filesize
177KB

MD5
d3c32556686197f92029b73f8593b042

SHA1
a52a6d258d17047a471af0632324d03c6041373a

SHA256
ac3ea94fad834c8d0d3cb90e736ef8d6ec295e89cbe2d54aaa75d6eb009a536e

SHA512
c76a0e60274acbed1d2955d5d829c0257e001ad8df32c5b49d3c929b51fafabdbd18af4652f9229f948b01c7c9ca34a8b6f6d990d594ac6f285c744ba8311338

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe

Filesize
122KB

MD5
42988b1d164a67de5f99ba9a3955230d

SHA1
a15a43f3a7afc30f1950877d551deef21ca17969

SHA256
45b8c7e5844d39815a8a2427fa3c2dd0a8bd04896338cf4bdbcc8887f3415be6

SHA512
3cc27981b8f0ff1be44c5c7ebbce24b295dffe7d87a02dfecb54132483a19528d787e4901e00c20b627175cb86b5c4aa37bc81f37b7174fec25f1f1a135136fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe

Filesize
90KB

MD5
bc706401d7e46030b8925c3862c9a3bb

SHA1
6e3ce8f731128f3f04b578206b5566fdf1897fc7

SHA256
368e0a1c922b21981735a170a90640ca8f8628401c53c0c483e7262e68ce3f0e

SHA512
2a4d1af3879b068a4901805cdede5912eda02f2887a5f0b581608545ba3e2d7db74135e3778a7847007f44afb032365c0f420063ccff90f67b64ea37e79b296b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD18.tmp

Filesize
14KB

MD5
1062a8b443c9e52249c0483399753c22

SHA1
a83e07abeaeb0c4eec045ba4ad7cda8922195b5a

SHA256
fefc9277505b308bb9eb4678c4bc2c1ac01ca3151381356b3dbbf967f1d63eb8

SHA512
be399c5f201c66d380ea82c12d435975b4d09af9fc1618ec8ee8b2e1d53a835611f4a41f96c65323c8c3561612e438c9da8eeb545044e99bc9322ef88c80661a

Download Submit
C:\Users\Admin\AppData\Local\Temp\small13.jpg

Filesize
18KB

MD5
80fb8abb9c3accd6a5040f9d35c4cfba

SHA1
856cf9162631fb5b1c3118560b0d20340d95d4a0

SHA256
6a81e3a9a8591ac8b6db2636cd0a130b033212848a6118b0217b4e8f1d6d6cee

SHA512
d962aaf75641d936da2d532479434ad6452a688859cd38000af51aad72e4a08d4b0c9d618e2ba38aef4316957d47a51049abe988f10f8c077d8de74f2bd39ec8

Download Submit
\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe

Filesize
693KB

MD5
0a37ecfea5074fff2de431e643e74af0

SHA1
4ff3dfa39ae7fd46772c30ff547ed935e134396f

SHA256
114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247

SHA512
7ee5854e7e3cebf76de910b47f427095c420cd27c227d74cd0c62e44f2adfc429c1abb02391cc7ca15df28a99ce471c4912d4a41fc43e234d78029f330f3c33f

Download Submit
\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe

Filesize
192KB

MD5
c1e05afc3b2c20e1e1085cf95879e01d

SHA1
41ff52fa19c454f1711465471e18df253e79a2fa

SHA256
b172e6597b9f2f34a3f72f4efde6b824342f75bb8be50e41e57602e681518bd0

SHA512
bb782a543c93aebef51c32460b7a92449367785c3047e0a399d161337d0d8c31f3d000b66ce2e53d7ebb6952b6795a0bc2ec7c7198a001964142bd74c51a3897

Download Submit
\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe

Filesize
100KB

MD5
9ed3cbc43c492c4014472b23f67a9738

SHA1
9f8baf23d141183a78f488d986836db93e75925a

SHA256
f74b868a3e3c474fe882e44b284178fdd9cb786546029306821baf8165b7f045

SHA512
15a42cb5c4aca0569f5c2ede1005c49b52cbc3f485e4b98dad164180e870d4a9a118f7c2a9ca8a3cfa9bfcc4015055a1cb0148e1f69240345e898a29235f5ddb

Download Submit
memory/1648-22-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/1648-14-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/1648-61-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/1648-0-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-21-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1648-60-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-2-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1648-1-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-23-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/1648-20-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-19-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1648-13-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/1648-15-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/1944-55-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-46-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/1944-39-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1944-36-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1944-35-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1944-33-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1944-31-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1944-42-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1944-45-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-41-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1944-64-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/1944-44-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1944-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1944-63-0x0000000074E80000-0x000000007542B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-62-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2628-24-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2628-26-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download