imminent | beace8df01346080162d047f3fd3ead1e2b87d7bdaf03525000d51386285cb7a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc2d486735244a0b77768ba6c0d320c.exe
Size

1.2MB
MD5

1bc2d486735244a0b77768ba6c0d320c
SHA1

2d5690f5572384cc343ea7bcc6e67aac585f1f8b
SHA256

beace8df01346080162d047f3fd3ead1e2b87d7bdaf03525000d51386285cb7a
SHA512

c9e583b71a9dac8929b61914e5a03f640c7353166591b896e984a26de0802923bb49009967e1497a35f18a20169a0c295815a8e9da15a2d9ced5e913afd9e700
SSDEEP

24576:Ltb20pkaCqT5TBWgNQ7aIw9j5A4O9Hwuqj61ZZlRDMsNV6A6:IVg5tQ7aIw9ju4OW56XzSsr56

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tpgknwazxqhbcpq.fr.url	1bc2d486735244a0b77768ba6c0d320c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3120 set thread context of 4052	3120	1bc2d486735244a0b77768ba6c0d320c.exe	46

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3120	1bc2d486735244a0b77768ba6c0d320c.exe
3120	1bc2d486735244a0b77768ba6c0d320c.exe
3120	1bc2d486735244a0b77768ba6c0d320c.exe
3120	1bc2d486735244a0b77768ba6c0d320c.exe
3120	1bc2d486735244a0b77768ba6c0d320c.exe
3120	1bc2d486735244a0b77768ba6c0d320c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4052	RegAsm.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3120	1bc2d486735244a0b77768ba6c0d320c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	RegAsm.exe
Token: 33	4052	RegAsm.exe
Token: SeIncBasePriorityPrivilege	4052	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4052	RegAsm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4052	3120	1bc2d486735244a0b77768ba6c0d320c.exe	46
PID 3120 wrote to memory of 4052	3120	1bc2d486735244a0b77768ba6c0d320c.exe	46
PID 3120 wrote to memory of 4052	3120	1bc2d486735244a0b77768ba6c0d320c.exe	46
PID 3120 wrote to memory of 4052	3120	1bc2d486735244a0b77768ba6c0d320c.exe	46

C:\Users\Admin\AppData\Local\Temp\1bc2d486735244a0b77768ba6c0d320c.exe
"C:\Users\Admin\AppData\Local\Temp\1bc2d486735244a0b77768ba6c0d320c.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\1bc2d486735244a0b77768ba6c0d320c.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4788.tmp

Filesize
144KB

MD5
c3f3d05f73388a427835ea9eb8e09722

SHA1
af3e172e8768eaf75e5beb8b39669381cffc1ca1

SHA256
b9105cf66267ff70d5790a615ea9bd0a2d85ad552956bffa4c75b66c89cc9783

SHA512
1bfff340280937b52a313b24d663d462e6836a2253309b74b7579f163363864af238e3bd87ac0f30624e58a9d4c0dae1f44524f1c50a994d7fb2f7d57336c062

Download Submit
memory/3120-11-0x0000000001020000-0x0000000001023000-memory.dmp

Filesize
12KB

Download
memory/4052-19-0x0000000007150000-0x00000000076F4000-memory.dmp

Filesize
5.6MB

Download
memory/4052-21-0x0000000007770000-0x00000000077D6000-memory.dmp

Filesize
408KB

Download
memory/4052-15-0x00000000015B0000-0x00000000015C0000-memory.dmp

Filesize
64KB

Download
memory/4052-16-0x0000000005640000-0x00000000056EE000-memory.dmp

Filesize
696KB

Download
memory/4052-17-0x0000000008A70000-0x0000000008A98000-memory.dmp

Filesize
160KB

Download
memory/4052-18-0x0000000006B00000-0x0000000006B9C000-memory.dmp

Filesize
624KB

Download
memory/4052-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4052-14-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4052-20-0x0000000006D80000-0x0000000006E12000-memory.dmp

Filesize
584KB

Download
memory/4052-13-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4052-22-0x0000000007750000-0x0000000007768000-memory.dmp

Filesize
96KB

Download
memory/4052-23-0x0000000007DB0000-0x0000000007DC6000-memory.dmp

Filesize
88KB

Download
memory/4052-24-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download
memory/4052-30-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/4052-31-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download