imminent | 9b74f7badba83335183324f9d1f19cbc16de16e4df0d2b8a6b98f41f49b7c487

Analysis

max time kernel
134s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cdd03e8e53429c22f46ce41ae406d06.exe
Size

354KB
MD5

5cdd03e8e53429c22f46ce41ae406d06
SHA1

a2670c96f331f146c125f8eea81b03aaa1ccdbdd
SHA256

9b74f7badba83335183324f9d1f19cbc16de16e4df0d2b8a6b98f41f49b7c487
SHA512

0c60c1a9495f1e3c150aec8bf0394ae3011344f17c89fb28081ec37ed08aa811f595ae3535ded1c49f135a0031d137e6a9076d2151c7e15df0672c5250186e87
SSDEEP

3072:swi51kpjgUdkY8NvIKq7BexmKWWVcXKiB9n5qa4bScysIVkMmL9N0g9zWfwabXlj:IopjgUqY86BtWVo5VRIeY/QvDROyEQJ

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\\Microsoft\\svchost.exe"	5cdd03e8e53429c22f46ce41ae406d06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\svchost.exe"	5cdd03e8e53429c22f46ce41ae406d06.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	5cdd03e8e53429c22f46ce41ae406d06.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	5cdd03e8e53429c22f46ce41ae406d06.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	5cdd03e8e53429c22f46ce41ae406d06.exe
File opened for modification	C:\Windows\assembly	5cdd03e8e53429c22f46ce41ae406d06.exe
File created	C:\Windows\assembly\Desktop.ini	5cdd03e8e53429c22f46ce41ae406d06.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4372	5cdd03e8e53429c22f46ce41ae406d06.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	5cdd03e8e53429c22f46ce41ae406d06.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4372	5cdd03e8e53429c22f46ce41ae406d06.exe

C:\Users\Admin\AppData\Local\Temp\5cdd03e8e53429c22f46ce41ae406d06.exe
"C:\Users\Admin\AppData\Local\Temp\5cdd03e8e53429c22f46ce41ae406d06.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
50B

MD5
90f2ffc1a3fd2305dd15911cbe17b87c

SHA1
c3618ae54941e6ebb5a9481915415d4649eb2099

SHA256
8a785776156d3c062f4677e54d737ec6ab48cf8994f5bc3b6b0e2efd734b32f2

SHA512
df95d46bb66e4d507b3f30f1a20561e2e8aef907480d71247ec6b5f06eefc8139aefcebb9e3985d0a26a87c45e1f9219283757a447a34577727c10c35581c005

Download Submit
memory/4372-0-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4372-1-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4372-2-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/4372-22-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4372-26-0x0000000075210000-0x00000000757C1000-memory.dmp

Filesize
5.7MB

Download
memory/4372-29-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads