imminent | 114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247

General

Target

0a37ecfea5074fff2de431e643e74af0.exe
Size

693KB
MD5

0a37ecfea5074fff2de431e643e74af0
SHA1

4ff3dfa39ae7fd46772c30ff547ed935e134396f
SHA256

114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247
SHA512

7ee5854e7e3cebf76de910b47f427095c420cd27c227d74cd0c62e44f2adfc429c1abb02391cc7ca15df28a99ce471c4912d4a41fc43e234d78029f330f3c33f
SSDEEP

12288:tSIzbMSwyUI2buNNqwfVsQV2wWU4dh2hPnmrTVr5i38VeUbBxjv:tSibMSws2SqwGuZUgz3kXjv

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 1 IoCs

pid	Process
2668	0a37ecfea5074fff2de431e643e74af0.exe

Loads dropped DLL 1 IoCs

pid	Process
1220	0a37ecfea5074fff2de431e643e74af0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\Sample.lnk"	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1220	0a37ecfea5074fff2de431e643e74af0.exe
1220	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	0a37ecfea5074fff2de431e643e74af0.exe
Token: SeDebugPrivilege	2668	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2384	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	0a37ecfea5074fff2de431e643e74af0.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2244	1220	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1220 wrote to memory of 2244	1220	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1220 wrote to memory of 2244	1220	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1220 wrote to memory of 2244	1220	0a37ecfea5074fff2de431e643e74af0.exe	28
PID 1220 wrote to memory of 2748	1220	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1220 wrote to memory of 2748	1220	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1220 wrote to memory of 2748	1220	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1220 wrote to memory of 2748	1220	0a37ecfea5074fff2de431e643e74af0.exe	30
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33
PID 1220 wrote to memory of 2668	1220	0a37ecfea5074fff2de431e643e74af0.exe	33

C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe
"C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:2244
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe
  "C:\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dfbad7c4f2dcf58c8edbe69f42d33456

SHA1
49aa287a806865aa55741ac279c2208bfbe89118

SHA256
ef2b31ec17c9b6774aa672c911874b96d927c0d52c7e8bbb9b7c3f7879047525

SHA512
40c44f340a1f38ea28a3ca0f086359815a827da77e4eef3db3b2d787b2ec23cefa10cefe9c2b2bc387bcc18f8b4b995a02619f47e9d3403243425153df2c9977

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA66D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\small13.jpg

Filesize
18KB

MD5
80fb8abb9c3accd6a5040f9d35c4cfba

SHA1
856cf9162631fb5b1c3118560b0d20340d95d4a0

SHA256
6a81e3a9a8591ac8b6db2636cd0a130b033212848a6118b0217b4e8f1d6d6cee

SHA512
d962aaf75641d936da2d532479434ad6452a688859cd38000af51aad72e4a08d4b0c9d618e2ba38aef4316957d47a51049abe988f10f8c077d8de74f2bd39ec8

Download Submit
\Users\Admin\AppData\Local\Temp\0a37ecfea5074fff2de431e643e74af0.exe

Filesize
693KB

MD5
0a37ecfea5074fff2de431e643e74af0

SHA1
4ff3dfa39ae7fd46772c30ff547ed935e134396f

SHA256
114ad38ef50939dbc71a24923dff65aad0167b7679805d3c3a5a2fd4b6925247

SHA512
7ee5854e7e3cebf76de910b47f427095c420cd27c227d74cd0c62e44f2adfc429c1abb02391cc7ca15df28a99ce471c4912d4a41fc43e234d78029f330f3c33f

Download Submit
memory/1220-37-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-19-0x0000000004A40000-0x0000000004A42000-memory.dmp

Filesize
8KB

Download
memory/1220-53-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-0-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-1-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-51-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/1220-15-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/1220-50-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/1220-49-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-2-0x0000000002050000-0x0000000002090000-memory.dmp

Filesize
256KB

Download
memory/1220-13-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2384-25-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2384-20-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2384-56-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2668-27-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-39-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2668-38-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-31-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2668-34-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-28-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-24-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-33-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-36-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2668-58-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2668-57-0x0000000074900000-0x0000000074EAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads