imminent | 32ad611697fbd9c7dbe438fa7e0f2a4d7c59edbc21ac668741f276a747016c4f

General

Target

59c5cb3570cb24fabecd0675b81255f0.exe
Size

315KB
MD5

59c5cb3570cb24fabecd0675b81255f0
SHA1

efaebb4328c3753bb02075ba768b1d1ab0d76bfc
SHA256

32ad611697fbd9c7dbe438fa7e0f2a4d7c59edbc21ac668741f276a747016c4f
SHA512

45b4dedfbec5107bf661b206ad40bc7c2d3d171751225abff913ebb2192cb4372b850d1eeecc20115b8f1ce23a84d56aee0ede141a401d9d08b4b2ed59856dfa
SSDEEP

6144:/dL4Z3U5O08lC1/rOFh5rboJHDwoqFoNaVFqa5p3jqkXHFxSEnZts:/F4Z3n08WrQ3r6w5os3OkXlxS7

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Deletes itself 1 IoCs

pid	Process
636	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1528	59c5cb3570cb24fabecd0675b81255f0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\\Windows\\svchost.exe"	59c5cb3570cb24fabecd0675b81255f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Windows\\svchost.exe"	59c5cb3570cb24fabecd0675b81255f0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	59c5cb3570cb24fabecd0675b81255f0.exe
File opened for modification	C:\Windows\svchost.exe	59c5cb3570cb24fabecd0675b81255f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2592	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1528	59c5cb3570cb24fabecd0675b81255f0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	59c5cb3570cb24fabecd0675b81255f0.exe
Token: SeDebugPrivilege	1528	59c5cb3570cb24fabecd0675b81255f0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1528	59c5cb3570cb24fabecd0675b81255f0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1528	2176	59c5cb3570cb24fabecd0675b81255f0.exe	31
PID 2176 wrote to memory of 1528	2176	59c5cb3570cb24fabecd0675b81255f0.exe	31
PID 2176 wrote to memory of 1528	2176	59c5cb3570cb24fabecd0675b81255f0.exe	31
PID 2176 wrote to memory of 636	2176	59c5cb3570cb24fabecd0675b81255f0.exe	28
PID 2176 wrote to memory of 636	2176	59c5cb3570cb24fabecd0675b81255f0.exe	28
PID 2176 wrote to memory of 636	2176	59c5cb3570cb24fabecd0675b81255f0.exe	28
PID 636 wrote to memory of 2592	636	cmd.exe	30
PID 636 wrote to memory of 2592	636	cmd.exe	30
PID 636 wrote to memory of 2592	636	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0.exe
"C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2592
- C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0\59c5cb3570cb24fabecd0675b81255f0.exe
  "C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0\59c5cb3570cb24fabecd0675b81255f0.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0\59c5cb3570cb24fabecd0675b81255f0.exe

Filesize
207KB

MD5
f0588c40a73ee9d21efb2b5a01c94d1c

SHA1
4a06fbcb32e6ae168fe991f35ddcf4fa91707cc6

SHA256
ddd5ad2bc4a902c4d106a83246076f0d96ad2836b4a7c67948da3d00e2066adc

SHA512
849f00b14fc0748293dc684587b6fc0d71b1b35e353e1c9704beb490755a50471cb0011bda5dacc052469e34d44e648b51d81fdfe924c3a717645f4960c00c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0\59c5cb3570cb24fabecd0675b81255f0.exe

Filesize
229KB

MD5
4799c8e3ad00364e0c1a4a83b1f9d318

SHA1
36ae2703584f52de849820494a1fe09c5095a6cf

SHA256
264468bd4910a610369fbdeee12cc487366b3ece3199add1b972aac0eb1cacac

SHA512
347d269589eeb38899725460d7b8355d65a6db383f8c7b592340765f3425cb8b11b67911210d3306bd4fed4a976de552b0a6fc6bdd4a7a046ef2eda5fb9b75b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\59c5cb3570cb24fabecd0675b81255f0\59c5cb3570cb24fabecd0675b81255f0.exe

Filesize
220KB

MD5
6e143dd54e49ab723540aa0ca455f834

SHA1
4347d06a61835cc84b77c2f2d54c707b87078821

SHA256
c20d6455026db1aab107989cba48b034b622998202d458c5abd106e2d35d76f3

SHA512
7de846b78a7d48f67ea304c8d695212407266d924259df93c9445ca9e3d1e9f6fbd347e44f27eb4044f82f7a2ba00aecf5fc627d39e49df54497aa615f6cfba9

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
48B

MD5
bd4b58aca703e38b7155b9087a885a09

SHA1
11ad89b4608c0e0756d3616239c034072e82df32

SHA256
840b600bd58fe1c0aaec1830c224a6800ff616f48b80bbde7cb9383334684777

SHA512
ecbfe9f1c8d36ab4b282e6017b1ef5933d0c3e5d93e401176f2cf71b73b282655cef44dff20fe157e18ea7a493f1f3cd78cad539e4d23eaa5ce26bafd9e6d97f

Download Submit
memory/1528-15-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-19-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/1528-13-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-49-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1528-48-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-22-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1528-14-0x0000000000C30000-0x0000000000CB0000-memory.dmp

Filesize
512KB

Download
memory/1528-23-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2176-0-0x000000001AE70000-0x000000001AF92000-memory.dmp

Filesize
1.1MB

Download
memory/2176-2-0x0000000000B30000-0x0000000000BB0000-memory.dmp

Filesize
512KB

Download
memory/2176-4-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-16-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-1-0x000007FEF5D50000-0x000007FEF66ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-5-0x0000000000B00000-0x0000000000B28000-memory.dmp

Filesize
160KB

Download
memory/2176-3-0x0000000000500000-0x000000000055E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads