imminent | b0368cae653f4d839e417afb7875e71a54324806382951f44c9e19598ebc3e27

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6268d11a8352702f4d032c379932907.exe
Size

645KB
MD5

b6268d11a8352702f4d032c379932907
SHA1

99e1fd77dc77bbe2cd36394b47eff6c5300dc233
SHA256

b0368cae653f4d839e417afb7875e71a54324806382951f44c9e19598ebc3e27
SHA512

6613eb0dc1229bbfa2ba7fc87fcf70e4108d8f5f3ab2b9db443fe59054209de94e77d5058062aedf0afa85c27442de043cf17afb5018bff32543adc3f1fe3267
SSDEEP

12288:9lQwbcauT1dH2kCuPsTZXHyyf1/pqsVKLqdz4keFyLP5:9QauTTzPs1yzsEjwLP5

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	b6268d11a8352702f4d032c379932907.exe

Loads dropped DLL 3 IoCs

pid	Process
2924	b6268d11a8352702f4d032c379932907.exe
2532	taskmgr.exe
2532	taskmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Office = "C:\\Users\\Admin\\AppData\\Local\\Microsoft Office Collection\\office365.exe"	b6268d11a8352702f4d032c379932907.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Office = "\\Microsoft Office Collection\\office365.exe"	b6268d11a8352702f4d032c379932907.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	b6268d11a8352702f4d032c379932907.exe
2624	b6268d11a8352702f4d032c379932907.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2624	b6268d11a8352702f4d032c379932907.exe
2532	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	b6268d11a8352702f4d032c379932907.exe
Token: SeDebugPrivilege	2624	b6268d11a8352702f4d032c379932907.exe
Token: SeDebugPrivilege	2532	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe
2532	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	b6268d11a8352702f4d032c379932907.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2624	2924	b6268d11a8352702f4d032c379932907.exe	28
PID 2924 wrote to memory of 2624	2924	b6268d11a8352702f4d032c379932907.exe	28
PID 2924 wrote to memory of 2624	2924	b6268d11a8352702f4d032c379932907.exe	28
PID 2924 wrote to memory of 2624	2924	b6268d11a8352702f4d032c379932907.exe	28
PID 2924 wrote to memory of 2528	2924	b6268d11a8352702f4d032c379932907.exe	29
PID 2924 wrote to memory of 2528	2924	b6268d11a8352702f4d032c379932907.exe	29
PID 2924 wrote to memory of 2528	2924	b6268d11a8352702f4d032c379932907.exe	29
PID 2924 wrote to memory of 2528	2924	b6268d11a8352702f4d032c379932907.exe	29
PID 2528 wrote to memory of 2776	2528	cmd.exe	31
PID 2528 wrote to memory of 2776	2528	cmd.exe	31
PID 2528 wrote to memory of 2776	2528	cmd.exe	31
PID 2528 wrote to memory of 2776	2528	cmd.exe	31
PID 2624 wrote to memory of 2532	2624	b6268d11a8352702f4d032c379932907.exe	32
PID 2624 wrote to memory of 2532	2624	b6268d11a8352702f4d032c379932907.exe	32
PID 2624 wrote to memory of 2532	2624	b6268d11a8352702f4d032c379932907.exe	32
PID 2624 wrote to memory of 2532	2624	b6268d11a8352702f4d032c379932907.exe	32

C:\Users\Admin\AppData\Local\Temp\b6268d11a8352702f4d032c379932907.exe
"C:\Users\Admin\AppData\Local\Temp\b6268d11a8352702f4d032c379932907.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\b6268d11a8352702f4d032c379932907\b6268d11a8352702f4d032c379932907.exe
  "C:\Users\Admin\AppData\Local\Temp\b6268d11a8352702f4d032c379932907\b6268d11a8352702f4d032c379932907.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\b6268d11a8352702f4d032c379932907.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 1000
    3⤵
    - Runs ping.exe
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
70B

MD5
8efaf0f5e37779d7e6bc815e51fd10a7

SHA1
725071d4f33ec443738395a5d7b651711424df05

SHA256
17b71f1c104f2d0830d27d0f8b502f39a319c95f303b6e23d6c3b9f364ae2413

SHA512
200e2ebd49706df349c1e47abe0724f258c114586acb4f30e3fe5dde8aa5d7e3040cae0359262439d2566292794386cd463feb02dc2c81b6c74675cd8b738548

Download Submit
\Users\Admin\AppData\Local\Temp\b6268d11a8352702f4d032c379932907\b6268d11a8352702f4d032c379932907.exe

Filesize
645KB

MD5
b6268d11a8352702f4d032c379932907

SHA1
99e1fd77dc77bbe2cd36394b47eff6c5300dc233

SHA256
b0368cae653f4d839e417afb7875e71a54324806382951f44c9e19598ebc3e27

SHA512
6613eb0dc1229bbfa2ba7fc87fcf70e4108d8f5f3ab2b9db443fe59054209de94e77d5058062aedf0afa85c27442de043cf17afb5018bff32543adc3f1fe3267

Download Submit
memory/2624-15-0x0000000004F80000-0x0000000004FC0000-memory.dmp

Filesize
256KB

Download
memory/2624-12-0x00000000010A0000-0x00000000010AA000-memory.dmp

Filesize
40KB

Download
memory/2624-13-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-18-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2624-20-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/2624-45-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-3-0x0000000000510000-0x0000000000538000-memory.dmp

Filesize
160KB

Download
memory/2924-4-0x00000000054C0000-0x0000000005500000-memory.dmp

Filesize
256KB

Download
memory/2924-2-0x0000000000610000-0x000000000066E000-memory.dmp

Filesize
376KB

Download
memory/2924-14-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-0-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/2924-1-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download