imminent | bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
Size

643KB
MD5

a39935cae2a9b4d98dffd139a77908fe
SHA1

6510a8cefe68276ec135cd0f369f78dc6ee364af
SHA256

bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f
SHA512

bca572882272cb306d63c7ca6e8cb4b1402584c0f93aa589d0e5403665239ebbdb00a98e8b8c1f8830c9d6c43b831111da87fe4614a4600e5f0bc0cbe50021bf
SSDEEP

12288:0WvWgQsk9VZQjoOi1dkxVU6S8HWK/a1KPesnWwNnuFBbSEWEEEHnmfY5JdutJRMC:tv7kVii1yUiH5

Score

10^/10

imminent persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Loads dropped DLL 2 IoCs

pid	Process
2888	taskmgr.exe
2888	taskmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost\\svchost.exe"	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\\svchost\\svchost.exe"	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
2888	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
Token: SeDebugPrivilege	2888	taskmgr.exe
Token: 33	2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
Token: SeIncBasePriorityPrivilege	2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2888	2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe	29
PID 2320 wrote to memory of 2888	2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe	29
PID 2320 wrote to memory of 2888	2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe	29
PID 2320 wrote to memory of 2888	2320	bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe	29

C:\Users\Admin\AppData\Local\Temp\bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe
"C:\Users\Admin\AppData\Local\Temp\bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\taskmgr.exe
  "C:\Windows\System32\taskmgr.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2888

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
50B

MD5
5e5949ab86f7e6eb19f2a7d1d11313e9

SHA1
4a92320fc66ef89ae83584962371fe2d7543ffa1

SHA256
581df2cddc7a7b8753b6f7a448ef410500222a70c265e481ce4bd815d3ac0db6

SHA512
dc5f4d1db3484512cc042f566570b9c4c91372a8fa22039d953597df81d5b616e285a0e7893e77d9d9f8ecd7ffed3a8983a62fca4f54159ccd7cf19fb261065c

Download Submit
\Users\Admin\AppData\Local\Temp\bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f.exe

Filesize
643KB

MD5
a39935cae2a9b4d98dffd139a77908fe

SHA1
6510a8cefe68276ec135cd0f369f78dc6ee364af

SHA256
bc5200fff8d5ea7c7e5af68a336b009e598f4d1a079d1a5f32b7f849ed67594f

SHA512
bca572882272cb306d63c7ca6e8cb4b1402584c0f93aa589d0e5403665239ebbdb00a98e8b8c1f8830c9d6c43b831111da87fe4614a4600e5f0bc0cbe50021bf

Download Submit
memory/2320-1-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-0-0x00000000011A0000-0x0000000001248000-memory.dmp

Filesize
672KB

Download
memory/2320-2-0x0000000000490000-0x00000000004B8000-memory.dmp

Filesize
160KB

Download
memory/2320-3-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/2320-6-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2320-32-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-35-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download