imminent | d0c55a35e1e92414c67c3f8f79c6e5c8736e6039cac4b13378c7abd3e87579b7

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NjRAT 0.7D/njRAT v0.7d/njRAT v0.7d.exe
Size

2.1MB
MD5

82797e8e4f73c21fbafe42c0f0a6af02
SHA1

3a3c35c40b15969ea5c4ab466d5df56f3cfd60ed
SHA256

903d1bf52ade4faa221f0b264f1ac2bc816ff82c21542fde9b03d650f85d5ec9
SHA512

21a547080da7aafcd62e3fa588e80d99a3eec23a9bc70789a9402331b41a9996086061748b2ca9b3ad056fb44b585fc85aad7a98950bca543a0979d4aaf06c97
SSDEEP

24576:/tNAFB4Uzr6UeRmmZg8ADHWsJuFfo5jYbYzHSG/UpnMUnFz3Y/l0FbKXjGHO/gF7:/Xw+Fb3HOYF2

Score

10^/10

imminent evasion persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	CRACK.EXE

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	CRACK.EXE

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CRACK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CRACK.EXE

Executes dropped EXE 7 IoCs

pid	Process
1812	CRACK.EXE
1600	NJRAT V0.7D.EXE
1996	SVHOST.EXE
2192	svhost.exe
2840	SVHOST.EXE
1700	svhost.exe
2412	SVHOST.EXE

Loads dropped DLL 13 IoCs

pid	Process
2392	njRAT v0.7d.exe
2392	njRAT v0.7d.exe
2392	njRAT v0.7d.exe
2392	njRAT v0.7d.exe
2392	njRAT v0.7d.exe
1996	SVHOST.EXE
1996	SVHOST.EXE
1812	CRACK.EXE
1812	CRACK.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
1812	CRACK.EXE
1812	CRACK.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Corporation\\svhost.exe"	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2764	PING.EXE
2760	PING.EXE
2120	PING.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
1996	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
2840	SVHOST.EXE
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe
1700	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1700	svhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	CRACK.EXE
Token: SeDebugPrivilege	1996	SVHOST.EXE
Token: SeDebugPrivilege	2840	SVHOST.EXE
Token: SeDebugPrivilege	1700	svhost.exe
Token: 33	1700	svhost.exe
Token: SeIncBasePriorityPrivilege	1700	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1700	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1812	2392	njRAT v0.7d.exe	28
PID 2392 wrote to memory of 1812	2392	njRAT v0.7d.exe	28
PID 2392 wrote to memory of 1812	2392	njRAT v0.7d.exe	28
PID 2392 wrote to memory of 1812	2392	njRAT v0.7d.exe	28
PID 2392 wrote to memory of 1600	2392	njRAT v0.7d.exe	29
PID 2392 wrote to memory of 1600	2392	njRAT v0.7d.exe	29
PID 2392 wrote to memory of 1600	2392	njRAT v0.7d.exe	29
PID 2392 wrote to memory of 1600	2392	njRAT v0.7d.exe	29
PID 2392 wrote to memory of 1996	2392	njRAT v0.7d.exe	30
PID 2392 wrote to memory of 1996	2392	njRAT v0.7d.exe	30
PID 2392 wrote to memory of 1996	2392	njRAT v0.7d.exe	30
PID 2392 wrote to memory of 1996	2392	njRAT v0.7d.exe	30
PID 1996 wrote to memory of 1812	1996	SVHOST.EXE	28
PID 1996 wrote to memory of 1812	1996	SVHOST.EXE	28
PID 1996 wrote to memory of 1812	1996	SVHOST.EXE	28
PID 1996 wrote to memory of 1812	1996	SVHOST.EXE	28
PID 1996 wrote to memory of 1812	1996	SVHOST.EXE	28
PID 1996 wrote to memory of 2192	1996	SVHOST.EXE	32
PID 1996 wrote to memory of 2192	1996	SVHOST.EXE	32
PID 1996 wrote to memory of 2192	1996	SVHOST.EXE	32
PID 1996 wrote to memory of 2192	1996	SVHOST.EXE	32
PID 1996 wrote to memory of 2184	1996	SVHOST.EXE	33
PID 1996 wrote to memory of 2184	1996	SVHOST.EXE	33
PID 1996 wrote to memory of 2184	1996	SVHOST.EXE	33
PID 1996 wrote to memory of 2184	1996	SVHOST.EXE	33
PID 2184 wrote to memory of 2764	2184	cmd.exe	35
PID 2184 wrote to memory of 2764	2184	cmd.exe	35
PID 2184 wrote to memory of 2764	2184	cmd.exe	35
PID 2184 wrote to memory of 2764	2184	cmd.exe	35
PID 1812 wrote to memory of 2840	1812	CRACK.EXE	36
PID 1812 wrote to memory of 2840	1812	CRACK.EXE	36
PID 1812 wrote to memory of 2840	1812	CRACK.EXE	36
PID 1812 wrote to memory of 2840	1812	CRACK.EXE	36
PID 2840 wrote to memory of 1812	2840	SVHOST.EXE	28
PID 2840 wrote to memory of 1812	2840	SVHOST.EXE	28
PID 2840 wrote to memory of 1812	2840	SVHOST.EXE	28
PID 2840 wrote to memory of 1812	2840	SVHOST.EXE	28
PID 2840 wrote to memory of 1812	2840	SVHOST.EXE	28
PID 2840 wrote to memory of 1700	2840	SVHOST.EXE	37
PID 2840 wrote to memory of 1700	2840	SVHOST.EXE	37
PID 2840 wrote to memory of 1700	2840	SVHOST.EXE	37
PID 2840 wrote to memory of 1700	2840	SVHOST.EXE	37
PID 2840 wrote to memory of 1564	2840	SVHOST.EXE	38
PID 2840 wrote to memory of 1564	2840	SVHOST.EXE	38
PID 2840 wrote to memory of 1564	2840	SVHOST.EXE	38
PID 2840 wrote to memory of 1564	2840	SVHOST.EXE	38
PID 1564 wrote to memory of 2760	1564	cmd.exe	40
PID 1564 wrote to memory of 2760	1564	cmd.exe	40
PID 1564 wrote to memory of 2760	1564	cmd.exe	40
PID 1564 wrote to memory of 2760	1564	cmd.exe	40
PID 1812 wrote to memory of 2412	1812	CRACK.EXE	41
PID 1812 wrote to memory of 2412	1812	CRACK.EXE	41
PID 1812 wrote to memory of 2412	1812	CRACK.EXE	41
PID 1812 wrote to memory of 2412	1812	CRACK.EXE	41
PID 1700 wrote to memory of 1812	1700	svhost.exe	28
PID 1700 wrote to memory of 1812	1700	svhost.exe	28
PID 1700 wrote to memory of 1812	1700	svhost.exe	28
PID 1700 wrote to memory of 1812	1700	svhost.exe	28
PID 1700 wrote to memory of 1812	1700	svhost.exe	28
PID 1812 wrote to memory of 1748	1812	CRACK.EXE	43
PID 1812 wrote to memory of 1748	1812	CRACK.EXE	43
PID 1812 wrote to memory of 1748	1812	CRACK.EXE	43
PID 1812 wrote to memory of 1748	1812	CRACK.EXE	43
PID 1812 wrote to memory of 1840	1812	CRACK.EXE	44

C:\Users\Admin\AppData\Local\Temp\NjRAT 0.7D\njRAT v0.7d\njRAT v0.7d.exe
"C:\Users\Admin\AppData\Local\Temp\NjRAT 0.7D\njRAT v0.7d\njRAT v0.7d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\CRACK.EXE"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1000
        5⤵
        Runs ping.exe
        
        PID:2760
- - C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CRACK.EXE
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 127.0.0.1 -n 5&del "C:\Users\Admin\AppData\Local\Temp\CRACK.EXE"
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:2120
- C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE
  "C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE"
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE
  "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost\svhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      Runs ping.exe
      PID:2764

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NJRAT V0.7D.EXE

Filesize
1.6MB

MD5
473e1a7be89c3a727176d4f9f5a64b69

SHA1
501eb2c1432ff2b4e5ff582ad82d0fca152adebc

SHA256
bf853789b938bdc5da8aaeb52511379a332c7cf238266a21bfcb0318a62e85cb

SHA512
4d0ef049c83fe2790e8c201c643b68be26ae854feaeb154e7b1703c9f7c7250abc7307cef035f723fe8d5cf9d85175ff19a7bd37c403536617c8df9f9a7079fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVHOST.EXE

Filesize
321KB

MD5
fadfa817c5a1253997e1552850f4192c

SHA1
444f0fb74b3b270b6e4d90b88f97eb44805edd52

SHA256
05dd7d0db8be999edd96dcbe6c53684b194b423e2c34d94f220143f558570daf

SHA512
63338ebee99609dd50df7d3a64d94955079b2dabc64029d5eb17742b0032e3f47dd1609c41a16af050d99b2002c9d5732c51e10a208e03f42825f1c7baabe5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
360B

MD5
491b310d228b446b3a0aa1cef7301e4a

SHA1
c512625ad65a257fec46f37fd112805e08f5b125

SHA256
f56b3f7c5b0d72f5599f83399570c60f0740f3aa503207add746cafc8845b936

SHA512
5560539414e65bf6aa2f73bc74758f8fef687c7fc926ef503ce4707c1c04b3cbd2473dec8508234dfe55e6a7175ecf8992b299308bf5ef65ae22c9f8af6bac0f

Download Submit
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat

Filesize
63B

MD5
ec8dc8d118b2eb2ed9f10e518a6144c7

SHA1
3a8eb270e8c391f6829366402c236c43363ff116

SHA256
79f10e43a8fdbcd03e3aaedd85b1b7dd460c419a7b4c61c6b24d597880402c1c

SHA512
0a1462494be1e85a1293063e787a7b0a46e55f2d5f6a4fef94f2f5bbc33d136734d27a2be5910c44a90c635df2be9347796e040a2fc2eb6d4d30537ee7ffde62

Download Submit
\Users\Admin\AppData\Local\Temp\CRACK.EXE

Filesize
85KB

MD5
caa83316e90e94b2c2620434a8ac2f5d

SHA1
299a978130cb359d2f9e2b2f1e1d4a6e8ccb2259

SHA256
330fee0fa9b36c20a546a8f9867623c73bd00421681cc703f2be1688fc1c5718

SHA512
18da0883735a51b5bee3724deb68e1703e220ed1478cff420ccbde388d6858f7b8691f9238a078624a29d38de35fee7cbe23073f8021a4c2b15f4a90ddd34705

Download Submit
memory/1812-50-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download
memory/1812-53-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1812-29-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download
memory/1812-26-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download
memory/1812-25-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download
memory/1812-32-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1812-60-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1812-57-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1812-55-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1812-31-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download
memory/1812-75-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1812-86-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1812-83-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/1812-81-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/1812-79-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/1812-34-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1812-27-0x0000000000360000-0x0000000000365000-memory.dmp

Filesize
20KB

Download