imminent | f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

Analysis

max time kernel
13s
max time network
9s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A bit Smarter 4.6.1.exe
Size

1.3MB
MD5

7e8236fd0047d8c807d0439b0b77d1d5
SHA1

6a33b3aeab36d5158c7a3dbf1ae306cea1642025
SHA256

f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41
SHA512

04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e
SSDEEP

24576:SMXAF2jHlk02cIwiW0eKGepqMY8QZaYXhGuWLl/n1DFYkI5:S0IOHlUcti/PGoaXYuAtK

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 3 IoCs

pid	Process
2620	A bit Smarter Public Version.exe
1308	netprotocol.exe
2940	spoolsc.exe

Loads dropped DLL 5 IoCs

pid	Process
3032	A bit Smarter 4.6.1.exe
3032	A bit Smarter 4.6.1.exe
3032	A bit Smarter 4.6.1.exe
1308	netprotocol.exe
1308	netprotocol.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 2720	1308	netprotocol.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A bit Smarter 4.6.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A bit Smarter Public Version.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2620	A bit Smarter Public Version.exe
1308	netprotocol.exe
2940	spoolsc.exe
2940	spoolsc.exe
2940	spoolsc.exe
2940	spoolsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	RegAsm.exe
Token: SeDebugPrivilege	1308	netprotocol.exe
Token: SeDebugPrivilege	2940	spoolsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2620	3032	A bit Smarter 4.6.1.exe	30
PID 3032 wrote to memory of 2620	3032	A bit Smarter 4.6.1.exe	30
PID 3032 wrote to memory of 2620	3032	A bit Smarter 4.6.1.exe	30
PID 3032 wrote to memory of 2620	3032	A bit Smarter 4.6.1.exe	30
PID 3032 wrote to memory of 1308	3032	A bit Smarter 4.6.1.exe	31
PID 3032 wrote to memory of 1308	3032	A bit Smarter 4.6.1.exe	31
PID 3032 wrote to memory of 1308	3032	A bit Smarter 4.6.1.exe	31
PID 3032 wrote to memory of 1308	3032	A bit Smarter 4.6.1.exe	31
PID 1308 wrote to memory of 1940	1308	netprotocol.exe	32
PID 1308 wrote to memory of 1940	1308	netprotocol.exe	32
PID 1308 wrote to memory of 1940	1308	netprotocol.exe	32
PID 1308 wrote to memory of 1940	1308	netprotocol.exe	32
PID 1940 wrote to memory of 2496	1940	cmd.exe	34
PID 1940 wrote to memory of 2496	1940	cmd.exe	34
PID 1940 wrote to memory of 2496	1940	cmd.exe	34
PID 1940 wrote to memory of 2496	1940	cmd.exe	34
PID 1308 wrote to memory of 2924	1308	netprotocol.exe	35
PID 1308 wrote to memory of 2924	1308	netprotocol.exe	35
PID 1308 wrote to memory of 2924	1308	netprotocol.exe	35
PID 1308 wrote to memory of 2924	1308	netprotocol.exe	35
PID 2924 wrote to memory of 1540	2924	vbc.exe	37
PID 2924 wrote to memory of 1540	2924	vbc.exe	37
PID 2924 wrote to memory of 1540	2924	vbc.exe	37
PID 2924 wrote to memory of 1540	2924	vbc.exe	37
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2720	1308	netprotocol.exe	38
PID 1308 wrote to memory of 2940	1308	netprotocol.exe	39
PID 1308 wrote to memory of 2940	1308	netprotocol.exe	39
PID 1308 wrote to memory of 2940	1308	netprotocol.exe	39
PID 1308 wrote to memory of 2940	1308	netprotocol.exe	39

C:\Users\Admin\AppData\Local\Temp\A bit Smarter 4.6.1.exe
"C:\Users\Admin\AppData\Local\Temp\A bit Smarter 4.6.1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe
  "C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2620
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wa-xr-gf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES253.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc252.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
    "C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES253.tmp

Filesize
1KB

MD5
d479ee586ccc8d2c8577e3002e229af5

SHA1
7911f34e1b39f81a9baf592891d66f14f9d77a81

SHA256
0342c1f743cb17759c9922e59e623447e07872d1adff2153eab083107f392b69

SHA512
6fc1df9570194e1ee5d26d346e9b586dba13c1a535588c465d9d57c05be37cb524c7c090f4c8111968b526c924c4c8f936d7c453dc6613c00ad48977b8822141

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc252.tmp

Filesize
932B

MD5
a4f1b6d3bf61f6ce1983cf7185422302

SHA1
1ed985cc7a181dc850cc34b1e93ae8e78d350255

SHA256
49910004977b290d4e70d3179bae001ecc38ae455f662e05b5a56d4592bc8125

SHA512
bbb184d02e291fadc27547321b386cb7bfc83ebb64cf26f3058f119dd5de1384f1b514415ac88295c9ccc434f68bcf0a7107760e92eeba53ec26ea7a5e583a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wa-xr-gf.0.vb

Filesize
3KB

MD5
900786350171abc675d131ec7800fcfc

SHA1
ba08346708a18f2007f784145ccc40e109cddcd7

SHA256
3179cb6eb51a8be5bb60cc7b40182cc24db339d7131104b06d2dab0014afcb03

SHA512
20b88b3dcf52bce9ab8a34f7e78db6c54bdefbfa77c54c9c5a06a9ec6b77bf912809b564a1a1a4cac0b98cfccccdb4496d822c12b8cabc3b4861034d33267845

Download Submit
C:\Users\Admin\AppData\Local\Temp\wa-xr-gf.cmdline

Filesize
200B

MD5
c272476df634cc6b187e2a6228d85ffd

SHA1
bbf9705e3a22f2a58813270310f672f16a090d1a

SHA256
a546902b878b72d70ed8fe337a4b196444032c3d32ec4264b8a1a87b73a40b37

SHA512
fa62e9e821bafb55e474f1cc702be99505ae1d4e5ff8a91a6e30b7f6a8770b3913f8b17638803b0abdabf8ef089c327e15b210ff198f706d483ca1019d109c35

Download Submit
\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe

Filesize
496KB

MD5
9ab9b5b94fd820b4d1a642bab1c6d667

SHA1
d7cb65462fa1bc213c3c499925b4dae0e6d3c0a9

SHA256
172341e4b37b0555b4ad2def2ad2939f402c80c91ee6a270feb741a8b9379c94

SHA512
160361057f3b4038260f0038e5fab5167b7a12ca1445eb0e0153587e57e6bbf4753b57e1900abf3664851e27961d3b2182a2eb9bde3f7bad32968f6cbf0523bb

Download Submit
\Users\Admin\AppData\Local\Temp\spoolsc.exe

Filesize
7KB

MD5
50d4223169fd22d5f7cd55428f8a6f5f

SHA1
cc4446d6e8565f774c48718eea5bf5c4d62c65ea

SHA256
e6862143c0e76d15d5ff4fbaa06a075852f44e6a7429bf92640075cb1030b4c1

SHA512
a555745eae4a086d1e6e422c9b6254ccb0d3ea906ec7bf32f7f640565f1c94d183934886f8aca8a08ffc8c67bdd864ec4e9e08058f74fe3263358b5063010d51

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
1.3MB

MD5
7e8236fd0047d8c807d0439b0b77d1d5

SHA1
6a33b3aeab36d5158c7a3dbf1ae306cea1642025

SHA256
f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

SHA512
04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e

Download Submit
memory/1308-25-0x0000000074CD1000-0x0000000074CD2000-memory.dmp

Filesize
4KB

Download
memory/1308-27-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-26-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-61-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-51-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/2620-11-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2620-10-0x000000007165E000-0x000000007165F000-memory.dmp

Filesize
4KB

Download
memory/2720-43-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-50-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-47-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-45-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-53-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2720-52-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3032-2-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-0-0x0000000074CD1000-0x0000000074CD2000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-24-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download