imminent | f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AbitSmarter4.6.1.exe
Size

1.3MB
MD5

7e8236fd0047d8c807d0439b0b77d1d5
SHA1

6a33b3aeab36d5158c7a3dbf1ae306cea1642025
SHA256

f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41
SHA512

04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e
SSDEEP

24576:SMXAF2jHlk02cIwiW0eKGepqMY8QZaYXhGuWLl/n1DFYkI5:S0IOHlUcti/PGoaXYuAtK

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Executes dropped EXE 3 IoCs

pid	Process
2796	A bit Smarter Public Version.exe
2768	netprotocol.exe
1440	spoolsc.exe

Loads dropped DLL 5 IoCs

pid	Process
1904	AbitSmarter4.6.1.exe
1904	AbitSmarter4.6.1.exe
1904	AbitSmarter4.6.1.exe
2768	netprotocol.exe
2768	netprotocol.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2884	2768	netprotocol.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AbitSmarter4.6.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A bit Smarter Public Version.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	A bit Smarter Public Version.exe
2768	netprotocol.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe
1440	spoolsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	RegAsm.exe
Token: SeDebugPrivilege	2768	netprotocol.exe
Token: SeDebugPrivilege	1440	spoolsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2884	RegAsm.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2796	1904	AbitSmarter4.6.1.exe	31
PID 1904 wrote to memory of 2796	1904	AbitSmarter4.6.1.exe	31
PID 1904 wrote to memory of 2796	1904	AbitSmarter4.6.1.exe	31
PID 1904 wrote to memory of 2796	1904	AbitSmarter4.6.1.exe	31
PID 1904 wrote to memory of 2768	1904	AbitSmarter4.6.1.exe	32
PID 1904 wrote to memory of 2768	1904	AbitSmarter4.6.1.exe	32
PID 1904 wrote to memory of 2768	1904	AbitSmarter4.6.1.exe	32
PID 1904 wrote to memory of 2768	1904	AbitSmarter4.6.1.exe	32
PID 2768 wrote to memory of 1668	2768	netprotocol.exe	33
PID 2768 wrote to memory of 1668	2768	netprotocol.exe	33
PID 2768 wrote to memory of 1668	2768	netprotocol.exe	33
PID 2768 wrote to memory of 1668	2768	netprotocol.exe	33
PID 1668 wrote to memory of 2632	1668	cmd.exe	35
PID 1668 wrote to memory of 2632	1668	cmd.exe	35
PID 1668 wrote to memory of 2632	1668	cmd.exe	35
PID 1668 wrote to memory of 2632	1668	cmd.exe	35
PID 2768 wrote to memory of 3032	2768	netprotocol.exe	36
PID 2768 wrote to memory of 3032	2768	netprotocol.exe	36
PID 2768 wrote to memory of 3032	2768	netprotocol.exe	36
PID 2768 wrote to memory of 3032	2768	netprotocol.exe	36
PID 3032 wrote to memory of 1884	3032	vbc.exe	38
PID 3032 wrote to memory of 1884	3032	vbc.exe	38
PID 3032 wrote to memory of 1884	3032	vbc.exe	38
PID 3032 wrote to memory of 1884	3032	vbc.exe	38
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 2884	2768	netprotocol.exe	39
PID 2768 wrote to memory of 1440	2768	netprotocol.exe	40
PID 2768 wrote to memory of 1440	2768	netprotocol.exe	40
PID 2768 wrote to memory of 1440	2768	netprotocol.exe	40
PID 2768 wrote to memory of 1440	2768	netprotocol.exe	40

C:\Users\Admin\AppData\Local\Temp\AbitSmarter4.6.1.exe
"C:\Users\Admin\AppData\Local\Temp\AbitSmarter4.6.1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe
  "C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g4ydaz4d.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFBFB.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\spoolsc.exe
    "C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFBFC.tmp

Filesize
1KB

MD5
a5c36aaa3794a2de91521db63a49e065

SHA1
803914595454b92e569e68bfe7c497c20dbb9471

SHA256
1f1aed20ec65276925e22e842dce367963b7dd3b0af1b3752e067c1a6e733554

SHA512
82364b22b0b273f47051fa7b51130d4ca70a8f9be017d821b30ef7fcffe3f69138fc69112cf5958963cfba8b028e5e5d548838218de67abe8a44573284efb828

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4ydaz4d.0.vb

Filesize
3KB

MD5
900786350171abc675d131ec7800fcfc

SHA1
ba08346708a18f2007f784145ccc40e109cddcd7

SHA256
3179cb6eb51a8be5bb60cc7b40182cc24db339d7131104b06d2dab0014afcb03

SHA512
20b88b3dcf52bce9ab8a34f7e78db6c54bdefbfa77c54c9c5a06a9ec6b77bf912809b564a1a1a4cac0b98cfccccdb4496d822c12b8cabc3b4861034d33267845

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4ydaz4d.cmdline

Filesize
200B

MD5
e41706ddbdba4c6994a80aee63298b26

SHA1
476994dcd1114230d2a0f50934201caa59ba593f

SHA256
d52ac72b211d4fda9ac7cea1bf0ee3cf9dcf649645532a3e00cb140039036db2

SHA512
ec46a77e9c40f490a5c6b6c767e679f0522a846e4e4f3bca47bc8b3eab31183a38b9909cc4af372b558c62f52b17f25a66fc57a3d7f376415840066e49897b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\spoolsc.exe

Filesize
7KB

MD5
33369d083d8038bc5b27b013806fcccb

SHA1
1358c605aa75d737a12e0c82c7eff9d8dd749186

SHA256
e330da32cfffebb8850d846db80a44be61835b0b91e4f7637cef432059cd8aea

SHA512
847940b8566e4a621d7cd4ccb21c067c3c481002a1381ef8cb7f77aabffe4354ce92e8f3a81fa84452911f89502f29f040ca2a219941907ec104bbb6f69b42a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFBFB.tmp

Filesize
932B

MD5
a4f1b6d3bf61f6ce1983cf7185422302

SHA1
1ed985cc7a181dc850cc34b1e93ae8e78d350255

SHA256
49910004977b290d4e70d3179bae001ecc38ae455f662e05b5a56d4592bc8125

SHA512
bbb184d02e291fadc27547321b386cb7bfc83ebb64cf26f3058f119dd5de1384f1b514415ac88295c9ccc434f68bcf0a7107760e92eeba53ec26ea7a5e583a4a

Download Submit
\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe

Filesize
496KB

MD5
9ab9b5b94fd820b4d1a642bab1c6d667

SHA1
d7cb65462fa1bc213c3c499925b4dae0e6d3c0a9

SHA256
172341e4b37b0555b4ad2def2ad2939f402c80c91ee6a270feb741a8b9379c94

SHA512
160361057f3b4038260f0038e5fab5167b7a12ca1445eb0e0153587e57e6bbf4753b57e1900abf3664851e27961d3b2182a2eb9bde3f7bad32968f6cbf0523bb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
1.3MB

MD5
7e8236fd0047d8c807d0439b0b77d1d5

SHA1
6a33b3aeab36d5158c7a3dbf1ae306cea1642025

SHA256
f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

SHA512
04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e

Download Submit
memory/1904-26-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-0-0x0000000074321000-0x0000000074322000-memory.dmp

Filesize
4KB

Download
memory/1904-2-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-1-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-24-0x0000000074321000-0x0000000074322000-memory.dmp

Filesize
4KB

Download
memory/2768-58-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-25-0x0000000074320000-0x00000000748CB000-memory.dmp

Filesize
5.7MB

Download
memory/2796-53-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/2796-11-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/2796-10-0x00000000711EE000-0x00000000711EF000-memory.dmp

Filesize
4KB

Download
memory/2884-41-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-44-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-49-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-50-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-51-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-46-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2884-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-42-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download