imminent | 3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca

Analysis

max time kernel
99s
max time network
110s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe
Size

1.6MB
MD5

1fbedc7b8c82a26cb3776bbc30c48a5c
SHA1

3b6e3f62f1b5c7ba16bb86bcbc4609678e1ba0bf
SHA256

3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca
SHA512

83835506a4b4c8099fcad057250cd852a3385ee9c52f1cbeba538bdbe4d6d0985dffba85d21490a0a13f0e0da47a35a8a0f5ecbac004137299c5fcf1a84eee85
SSDEEP

12288:FS5O2oHOQsPmB73yWuPYHXDJB/g8buYR1wpoaanFC2oe6weFC9VfDPgnXPh8WiBb:FS5O2oJB73yG/giR0oVye4ep6XOjmzhE

Score

10^/10

imminent discovery persistence spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\file.exe"	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	System interrupts .exe

Loads dropped DLL 1 IoCs

pid	Process
2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System interrupts .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2936	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe
2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe
2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2148	System interrupts .exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe
Token: SeDebugPrivilege	2148	System interrupts .exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2148	System interrupts .exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3008	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	30
PID 2316 wrote to memory of 3008	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	30
PID 2316 wrote to memory of 3008	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	30
PID 2316 wrote to memory of 3008	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	30
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 2316 wrote to memory of 2148	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	32
PID 3008 wrote to memory of 1224	3008	cmd.exe	33
PID 3008 wrote to memory of 1224	3008	cmd.exe	33
PID 3008 wrote to memory of 1224	3008	cmd.exe	33
PID 3008 wrote to memory of 1224	3008	cmd.exe	33
PID 1224 wrote to memory of 2752	1224	wscript.exe	34
PID 1224 wrote to memory of 2752	1224	wscript.exe	34
PID 1224 wrote to memory of 2752	1224	wscript.exe	34
PID 1224 wrote to memory of 2752	1224	wscript.exe	34
PID 2316 wrote to memory of 1640	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	37
PID 2316 wrote to memory of 1640	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	37
PID 2316 wrote to memory of 1640	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	37
PID 2316 wrote to memory of 1640	2316	3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe	37
PID 1640 wrote to memory of 2936	1640	cmd.exe	39
PID 1640 wrote to memory of 2936	1640	cmd.exe	39
PID 1640 wrote to memory of 2936	1640	cmd.exe	39
PID 1640 wrote to memory of 2936	1640	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe
"C:\Users\Admin\AppData\Local\Temp\3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- C:\Users\Admin\AppData\Roaming\System interrupts .exe
  "C:\Users\Admin\AppData\Roaming\System interrupts .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\FolderName\stres.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
75B

MD5
b33985e3fc0ff1814a70626c744d2fd9

SHA1
269ff1b7ff5510822cd5207ca8593e48672d7431

SHA256
b4a06f7d7c2b2887801515c8f0cdc7a4cf8245af5afa38314f72952bd18fb357

SHA512
689de361836ff6053e2f0c88942e0b7ac62a3cbc8e8ef923d49c6e84e4c28e65c11588b6d88b69abad86e06d5eb22586d22cafe1abff1ceb6e0fc0d930a97769

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
77B

MD5
a557a61b017faddffbf634b01b09afa2

SHA1
324addd96cc2878fe77c1de25fa59b90afa81172

SHA256
9d605915f3bfafc681b550536c203f51698b695dcf1b44f991f517cfa2bc85aa

SHA512
0666502bac0b965c4bc0fa6f7e360c9ca44df50a5fb85a0754d8db534a7db85297ae1654207b9fe16b8525603fefa8ddb96a792da30f0846af38266fbb2a9178

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\rundll11-.txt

Filesize
1.6MB

MD5
1fbedc7b8c82a26cb3776bbc30c48a5c

SHA1
3b6e3f62f1b5c7ba16bb86bcbc4609678e1ba0bf

SHA256
3b603c01ce2e49044dd3355cac57e02a049c558a680fa108683af452b7fc53ca

SHA512
83835506a4b4c8099fcad057250cd852a3385ee9c52f1cbeba538bdbe4d6d0985dffba85d21490a0a13f0e0da47a35a8a0f5ecbac004137299c5fcf1a84eee85

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\stres.bat

Filesize
228B

MD5
e832589ab098b4e9894b27f3f37d97fb

SHA1
d379434086919ff1a1f369feaffe56c45ab0b6c6

SHA256
718e1e8c2c7c0d0ff617b11fef703affe7818e82d6aad2d84982d1200742a62a

SHA512
1d0b0dc46d361b0f2c221bbd5092cd42d5a504f88c4e982ff93663a84b2f149f7b56fce9cceef26c9fea6d5e9b658f6cee016185a1f6c7a7419bd7f4391940e5

Download Submit
\Users\Admin\AppData\Roaming\System interrupts .exe

Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/2148-41-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2148-25-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2148-23-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2148-21-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2148-19-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2148-35-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2148-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-39-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2316-0-0x00000000749D1000-0x00000000749D2000-memory.dmp

Filesize
4KB

Download
memory/2316-2-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-34-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-1-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download
memory/2316-55-0x00000000749D0000-0x0000000074F7B000-memory.dmp

Filesize
5.7MB

Download