imminent | 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Size

442KB
MD5

48a52bf6785639698f907abd05e40f84
SHA1

6de2644a5742e53fe497be30388e952455833713
SHA256

03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490
SHA512

6605fddd77733550bbdbf5772b3718444717c420281ebcb3a3f1fb9155c3ae5aa6cea9c87381a0866fb59098a08397f6c02ac0f11a879265d331e4948d843574
SSDEEP

12288:gO3nzR81/CPPYYg8btjp5lQ6GGb2I+ON3BVHLIcgwazbXkZ:5zO1/mYYg85N5lB2PEzOU

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Executes dropped EXE 2 IoCs

pid	Process
2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2080 set thread context of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
File created	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
32	cmd.exe
4288	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4288	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeDebugPrivilege	3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeDebugPrivilege	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeDebugPrivilege	1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: 33	1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeIncBasePriorityPrivilege	1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1224	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2208 wrote to memory of 3584	2208	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 3584 wrote to memory of 2080	3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	84
PID 3584 wrote to memory of 2080	3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	84
PID 3584 wrote to memory of 2080	3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	84
PID 3584 wrote to memory of 32	3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	85
PID 3584 wrote to memory of 32	3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	85
PID 3584 wrote to memory of 32	3584	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	85
PID 32 wrote to memory of 4288	32	cmd.exe	87
PID 32 wrote to memory of 4288	32	cmd.exe	87
PID 32 wrote to memory of 4288	32	cmd.exe	87
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 2080 wrote to memory of 1224	2080	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88

C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
"C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
    "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
      "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Filesize
442KB

MD5
48a52bf6785639698f907abd05e40f84

SHA1
6de2644a5742e53fe497be30388e952455833713

SHA256
03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490

SHA512
6605fddd77733550bbdbf5772b3718444717c420281ebcb3a3f1fb9155c3ae5aa6cea9c87381a0866fb59098a08397f6c02ac0f11a879265d331e4948d843574

Download Submit
memory/2080-35-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2080-28-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2080-26-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2080-27-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2208-1-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2208-2-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2208-0-0x0000000075342000-0x0000000075343000-memory.dmp

Filesize
4KB

Download
memory/2208-12-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2208-11-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3584-13-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-10-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-9-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-7-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3584-29-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/3584-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download