imminent | 03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Size

442KB
MD5

48a52bf6785639698f907abd05e40f84
SHA1

6de2644a5742e53fe497be30388e952455833713
SHA256

03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490
SHA512

6605fddd77733550bbdbf5772b3718444717c420281ebcb3a3f1fb9155c3ae5aa6cea9c87381a0866fb59098a08397f6c02ac0f11a879265d331e4948d843574
SSDEEP

12288:gO3nzR81/CPPYYg8btjp5lQ6GGb2I+ON3BVHLIcgwazbXkZ:5zO1/mYYg85N5lB2PEzOU

Score

10^/10

imminent discovery spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Executes dropped EXE 2 IoCs

pid	Process
2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
File created	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 640 set thread context of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 2072 set thread context of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
File created	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3416	PING.EXE
4136	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3416	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeDebugPrivilege	4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeDebugPrivilege	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeDebugPrivilege	3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: 33	3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
Token: SeIncBasePriorityPrivilege	3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3292	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 640 wrote to memory of 4132	640	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	82
PID 4132 wrote to memory of 2072	4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	87
PID 4132 wrote to memory of 2072	4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	87
PID 4132 wrote to memory of 2072	4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	87
PID 4132 wrote to memory of 4136	4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 4132 wrote to memory of 4136	4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 4132 wrote to memory of 4136	4132	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	88
PID 4136 wrote to memory of 3416	4136	cmd.exe	90
PID 4136 wrote to memory of 3416	4136	cmd.exe	90
PID 4136 wrote to memory of 3416	4136	cmd.exe	90
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91
PID 2072 wrote to memory of 3292	2072	03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe	91

C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
"C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
  "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
    "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe
      "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Temp\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490\03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490.exe

Filesize
442KB

MD5
48a52bf6785639698f907abd05e40f84

SHA1
6de2644a5742e53fe497be30388e952455833713

SHA256
03bab0daf2e3285f26ced738fc0fd010404cf07513a2135b9f2fd8f894a15490

SHA512
6605fddd77733550bbdbf5772b3718444717c420281ebcb3a3f1fb9155c3ae5aa6cea9c87381a0866fb59098a08397f6c02ac0f11a879265d331e4948d843574

Download Submit
memory/640-10-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/640-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/640-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/640-11-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/640-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/2072-25-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2072-26-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2072-27-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2072-34-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4132-8-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4132-7-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4132-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4132-12-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4132-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4132-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4132-28-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download