imminent | 3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
Size

803KB
MD5

bcfc0f409a85ca08b9cc4aadc642d2db
SHA1

158934868163c72c134eb2e4f91da0bc6adc8a7c
SHA256

3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85
SHA512

e14bf36cd66c6cfa2e94c84d6e3eb22c21e6152c8ad38ae2ebdcafef4a4ec2717c98ba939c86358f9f5602ddbf9a107f4b545eff4cf1de4b5bfecc371f4cbb1c
SSDEEP

24576:bkGvM/P1U4bBTOKr26GU5OYsnXgxvrQrAnuIws:b2/P1UOtOKC6GrYsgxTQTIH

Score

10^/10

imminent discovery spyware trojan upx

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Imminent family
imminent

Executes dropped EXE 3 IoCs

pid	Process
1976	refsutil.exe
1840	refsutil.exe
604	refsutil.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2736-13-0x00000000000E0000-0x0000000000268000-memory.dmp	autoit_exe
behavioral1/memory/1976-35-0x00000000013A0000-0x0000000001528000-memory.dmp	autoit_exe
behavioral1/memory/1840-49-0x00000000013A0000-0x0000000001528000-memory.dmp	autoit_exe
behavioral1/memory/604-64-0x00000000003D0000-0x0000000000558000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 1976 set thread context of 2800	1976	refsutil.exe	40
PID 1840 set thread context of 912	1840	refsutil.exe	44
PID 604 set thread context of 1836	604	refsutil.exe	48

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-0-0x00000000000E0000-0x0000000000268000-memory.dmp	upx
behavioral1/memory/2736-13-0x00000000000E0000-0x0000000000268000-memory.dmp	upx
behavioral1/files/0x0008000000015d07-21.dat	upx
behavioral1/memory/1976-23-0x00000000013A0000-0x0000000001528000-memory.dmp	upx
behavioral1/memory/1976-35-0x00000000013A0000-0x0000000001528000-memory.dmp	upx
behavioral1/memory/1840-49-0x00000000013A0000-0x0000000001528000-memory.dmp	upx
behavioral1/memory/604-53-0x00000000003D0000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/604-64-0x00000000003D0000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	refsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	refsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	refsutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2520	schtasks.exe
2652	schtasks.exe
1968	schtasks.exe
2064	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	RegAsm.exe
Token: 33	2812	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2812	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2812	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2812	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	31
PID 2736 wrote to memory of 2652	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	32
PID 2736 wrote to memory of 2652	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	32
PID 2736 wrote to memory of 2652	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	32
PID 2736 wrote to memory of 2652	2736	3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe	32
PID 1884 wrote to memory of 1976	1884	taskeng.exe	39
PID 1884 wrote to memory of 1976	1884	taskeng.exe	39
PID 1884 wrote to memory of 1976	1884	taskeng.exe	39
PID 1884 wrote to memory of 1976	1884	taskeng.exe	39
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 2800	1976	refsutil.exe	40
PID 1976 wrote to memory of 1968	1976	refsutil.exe	41
PID 1976 wrote to memory of 1968	1976	refsutil.exe	41
PID 1976 wrote to memory of 1968	1976	refsutil.exe	41
PID 1976 wrote to memory of 1968	1976	refsutil.exe	41
PID 1884 wrote to memory of 1840	1884	taskeng.exe	43
PID 1884 wrote to memory of 1840	1884	taskeng.exe	43
PID 1884 wrote to memory of 1840	1884	taskeng.exe	43
PID 1884 wrote to memory of 1840	1884	taskeng.exe	43
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 912	1840	refsutil.exe	44
PID 1840 wrote to memory of 2064	1840	refsutil.exe	45
PID 1840 wrote to memory of 2064	1840	refsutil.exe	45
PID 1840 wrote to memory of 2064	1840	refsutil.exe	45
PID 1840 wrote to memory of 2064	1840	refsutil.exe	45
PID 1884 wrote to memory of 604	1884	taskeng.exe	47
PID 1884 wrote to memory of 604	1884	taskeng.exe	47
PID 1884 wrote to memory of 604	1884	taskeng.exe	47
PID 1884 wrote to memory of 604	1884	taskeng.exe	47
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 1836	604	refsutil.exe	48
PID 604 wrote to memory of 2520	604	refsutil.exe	49
PID 604 wrote to memory of 2520	604	refsutil.exe	49
PID 604 wrote to memory of 2520	604	refsutil.exe	49
PID 604 wrote to memory of 2520	604	refsutil.exe	49

C:\Users\Admin\AppData\Local\Temp\3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe
"C:\Users\Admin\AppData\Local\Temp\3e4cc9062e2e97a4a780c31c2f5405c534772ba8702c952945629356a3984a85.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2884

C:\Windows\system32\taskeng.exe
taskeng.exe {D2791D31-9ACD-4B2B-BA67-086BEAC10E8A} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\advpack\refsutil.exe
  C:\Users\Admin\advpack\refsutil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1968
- C:\Users\Admin\advpack\refsutil.exe
  C:\Users\Admin\advpack\refsutil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2064
- C:\Users\Admin\advpack\refsutil.exe
  C:\Users\Admin\advpack\refsutil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn NgcIso /tr "C:\Users\Admin\advpack\refsutil.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\advpack\refsutil.exe

Filesize
803KB

MD5
be6b354c0cb65ace3fde0c7f92884157

SHA1
a6e06e32316ec9bce641568e7b7ef1642fa19abe

SHA256
76588615d5fcdd509e65e78295d919dcfa3a7470fa7fc8444734771460d0b55f

SHA512
95623f03cac652fb53ba73e5c04b6266ef2c3ae705858fbd120990d05d4e33d854fbfeac8bda01a76fa39cf1333f3a756bb70fbcef032e48b18c5ef73e9f4b81

Download Submit
memory/604-64-0x00000000003D0000-0x0000000000558000-memory.dmp

Filesize
1.5MB

Download
memory/604-53-0x00000000003D0000-0x0000000000558000-memory.dmp

Filesize
1.5MB

Download
memory/1840-49-0x00000000013A0000-0x0000000001528000-memory.dmp

Filesize
1.5MB

Download
memory/1976-35-0x00000000013A0000-0x0000000001528000-memory.dmp

Filesize
1.5MB

Download
memory/1976-23-0x00000000013A0000-0x0000000001528000-memory.dmp

Filesize
1.5MB

Download
memory/2736-1-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2736-0-0x00000000000E0000-0x0000000000268000-memory.dmp

Filesize
1.5MB

Download
memory/2736-13-0x00000000000E0000-0x0000000000268000-memory.dmp

Filesize
1.5MB

Download
memory/2812-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-20-0x0000000074612000-0x0000000074614000-memory.dmp

Filesize
8KB

Download
memory/2812-14-0x0000000074612000-0x0000000074614000-memory.dmp

Filesize
8KB

Download
memory/2812-3-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2812-9-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2812-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads