imminent | 4ebe663b8181a37b172efded649a5ac0f61a0bfa570737c9dda3464e7d3654a0

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Size

587KB
MD5

62f6fad0fda5914ffe98a696b39d2664
SHA1

622fbba68efba634088a783ebb7e6e931f7ecd9f
SHA256

4ebe663b8181a37b172efded649a5ac0f61a0bfa570737c9dda3464e7d3654a0
SHA512

484bb8cbacc9907dd3ae9b8922af5169f4ad44385318f193aaf639404cc483aedad3ec9805188ca0bab9206f3538ef04848476206777e8152c21863d66265644
SSDEEP

12288:teR05v6rCmKni142PLmjcrRFTu6VsMSnbtg/nQEUHkk/:Sbqnl2PL9HiMSnJgUj/

Score

10^/10

imminent spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

tmp.exe.exe

pid process

1192 tmp.exe
3964 .exe
Drops desktop.ini file(s) 2 IoCs

Processes:

tmp.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini tmp.exe
File opened for modification C:\Windows\assembly\Desktop.ini tmp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

description pid process target process

PID 2764 set thread context of 3964 2764 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe .exe
Drops file in Windows directory 3 IoCs

Processes:

tmp.exe

description ioc process

File opened for modification C:\Windows\assembly tmp.exe
File created C:\Windows\assembly\Desktop.ini tmp.exe
File opened for modification C:\Windows\assembly\Desktop.ini tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

pid	process
1192	tmp.exe
3964	.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	tmp.exe

description	pid	process	target process
PID 2764 set thread context of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	tmp.exe
File created	C:\Windows\assembly\Desktop.ini	tmp.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	tmp.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

pid	process
2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tmp.exe

pid process

1192 tmp.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exetmp.exe

description pid process

Token: SeDebugPrivilege 2764 62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Token: SeDebugPrivilege 1192 tmp.exe
Token: 33 1192 tmp.exe
Token: SeIncBasePriorityPrivilege 1192 tmp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid process

1192 tmp.exe

pid	process
1192	tmp.exe

description	pid	process
Token: SeDebugPrivilege	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
Token: SeDebugPrivilege	1192	tmp.exe
Token: 33	1192	tmp.exe
Token: SeIncBasePriorityPrivilege	1192	tmp.exe

pid	process
1192	tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe

description	pid	process	target process
PID 2764 wrote to memory of 1192	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	tmp.exe
PID 2764 wrote to memory of 1192	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	tmp.exe
PID 2764 wrote to memory of 1192	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	tmp.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe
PID 2764 wrote to memory of 3964	2764	62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe	.exe

C:\Users\Admin\AppData\Local\Temp\62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\62f6fad0fda5914ffe98a696b39d2664_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
2⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe
Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
323KB

MD5
4b92b21c941444bd7e2f94732bd60f61

SHA1
838c0a98dd4b6769aa4cedbf408a76dfd7bde7c0

SHA256
cfd3cf21481b62f928e8d11af1b49b4c02feaab3491da54afe9ec7f31193205d

SHA512
44b917dc4f2dd7e0118947dab1791c5a1154d25db75ab770ca8c82e453cf3ea2f7f58dc294adfb1b751fcc47da35650afc8ffbbff65855a9d676f4ecda690d63

Download Submit
memory/1192-25-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-40-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-39-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-16-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-20-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-38-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-21-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-37-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-30-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-32-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-0-0x0000000074A22000-0x0000000074A23000-memory.dmp

Filesize
4KB

Download
memory/2764-2-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/2764-1-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3964-24-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3964-27-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3964-23-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3964-22-0x0000000074A20000-0x0000000074FD1000-memory.dmp

Filesize
5.7MB

Download
memory/3964-17-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download