Malware Analysis Report

2024-11-30 16:01

Sample ID 220615-ccbbgabgb8
Target 2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680
SHA256 2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680

Threat Level: Known bad

The file 2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Drops startup file

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-15 01:55

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-15 01:55

Reported

2022-06-15 07:16

Platform

win7-20220414-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RiBH.com.url | C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 848 wrote to memory of 1100 (12 separate writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Twelve writes from the sample (PID 848) into a child InstallUtil.exe (PID 1100), taken together with the SetThreadContext signature listed in the Malicious Activity Summary, is the process-hollowing pattern: the RAT payload ends up executing inside the .NET Framework's InstallUtil.exe, which is also the process that enables SeDebugPrivilege in the AdjustPrivilegeToken table above.

Processes

C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe

"C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Count
US | 185.158.139.144:5645 | N/A | tcp | 32

Files

memory/848-54-0x0000000075951000-0x0000000075953000-memory.dmp

memory/1100-55-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1100-57-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1100-59-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1100-60-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/1100-61-0x00000000048A0000-0x000000000494E000-memory.dmp

memory/1100-62-0x0000000000950000-0x0000000000978000-memory.dmp

memory/1100-64-0x0000000000900000-0x0000000000916000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-15 01:55

Reported

2022-06-15 07:16

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RiBH.com.url | C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4912 wrote to memory of 4952 (8 separate writes) | N/A | C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
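The WriteProcessMemory, SetThreadContext, startup-file and AdjustPrivilegeToken signatures recur in both detonations (848 -> 1100 on win7, 4912 -> 4952 on win10). The following Python is an added example, not part of this report or of the sandbox's own code, that turns that pattern into a reusable check over a stream of API events. The event dictionaries are constructed to mirror the behavioral1 rows, and their field names (api, pid, target_pid, image, path, privilege) are an assumed schema, not the sandbox's real one.

```python
"""Flag the injection + persistence pattern seen in this report.

Added example; the EVENTS list below is constructed from the behavioral1
rows (PID 848 -> PID 1100, InstallUtil.exe, Startup .url drop) and the field
names are an assumed schema, not the sandbox's export format.
"""
from collections import Counter

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe")
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
STARTUP_DIR = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")

# Constructed event stream modelled on the report's behavioral1 signatures.
EVENTS = (
    [{"api": "CreateProcess", "pid": 848, "image": SAMPLE_EXE,
      "target_pid": 1100, "target_image": INSTALLUTIL}]
    + [{"api": "WriteProcessMemory", "pid": 848, "image": SAMPLE_EXE,
        "target_pid": 1100, "target_image": INSTALLUTIL} for _ in range(12)]
    + [{"api": "SetThreadContext", "pid": 848, "image": SAMPLE_EXE,
        "target_pid": 1100, "target_image": INSTALLUTIL},
       {"api": "NtCreateFile", "pid": 848, "image": SAMPLE_EXE,
        "path": STARTUP_DIR + r"\RiBH.com.url", "write": True},
       {"api": "AdjustTokenPrivileges", "pid": 1100, "image": INSTALLUTIL,
        "privilege": "SeDebugPrivilege"}]
)

# Extensions Explorer will launch from the Startup folder at logon.
STARTUP_EXTS = (".url", ".lnk", ".exe", ".vbs", ".js", ".bat", ".cmd", ".scr")


def _is_windows_binary(path):
    """True for images under C:\\Windows, the hosts hollowing usually picks."""
    return path.lower().startswith("c:\\windows\\")


def find_hollowing(events):
    """(parent_pid, child_pid, child_image, write_count) for every parent that
    both wrote into a child and reset its thread context, where the child is a
    Windows binary: a trusted host being repurposed to run foreign code."""
    writes = Counter()
    ctx_pairs = set()
    child_image = {}
    for e in events:
        pair = (e.get("pid"), e.get("target_pid"))
        if e["api"] == "WriteProcessMemory":
            writes[pair] += 1
            child_image[pair] = e["target_image"]
        elif e["api"] == "SetThreadContext":
            ctx_pairs.add(pair)
            child_image[pair] = e["target_image"]
    return sorted(
        (p, c, child_image[(p, c)], writes[(p, c)])
        for (p, c) in ctx_pairs
        if writes[(p, c)] > 0 and _is_windows_binary(child_image[(p, c)])
    )


def find_startup_drops(events):
    """(pid, path) for files written into a Startup folder with a launchable extension."""
    hits = []
    for e in events:
        if e["api"] != "NtCreateFile" or not e.get("write"):
            continue
        low = e["path"].lower()
        if "\\start menu\\programs\\startup\\" in low and low.endswith(STARTUP_EXTS):
            hits.append((e["pid"], e["path"]))
    return hits


def find_debug_privilege(events):
    """PIDs that enabled SeDebugPrivilege, as InstallUtil.exe does in the report."""
    return sorted({e["pid"] for e in events
                   if e["api"] == "AdjustTokenPrivileges"
                   and e.get("privilege") == "SeDebugPrivilege"})


def triage(events):
    """Run all three checks and count how many fired."""
    findings = {
        "hollowing": find_hollowing(events),
        "startup_drops": find_startup_drops(events),
        "debug_privilege": find_debug_privilege(events),
    }
    findings["hit_count"] = sum(1 for v in findings.values() if v)
    return findings


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(f"{name}: {value}")
```

The hollowing check deliberately requires both a write and a SetThreadContext on the same parent/child pair; a single WriteProcessMemory into a child is common in benign installers, while the combination with a context reset on a Windows-resident image is what distinguishes this sample's behaviour. The same functions apply unchanged to the win10 run once its PIDs (4912, 4952) are substituted.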

Processes

C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe

"C:\Users\Admin\AppData\Local\Temp\2b8440fccbeb5d15bb7f10edbcceb9f0e266834f7e37dfd325b46b022fb00680.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Count
NL | 104.110.191.140:80 | N/A | tcp | 4
US | 13.89.178.26:443 | N/A | tcp | 1
US | 13.107.21.200:443 | N/A | tcp | 1
GB | 92.123.140.25:80 | N/A | tcp | 1
US | 185.158.139.144:5645 | N/A | tcp | 13

Only 185.158.139.144:5645 is common to the win7 and win10 detonations; the 80/443 destinations appear in the win10 run alone and are not attributed to a sample process anywhere in this report.
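The two Network tables (win7 run and win10 run) differ only in traffic that appears in one run; the connection to 185.158.139.144:5645 is what recurs. The following Python is an added example, not part of the report, that collapses the raw rows, intersects the destinations across detonations to isolate that candidate, and emits a Suricata rule for it. The rows are embedded verbatim from the two tables (the win7 block is 32 identical rows); the sid value 1000001 is an arbitrary local-range number, an assumption.

```python
"""Collapse repeated sandbox network rows and isolate the cross-run destination.

Added example; the row blocks are copied from this report's two Network
tables, and the Suricata sid is an arbitrary local-range value (assumption).
"""
from collections import Counter

BEHAVIORAL1_ROWS = "US 185.158.139.144:5645 tcp\n" * 32   # win7 run: 32 identical rows

BEHAVIORAL2_ROWS = "\n".join(                               # win10 run, in report order
    ["NL 104.110.191.140:80 tcp"] * 2
    + ["US 13.89.178.26:443 tcp", "US 13.107.21.200:443 tcp"]
    + ["NL 104.110.191.140:80 tcp"] * 2
    + ["GB 92.123.140.25:80 tcp"]
    + ["US 185.158.139.144:5645 tcp"] * 13
)


def parse_rows(text):
    """Parse 'COUNTRY IP:PORT PROTO' rows into (country, ip, port, proto) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip headers and blank lines
            continue
        country, dest, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append((country, ip, int(port), proto))
    return rows


def summarize(rows):
    """Counter keyed by (ip, port, proto); the value is how often the row repeated."""
    return Counter((ip, port, proto) for _, ip, port, proto in rows)


def c2_candidates(*detonations):
    """Destinations present in every detonation, non-standard ports first.

    A destination that recurs across runs on different OS builds is far more
    likely to be the sample's own beacon than run-specific OS traffic."""
    common = set.intersection(*(set(summarize(r)) for r in detonations))
    return sorted(common, key=lambda d: (d[1] in (80, 443), d[0]))


def run_only(rows, *others):
    """Destinations seen in `rows` but in none of `others`."""
    base = set(summarize(rows))
    for o in others:
        base -= set(summarize(o))
    return sorted(base)


def suricata_rule(ip, port, sid):
    """Minimal Suricata rule for a confirmed C2 destination (sid is caller-chosen)."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Imminent RAT C2 {ip}:{port}"; flow:to_server; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    b1, b2 = parse_rows(BEHAVIORAL1_ROWS), parse_rows(BEHAVIORAL2_ROWS)
    print("win7 :", dict(summarize(b1)))
    print("win10:", dict(summarize(b2)))
    for ip, port, _ in c2_candidates(b1, b2):
        print(suricata_rule(ip, port, 1000001))
    print("win10-only:", run_only(b2, b1))
```

Intersecting across detonations is a cheap way to separate a sample's own beacon from whatever the guest OS does on its own; a destination that shows up in only one run still deserves a look, but it should not go straight onto a block list on the strength of this report alone.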

Files

memory/4952-130-0x0000000000000000-mapping.dmp

memory/4952-131-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4952-132-0x00000000067F0000-0x000000000688C000-memory.dmp

memory/4952-133-0x0000000006E40000-0x00000000073E4000-memory.dmp

memory/4952-134-0x00000000069D0000-0x0000000006A62000-memory.dmp

memory/4952-135-0x00000000073F0000-0x0000000007456000-memory.dmp

memory/4952-136-0x0000000007B10000-0x0000000007B1A000-memory.dmp