Malware Analysis Report

2024-11-30 16:02

Sample ID 220615-ht9hgsahap
Target 2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723
SHA256 2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723
Tags
upx imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723

Threat Level: Known bad

The file 2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723 was found to be: Known bad.

Malicious Activity Summary

upx imminent spyware trojan

Imminent RAT

UPX packed file

Drops startup file

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-15 07:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-15 07:02

Reported

2022-06-15 13:22

Platform

win7-20220414-en

Max time kernel

37s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe

"C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe"

Network

N/A

Files

memory/1888-54-0x00000000759E1000-0x00000000759E3000-memory.dmp

memory/1888-55-0x0000000000250000-0x0000000000441000-memory.dmp

memory/1888-56-0x0000000000250000-0x0000000000441000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-15 07:02

Reported

2022-06-15 13:22

Platform

win10v2004-20220414-en

Max time kernel

160s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe"

Signatures

Imminent RAT

trojan spyware imminent

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description: File opened for modification
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMEWDBLD.url
Process: C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe
Target: N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description: PID 3444 set thread context of 1796
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description                     Indicator  Process                                                    Target
Token: SeDebugPrivilege         N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe   N/A
Token: 33                       N/A        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe   N/A
Token: SeIncBasePriorityPrivilege N/A      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe   N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe

"C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country  Destination          Domain                     Proto  Count
NL       20.190.160.67:443    N/A                        tcp    1
US       52.182.143.208:443   N/A                        tcp    1
NL       104.110.191.140:80   N/A                        tcp    2
US       13.107.21.200:443    N/A                        tcp    1
NL       20.190.160.136:443   N/A                        tcp    1
NL       20.190.160.71:443    N/A                        tcp    1
US       8.8.8.8:53           maxibrainz.warzonedns.com  udp    15

Files

memory/3444-130-0x0000000000030000-0x0000000000221000-memory.dmp

memory/3444-131-0x0000000000030000-0x0000000000221000-memory.dmp

memory/1796-132-0x0000000000000000-mapping.dmp

memory/1796-133-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3444-138-0x0000000000030000-0x0000000000221000-memory.dmp

memory/1796-139-0x00000000069B0000-0x0000000006A4C000-memory.dmp

memory/1796-140-0x0000000007000000-0x00000000075A4000-memory.dmp

memory/1796-141-0x0000000006C30000-0x0000000006CC2000-memory.dmp

memory/1796-142-0x0000000007620000-0x0000000007686000-memory.dmp

memory/1796-143-0x0000000007D10000-0x0000000007D1A000-memory.dmp