Malware Analysis Report

2024-11-30 16:01

Sample ID: 220621-v5qkzagfan
Target: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b
SHA256: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b
Tags: imminent, spyware, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b

Threat Level: Known bad

The file 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b was found to be: Known bad.

Malicious Activity Summary

Tags: imminent, spyware, trojan

Imminent RAT
Checks computer location settings
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-21 17:34

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-21 17:34
Reported: 2022-06-21 17:39
Platform: win10v2004-20220414-en
Max time kernel: 163s
Max time network: 166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"

Signatures

Imminent RAT

Tags: trojan, spyware, imminent

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 392 set thread context of 3544 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A (2 entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A (2 entries)
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1296 wrote to memory of 392 (3 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
PID 392 wrote to memory of 2532 (3 entries) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\SysWOW64\schtasks.exe
PID 392 wrote to memory of 3544 (8 entries) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
    "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzXipsZcwgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87CD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
NL | 104.110.191.140:80 | | tcp
NL | 104.110.191.133:80 | | tcp
US | 20.189.173.11:443 | | tcp
NL | 104.110.191.140:80 | | tcp
US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp
BE | 8.238.110.126:80 | | tcp
NL | 104.110.191.133:80 | | tcp
US | 8.8.8.8:53 | deoffice2018.ddns.net | udp

Files

memory/1296-130-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/1296-131-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/392-132-0x0000000000000000-mapping.dmp
memory/1296-133-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/392-134-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/392-135-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/2532-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp87CD.tmp
    MD5    fd6326c611061193c278fbdb5f9efa80
    SHA1   818c2e7be48d422683b7795e8f1c9b6d6b2ee591
    SHA256 3b8c26207c73de67d4d7f2b39618ec6fc02be9750290f5d581db08d276b05d2f
    SHA512 0f11e1c883215fdd28e049a538df40c34dd258f12175553b12251dd05f44c0411cd91eb0d88d3572ace805fe12cc40ca4aa57ac371ac716326e233b67f7ab8a6

memory/3544-138-0x0000000000000000-mapping.dmp
memory/3544-139-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\installutil.exe.log
    MD5    7a4a84f4d2df1fe011638038702dad89
    SHA1   64e9856d95b2064ff51e1c77819c818e6e5b3291
    SHA256 cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590
    SHA512 cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d

memory/392-141-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/3544-142-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/3544-143-0x0000000074FE0000-0x0000000075591000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-21 17:34
Reported: 2022-06-21 17:40
Platform: win7-20220414-en
Max time kernel: 169s
Max time network: 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"

Signatures

Imminent RAT

Tags: trojan, spyware, imminent

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 632 set thread context of 932 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\debug\WIA\SzXipsZcwgn.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A
File opened for modification | C:\Windows\debug\WIA\SzXipsZcwgn.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A (2 entries)
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1832 wrote to memory of 632 (7 entries) | N/A | C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
PID 632 wrote to memory of 1792 (4 entries) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\SysWOW64\schtasks.exe
PID 632 wrote to memory of 932 (12 entries) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
    "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzXipsZcwgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AA4.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"

C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | deoffice2018.ddns.net | udp

Files

memory/1832-54-0x0000000074F91000-0x0000000074F93000-memory.dmp
memory/1832-55-0x0000000073FB0000-0x000000007455B000-memory.dmp
memory/632-56-0x0000000000000000-mapping.dmp
memory/1832-58-0x0000000073FB0000-0x000000007455B000-memory.dmp
memory/632-59-0x0000000073FB0000-0x000000007455B000-memory.dmp
memory/632-60-0x0000000073FB0000-0x000000007455B000-memory.dmp
memory/1792-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8AA4.tmp
    MD5    a9338171b45140f38858428d30278082
    SHA1   1f33a6dbeb2cb60a1d47f116492e890ec366ca36
    SHA256 016876ac4eda3813361eb2808cabc5119cbfb93fb55766c064f24820f80456d3
    SHA512 ea19b4b01d6b6d5fb2a162fc00521dfbd0585393f24117d3d361a38cc5e0c815a49b877d11624a65cc03f87522f7209d4544f0aab69fd22061bd9bafa6f54a4c

memory/932-63-0x0000000000400000-0x0000000000456000-memory.dmp
memory/932-66-0x0000000000400000-0x0000000000456000-memory.dmp
memory/932-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/932-67-0x0000000000400000-0x0000000000456000-memory.dmp
memory/932-69-0x0000000000451E9E-mapping.dmp
memory/632-71-0x0000000073FB0000-0x000000007455B000-memory.dmp
memory/932-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/932-64-0x0000000000400000-0x0000000000456000-memory.dmp
memory/932-74-0x0000000000400000-0x0000000000456000-memory.dmp
memory/932-76-0x0000000073A00000-0x0000000073FAB000-memory.dmp
memory/932-77-0x0000000073A00000-0x0000000073FAB000-memory.dmp