Malware Analysis Report

2024-11-30 16:01

Sample ID: 220625-lwebxahfg2
Target: 8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130
SHA256: 8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130
Tags: imminent, spyware, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130

Threat Level: Known bad

The file 8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130 was found to be: Known bad.

Malicious Activity Summary

Tags: imminent, spyware, trojan

Imminent RAT

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-25 09:52

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-25 09:52
Reported: 2022-06-25 11:53
Platform: win7-20220414-en
Max time kernel: 149s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe"

Signatures

Imminent RAT

Tags: trojan, spyware, imminent

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2032 wrote to memory of 1156 (4 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 844 (9 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jIiSnAesg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp14C9.tmp"

Image (second instance): C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe"

Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Entries
US | 8.8.8.8:53 | linkadrum.nl | udp | 3
DE | 185.140.53.144:9630 | linkadrum.nl | tcp | 18

Files

Memory dumps (PID-sequence-address range):
memory/2032-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
memory/2032-55-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/2032-56-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/1156-57-0x0000000000000000-mapping.dmp
memory/844-59-0x0000000000400000-0x0000000000456000-memory.dmp
memory/844-60-0x0000000000400000-0x0000000000456000-memory.dmp
memory/844-62-0x0000000000400000-0x0000000000456000-memory.dmp
memory/844-63-0x0000000000400000-0x0000000000456000-memory.dmp
memory/844-65-0x0000000000451D1E-mapping.dmp
memory/844-64-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2032-67-0x0000000074E00000-0x00000000753AB000-memory.dmp
memory/844-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/844-70-0x0000000000400000-0x0000000000456000-memory.dmp
memory/844-72-0x0000000074D90000-0x000000007533B000-memory.dmp
memory/844-73-0x0000000074D90000-0x000000007533B000-memory.dmp

Dropped file: C:\Users\Admin\AppData\Local\Temp\tmp14C9.tmp (task XML passed to schtasks.exe /XML)
MD5 3979c756ee138356291b7a636498b37e
SHA1 82e2bfff4eb45f43aca8acd24a6c6bea8629f7e6
SHA256 7550885461ce336a5c3e482fa7f86a79e354cb202bdf5f06631544cc29a060de
SHA512 61673647aa212543f1fb367f67240d7838882ec1b0b81c2e385b9d287633aaf71131d3869ca77fc5811bd13910310d966bfb619923c5cffec71a3b2cdcefd60e

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-25 09:52
Reported: 2022-06-25 11:55
Platform: win10v2004-20220414-en
Max time kernel: 169s
Max time network: 175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe"

Signatures

Imminent RAT

Tags: trojan, spyware, imminent

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1000 wrote to memory of 4500 (3 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1000 wrote to memory of 2136 (8 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe | C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jIiSnAesg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC63E.tmp"

Image (second instance): C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe"

Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto | Entries
US | 13.89.178.27:443 | (none) | tcp | 1
US | 13.107.4.50:80 | (none) | tcp | 1
US | 93.184.221.240:80 | (none) | tcp | 1
US | 8.8.8.8:53 | linkadrum.nl | udp | 2
DE | 185.140.53.144:9630 | linkadrum.nl | tcp | 11

Files

Memory dumps (PID-sequence-address range):
memory/1000-130-0x0000000075000000-0x00000000755B1000-memory.dmp
memory/1000-131-0x0000000075000000-0x00000000755B1000-memory.dmp
memory/4500-132-0x0000000000000000-mapping.dmp
memory/2136-134-0x0000000000000000-mapping.dmp
memory/2136-135-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1000-137-0x0000000075000000-0x00000000755B1000-memory.dmp
memory/2136-138-0x0000000075000000-0x00000000755B1000-memory.dmp
memory/2136-139-0x0000000075000000-0x00000000755B1000-memory.dmp

Dropped file: C:\Users\Admin\AppData\Local\Temp\tmpC63E.tmp (task XML passed to schtasks.exe /XML)
MD5 ce232744cdc816d66c89f0787522090e
SHA1 14d9763734c32cb4fe1734a0db797c96e9ac18dc
SHA256 be8186195de9bc964b4ca3351d3c3a63fdb3500fe109d18a00ab9f0c193e6bc1
SHA512 13bd5cbf493e137673ddaacc55f76f17052d4e289306b2195e3ef6d23b893179e0cf9a774647916246bff655bd6ada180cbcf9df04e3805057340a8b5da7c636

Dropped file: C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\8ae0490cfd0e001a1c4dd6067658293554db517ab63187298fd88ea26607b130.exe.log
MD5 85dac674f699b59130cd2f4d7e2e04c5
SHA1 bc28aa347d27da7e9121ed2d823c63daf4ec5f58
SHA256 688549abc7e5071c610eaf9aa5b0b308f43116b1e14f118ff3e7fe1c969a9cde
SHA512 a045d0a3c45aa54ca922056139b13605fbefa48365b9b17ff513d2e8d61a214df6119adb7ba9ad4fe7ffb61c5244c5514704499efbf3aca7c9a954796fea76c3