Malware Analysis Report

2024-11-30 15:59

Sample ID 220626-2byg2segf3
Target 35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b
SHA256 35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b

Threat Level: Known bad

The file 35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-26 22:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-26 22:25

Reported

2022-06-26 22:32

Platform

win7-20220414-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"

Signatures

Imminent RAT

trojan spyware imminent

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1972 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 1972 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe 9

Processes

C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbRezOawnhi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp"

C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 linkadrum.nl udp 3
DE 185.140.53.144:9630 linkadrum.nl tcp 14

Files

memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

memory/1972-55-0x0000000074D60000-0x000000007530B000-memory.dmp

memory/1972-56-0x0000000074D60000-0x000000007530B000-memory.dmp

memory/1108-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp

MD5 2566e055b3f059478c39cd0c52aa3ea0
SHA1 2a4a4a40197c1fc22c23152350e502a483b7ba7e
SHA256 fc7c29184c63bb28aff0cae3ee27280e90eabdcd8d49aa669a65660f3252d6eb
SHA512 cd689165e2f58d571d16c7f3f2c44bdcf0819b779d07649b5cd08afa48a63b229759e5f01c1f4b4e81cf907c286b30845caeabdef7a3c9a065aaa36ea34d1d87

memory/1300-59-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1300-60-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1300-62-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1300-63-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1300-65-0x0000000000451D1E-mapping.dmp

memory/1300-66-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1300-67-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1300-71-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1300-74-0x0000000000080000-0x00000000000D6000-memory.dmp

memory/1972-76-0x0000000074D60000-0x000000007530B000-memory.dmp

memory/1300-77-0x0000000074D60000-0x000000007530B000-memory.dmp

memory/1300-78-0x0000000074D60000-0x000000007530B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-26 22:25

Reported

2022-06-26 22:32

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2160 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 2160 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NbRezOawnhi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1DB.tmp"

C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe

"C:\Users\Admin\AppData\Local\Temp\35ff2888fadc04bb8184f63f89f5c202345dd57621ff3f3875b9658abe945a7b.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto Count
US 20.189.173.10:443 N/A tcp 1
IE 52.109.76.31:443 N/A tcp 1
DE 67.24.27.254:80 N/A tcp 1
BE 8.238.110.126:80 N/A tcp 3
US 8.8.8.8:53 linkadrum.nl udp 3
DE 185.140.53.144:9630 linkadrum.nl tcp 29

Files

memory/2160-130-0x0000000074660000-0x0000000074C11000-memory.dmp

memory/2160-131-0x0000000074660000-0x0000000074C11000-memory.dmp

memory/1516-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB1DB.tmp

MD5 75191cf6996dc18a53ac7af553cbb78c
SHA1 497ac1790a6fe63ef6c092d5cf3f1e22f34baf98
SHA256 e032e425b83efbf2104cc9cdddc2ba125e1e33710c2b983b9b14d63eb917f387
SHA512 f20074cbe963990f76058b548d5658b47d450bff2d5ec51138c14cbf56fc2d34e74bbf04151d38bcaf3b55711b916aa5295418a14b3eb1832cce41453b529957

memory/212-134-0x0000000000000000-mapping.dmp

memory/212-135-0x0000000000400000-0x0000000000456000-memory.dmp

memory/2160-136-0x0000000074660000-0x0000000074C11000-memory.dmp

memory/212-137-0x0000000074660000-0x0000000074C11000-memory.dmp

memory/212-138-0x0000000074660000-0x0000000074C11000-memory.dmp