Malware Analysis Report

2024-11-30 15:59

Sample ID 220701-gjt5daefej
Target 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
Tags imminent spyware trojan
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a

Threat Level: Known bad

The file 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-07-01 05:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-07-01 05:50
Reported 2022-07-01 07:00
Platform win7-20220414-en
Max time kernel 149s
Max time network 189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1636 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe
PID 1636 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe
PID 1636 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe
PID 1636 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe
PID 1636 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 928 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 928 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 928 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

"C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

"C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | solarintel.linkpc.net | udp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp

Files

memory/1636-54-0x0000000075721000-0x0000000075723000-memory.dmp

memory/1636-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp

\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

MD5 5facc81dd393a13770c9051558b55c3b
SHA1 eb22872bb2a24200461ffbfe0821e45d9b0e0a0a
SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
SHA512 fb8ae3b46a62193f61b778c1250e3a98a2ede970d50ec403131cd22035f81dc2234b896cf8c97217b9c647fa79342ac600527ecc76f1d5a9fddc0745bdad570e

\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

MD5 5facc81dd393a13770c9051558b55c3b
SHA1 eb22872bb2a24200461ffbfe0821e45d9b0e0a0a
SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
SHA512 fb8ae3b46a62193f61b778c1250e3a98a2ede970d50ec403131cd22035f81dc2234b896cf8c97217b9c647fa79342ac600527ecc76f1d5a9fddc0745bdad570e

memory/872-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

MD5 5facc81dd393a13770c9051558b55c3b
SHA1 eb22872bb2a24200461ffbfe0821e45d9b0e0a0a
SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
SHA512 fb8ae3b46a62193f61b778c1250e3a98a2ede970d50ec403131cd22035f81dc2234b896cf8c97217b9c647fa79342ac600527ecc76f1d5a9fddc0745bdad570e

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

MD5 5facc81dd393a13770c9051558b55c3b
SHA1 eb22872bb2a24200461ffbfe0821e45d9b0e0a0a
SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
SHA512 fb8ae3b46a62193f61b778c1250e3a98a2ede970d50ec403131cd22035f81dc2234b896cf8c97217b9c647fa79342ac600527ecc76f1d5a9fddc0745bdad570e

memory/928-62-0x0000000000000000-mapping.dmp

memory/1548-63-0x0000000000000000-mapping.dmp

memory/1636-64-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/872-65-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/872-66-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-07-01 05:50
Reported 2022-07-01 06:59
Platform win10v2004-20220414-en
Max time kernel 96s
Max time network 162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 624 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe
PID 624 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe
PID 624 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe
PID 624 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe | C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 372 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

"C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

"C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country | Destination | Domain | Proto
NL | 88.221.144.192:80 | | tcp
NL | 88.221.144.192:80 | | tcp

Files

memory/624-130-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/624-131-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/5076-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

MD5 5facc81dd393a13770c9051558b55c3b
SHA1 eb22872bb2a24200461ffbfe0821e45d9b0e0a0a
SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
SHA512 fb8ae3b46a62193f61b778c1250e3a98a2ede970d50ec403131cd22035f81dc2234b896cf8c97217b9c647fa79342ac600527ecc76f1d5a9fddc0745bdad570e

C:\Users\Admin\AppData\Local\Temp\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe

MD5 5facc81dd393a13770c9051558b55c3b
SHA1 eb22872bb2a24200461ffbfe0821e45d9b0e0a0a
SHA256 6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a
SHA512 fb8ae3b46a62193f61b778c1250e3a98a2ede970d50ec403131cd22035f81dc2234b896cf8c97217b9c647fa79342ac600527ecc76f1d5a9fddc0745bdad570e

memory/5076-135-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/372-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6f9587dc0858a61e3b691c3279abed22444ea095cf99b3653bedb63e357cec3a.exe.log

MD5 c0ed926cd0e608944ad99322aaedb97a
SHA1 007e5bc9d8650a46f48f75045034702c24be39c5
SHA256 eb035294fbea39baa6e6c65cb7e06451987c51c5536586f23de5dc7f91096943
SHA512 83891a4984208720a224937101313759ffec75f5ebb2225c30555e5a28c7cc753162d802b176694ecc7404e2723f75d86d313adb835d4ec826ac13ff24cce42a

memory/5076-138-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/624-139-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/4472-140-0x0000000000000000-mapping.dmp