Malware Analysis Report

2024-11-30 16:01

Sample ID 220703-jvfggabcal
Target 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
SHA256 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206

Threat Level: Known bad

The file 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-03 07:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-03 07:59

Reported

2022-07-03 08:15

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4516 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe
PID 4516 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe
PID 4516 wrote to memory of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe
PID 4516 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Windows\SysWOW64\cmd.exe
PID 3940 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3940 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3940 wrote to memory of 3092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

"C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

"C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | - | tcp
US | 8.8.8.8:53 | solarintel.linkpc.net | udp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
FR | 2.18.109.224:443 | - | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
IE | 13.69.239.73:443 | - | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 104.18.25.243:80 | - | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
NL | 104.110.191.140:80 | - | tcp
NL | 104.110.191.140:80 | - | tcp
US | 209.197.3.8:80 | - | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp

Files

memory/4516-130-0x0000000074F90000-0x0000000075541000-memory.dmp

memory/4536-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

MD5 3e81b3743b1b34ede2ad6b0783b747fc
SHA1 010333b924790625fb557ed234e026cbd2ebceca
SHA256 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
SHA512 726dd459b510f8137a516a6db2d04929994a5ccf6e30ca2098442a95026efe5b42dc6a59d9aa815bc0c15f3f5bf7d7f87dfb063a821449b6f04cb2223960e42e

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

MD5 3e81b3743b1b34ede2ad6b0783b747fc
SHA1 010333b924790625fb557ed234e026cbd2ebceca
SHA256 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
SHA512 726dd459b510f8137a516a6db2d04929994a5ccf6e30ca2098442a95026efe5b42dc6a59d9aa815bc0c15f3f5bf7d7f87dfb063a821449b6f04cb2223960e42e

memory/3940-134-0x0000000000000000-mapping.dmp

memory/4516-135-0x0000000074F90000-0x0000000075541000-memory.dmp

memory/3092-136-0x0000000000000000-mapping.dmp

memory/4536-137-0x0000000074F90000-0x0000000075541000-memory.dmp

memory/4536-138-0x0000000074F90000-0x0000000075541000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-03 07:59

Reported

2022-07-03 08:16

Platform

win7-20220414-en

Max time kernel

150s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1888 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe
PID 1888 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe
PID 1888 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe
PID 1888 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe
PID 1888 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe | C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 1852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1160 wrote to memory of 1852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1160 wrote to memory of 1852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1160 wrote to memory of 1852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

"C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

"C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | solarintel.linkpc.net | udp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp
US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp

Files

memory/1888-54-0x0000000076191000-0x0000000076193000-memory.dmp

memory/1888-55-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/1888-56-0x0000000074580000-0x0000000074B2B000-memory.dmp

\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

MD5 3e81b3743b1b34ede2ad6b0783b747fc
SHA1 010333b924790625fb557ed234e026cbd2ebceca
SHA256 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
SHA512 726dd459b510f8137a516a6db2d04929994a5ccf6e30ca2098442a95026efe5b42dc6a59d9aa815bc0c15f3f5bf7d7f87dfb063a821449b6f04cb2223960e42e

\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

MD5 3e81b3743b1b34ede2ad6b0783b747fc
SHA1 010333b924790625fb557ed234e026cbd2ebceca
SHA256 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
SHA512 726dd459b510f8137a516a6db2d04929994a5ccf6e30ca2098442a95026efe5b42dc6a59d9aa815bc0c15f3f5bf7d7f87dfb063a821449b6f04cb2223960e42e

memory/884-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

MD5 3e81b3743b1b34ede2ad6b0783b747fc
SHA1 010333b924790625fb557ed234e026cbd2ebceca
SHA256 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
SHA512 726dd459b510f8137a516a6db2d04929994a5ccf6e30ca2098442a95026efe5b42dc6a59d9aa815bc0c15f3f5bf7d7f87dfb063a821449b6f04cb2223960e42e

C:\Users\Admin\AppData\Local\Temp\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206\3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206.exe

MD5 3e81b3743b1b34ede2ad6b0783b747fc
SHA1 010333b924790625fb557ed234e026cbd2ebceca
SHA256 3c4a92b18d969dc610d6ed1d3e73dbbe176310afb5dfb81ec306b90d96526206
SHA512 726dd459b510f8137a516a6db2d04929994a5ccf6e30ca2098442a95026efe5b42dc6a59d9aa815bc0c15f3f5bf7d7f87dfb063a821449b6f04cb2223960e42e

memory/1160-63-0x0000000000000000-mapping.dmp

memory/1852-64-0x0000000000000000-mapping.dmp

memory/1888-65-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/884-66-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/884-67-0x0000000074580000-0x0000000074B2B000-memory.dmp