Malware Analysis Report

2024-11-30 15:57

Sample ID 220724-z7kvqahaej
Target b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f
SHA256 b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f
Tags: imminent spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f

Threat Level: Known bad

The file b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Checks computer location settings

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-07-24 21:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-24 21:21

Reported: 2022-07-24 21:24

Platform: win7-20220715-en

Max time kernel: 150s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe"

Signatures

Imminent RAT

trojan spyware imminent

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 864 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 864 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 864 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 864 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 864 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe

"C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wXVvZUlYeblXg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEEB.tmp"

C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe

"C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | linkadrum.nl | udp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
US | 8.8.8.8:53 | linkadrum.nl | udp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
US | 8.8.8.8:53 | linkadrum.nl | udp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp

Files

memory/864-54-0x0000000074F71000-0x0000000074F73000-memory.dmp

memory/864-55-0x00000000746C0000-0x0000000074C6B000-memory.dmp

memory/864-56-0x00000000746C0000-0x0000000074C6B000-memory.dmp

memory/1280-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDEEB.tmp

MD5 f564dbab279ac66482e5ce04ef7f92d4
SHA1 2011db1c7328bd7ee1db54f5e106cedd84033d5d
SHA256 26c78b118e7da049db8360503f4cdaf914389e962cf2e5cc3c6618b138192144
SHA512 d015c78f839f4e25287e835e7b9841541d79ce4131d4be28fbcccab286fc90e24e507bb8e6924179301191e7af4ef212ccc9ad1b6e82f4a4ce9f88bcc5287f68

memory/892-59-0x0000000000400000-0x0000000000456000-memory.dmp

memory/892-60-0x0000000000400000-0x0000000000456000-memory.dmp

memory/892-62-0x0000000000400000-0x0000000000456000-memory.dmp

memory/892-65-0x0000000000451D1E-mapping.dmp

memory/892-64-0x0000000000400000-0x0000000000456000-memory.dmp

memory/892-63-0x0000000000400000-0x0000000000456000-memory.dmp

memory/864-67-0x00000000746C0000-0x0000000074C6B000-memory.dmp

memory/892-68-0x0000000000400000-0x0000000000456000-memory.dmp

memory/892-70-0x0000000000400000-0x0000000000456000-memory.dmp

memory/892-72-0x0000000074650000-0x0000000074BFB000-memory.dmp

memory/892-73-0x0000000074650000-0x0000000074BFB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-24 21:21

Reported: 2022-07-24 21:24

Platform: win10v2004-20220721-en

Max time kernel: 150s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4720 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4720 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4720 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe
PID 4720 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe | C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe

"C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wXVvZUlYeblXg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8FBD.tmp"

C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe

"C:\Users\Admin\AppData\Local\Temp\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 |  | tcp
US | 209.197.3.8:80 |  | tcp
US | 209.197.3.8:80 |  | tcp
FR | 2.18.109.224:443 |  | tcp
US | 8.8.8.8:53 | linkadrum.nl | udp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
US | 8.8.8.8:53 | linkadrum.nl | udp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
US | 8.8.8.8:53 | linkadrum.nl | udp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp
DE | 185.140.53.144:9630 | linkadrum.nl | tcp

Files

memory/4720-130-0x0000000075380000-0x0000000075931000-memory.dmp

memory/4720-131-0x0000000075380000-0x0000000075931000-memory.dmp

memory/4736-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8FBD.tmp

MD5 1d0dc1097df772e778e7ff4df969b96e
SHA1 fd71299aae4355dd3534637aa9c61d9d871f224a
SHA256 7689f00ddf30881bcded6430f118fcf2692958adfb9bd173e55c61e53d96dce0
SHA512 67ced21fb01bfc3e94443d4f4c19cc60994e8aa900ea025e109c9fd3bd1d679d6b9b3dc6a874032f75df1c96b8eef52362c0b6acc8b5394f3cb7e29219aaa744

memory/2312-134-0x0000000000000000-mapping.dmp

memory/2312-135-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b8e4cbe128510e8cd0701d8266db956bd1a9fded8a599f59b222ab50aa7be63f.exe.log

MD5 f09b18de068f5d3b00bf97d8c6b28542
SHA1 41b4356341b9ba28711ca911ae47983e26415626
SHA256 e431fc364d7fb15cf7679b139ef48208190a8ac3809d8f05ad5504e8d18599a1
SHA512 90b77b97c54ab2d2fe9e1a36ad124f9f9461e0facf1868ad61b34e8e0ebd05dc46ad0b160d879b457d943e2904671059cebb499e1a922e7064c027f1fb22afc0

memory/4720-137-0x0000000075380000-0x0000000075931000-memory.dmp

memory/2312-138-0x0000000075380000-0x0000000075931000-memory.dmp

memory/2312-139-0x0000000075380000-0x0000000075931000-memory.dmp