Malware Analysis Report

2024-11-15 08:09

Sample ID: 221003-a2fldahda8
Target: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
SHA256: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
Tags: imminent persistence spyware trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
Threat Level: Known bad

The file c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Windows directory

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported: 2022-10-03 00:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-03 00:42
Reported: 2022-10-03 05:33
Platform: win7-20220901-en
Max time kernel: 150s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

Signatures

Imminent RAT (tags: trojan spyware imminent)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\System32\\javaq.exe" | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\\System32\\javaq.exe" | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Entries
PID 1380 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | 4 (identical)
PID 1380 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | C:\Windows\SysWOW64\cmd.exe | 4 (identical)
PID 1168 wrote to memory of 524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 4 (identical)

Processes

C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

"C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

"C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country | Destination | Domain | Proto | Entries
BR | 179.111.141.10:9003 | N/A | tcp | 6 (identical)

Files

memory/1380-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

memory/1428-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

MD5 6742b8f2ce2a31ea67be7a05b27a7450
SHA1 ea8db160fa12648a1b1819c82c2db25205f51c84
SHA256 c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
SHA512 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a

\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

MD5 6742b8f2ce2a31ea67be7a05b27a7450
SHA1 ea8db160fa12648a1b1819c82c2db25205f51c84
SHA256 c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
SHA512 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a

memory/1168-61-0x0000000000000000-mapping.dmp

memory/1380-63-0x0000000073F20000-0x00000000744CB000-memory.dmp

memory/524-62-0x0000000000000000-mapping.dmp

memory/1428-64-0x0000000073F20000-0x00000000744CB000-memory.dmp

memory/1428-65-0x0000000073F20000-0x00000000744CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-03 00:42
Reported: 2022-10-03 05:33
Platform: win10v2004-20220901-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

Signatures

Imminent RAT (tags: trojan spyware imminent)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\\System32\\javaq.exe" | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\System32\\javaq.exe" | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Entries
PID 4168 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | 3 (identical)
PID 4168 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe | C:\Windows\SysWOW64\cmd.exe | 3 (identical)
PID 4164 wrote to memory of 1192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3 (identical)

Processes

C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

"C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

"C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country | Destination | Domain | Proto | Entries
IE | 52.109.77.0:443 | N/A | tcp | 1
BR | 179.111.141.10:9003 | N/A | tcp | 1
US | 20.42.65.84:443 | N/A | tcp | 1
BR | 179.111.141.10:9003 | N/A | tcp | 1
US | 209.197.3.8:80 | N/A | tcp | 1
US | 93.184.221.240:80 | N/A | tcp | 3 (consecutive, identical)
BR | 179.111.141.10:9003 | N/A | tcp | 1
US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp | 1
BR | 179.111.141.10:9003 | N/A | tcp | 1
US | 93.184.221.240:80 | N/A | tcp | 1
NL | 104.80.229.204:443 | N/A | tcp | 1
BR | 179.111.141.10:9003 | N/A | tcp | 3 (consecutive, identical)

Files

memory/4168-132-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/4684-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab\c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab.exe

MD5 6742b8f2ce2a31ea67be7a05b27a7450
SHA1 ea8db160fa12648a1b1819c82c2db25205f51c84
SHA256 c727a0856eb82a40b891d09f262817eb4cd61fe116d9e4337cfef420b2864cab
SHA512 8cdab5ad6991187cceb1201d4c762aea5ac4dcaaa2ed90d24a07bcb90edb141d5c6c26f4a783cc7a795f6f8d2b81db45175c2e836585e57d9369be6f8e6fff3a

memory/4164-136-0x0000000000000000-mapping.dmp

memory/4168-137-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/1192-138-0x0000000000000000-mapping.dmp

memory/4684-139-0x0000000074D40000-0x00000000752F1000-memory.dmp

memory/4684-140-0x0000000074D40000-0x00000000752F1000-memory.dmp