Malware Analysis Report

2024-11-15 08:09

Sample ID 221004-by33yafgb7
Target a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527
SHA256 a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527

Threat Level: Known bad

The file a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-04 01:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-04 01:34

Reported

2022-10-04 04:28

Platform

win7-20220812-en

Max time kernel

153s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\notepad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\RoamingRealmPlayer.exe | N/A
N/A | N/A | C:\Windows\temp\notepad.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1012 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | C:\Windows\temp\notepad.exe
PID 1388 set thread context of 1032 | N/A | C:\Windows\temp\notepad.exe | C:\Windows\temp\notepad.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\notepad.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\temp\notepad.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\temp\notepad.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\temp\notepad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Count (identical rows) | Indicator | Process | Target
PID 1012 wrote to memory of 1388 | 9 | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | C:\Windows\temp\notepad.exe
PID 1388 wrote to memory of 1588 | 4 | N/A | C:\Windows\temp\notepad.exe | C:\Users\Admin\AppData\RoamingRealmPlayer.exe
PID 1388 wrote to memory of 1032 | 9 | N/A | C:\Windows\temp\notepad.exe | C:\Windows\temp\notepad.exe
PID 1588 wrote to memory of 1416 | 3 | N/A | C:\Users\Admin\AppData\RoamingRealmPlayer.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
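The SetThreadContext and WriteProcessMemory rows above describe the same handful of parent/child pairs many times over. The script below is an added example, not part of the sandbox report: it parses rows in the sandbox's own wording ("PID X wrote to memory of Y", "PID X set thread context of Y"), aggregates them into edges, walks the resulting chain from the submitted sample (PID 1012), and flags the pairs that show both a memory write and a thread-context change, which is the process-hollowing footprint (ATT&CK T1055.012). The input rows are constructed from the tables above; the repeat counts are the number of identical rows the sandbox printed. dw20.exe is the .NET Framework error-reporting helper launched when a managed process hits an unhandled exception, so the RealmPlayer.exe to dw20.exe writes are most plausibly a crash hand-off rather than injection, and the script treats write-only edges accordingly.

```python
import re
from collections import defaultdict

# Paths as they appear in the behavioral1 signature tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"
NOTEPAD = r"C:\Windows\temp\notepad.exe"
REALM = r"C:\Users\Admin\AppData\RoamingRealmPlayer.exe"
DW20 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"

# Constructed from the "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" rows:
# (sandbox description, number of identical rows, process, target).
SIGNATURE_ROWS = [
    ("PID 1012 set thread context of 1388", 1, SAMPLE, NOTEPAD),
    ("PID 1388 set thread context of 1032", 1, NOTEPAD, NOTEPAD),
    ("PID 1012 wrote to memory of 1388", 9, SAMPLE, NOTEPAD),
    ("PID 1388 wrote to memory of 1588", 4, NOTEPAD, REALM),
    ("PID 1388 wrote to memory of 1032", 9, NOTEPAD, NOTEPAD),
    ("PID 1588 wrote to memory of 1416", 3, REALM, DW20),
]

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Aggregate rows into edges keyed by (source pid, target pid).

    Each edge records how many WriteProcessMemory rows ("writes") and
    SetThreadContext rows ("ctx") the sandbox attributed to that pair.
    Rows that are not inter-process (e.g. "Token: SeDebugPrivilege") are skipped.
    """
    edges = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": None, "dst": None})
    for desc, count, src_path, dst_path in rows:
        m = ROW_RE.fullmatch(desc)
        if m is None:
            continue
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edge = edges[(src, dst)]
        edge["src"], edge["dst"] = src_path, dst_path
        edge["writes" if verb.startswith("wrote") else "ctx"] += count
    return dict(edges)


def hollowing_candidates(edges):
    """Pairs with both a memory write and a thread-context change.

    Writing a payload into a freshly created child and then redirecting its
    primary thread is the process-hollowing footprint (T1055.012). Writes
    alone, like the ones into dw20.exe here, do not qualify on their own.
    """
    return sorted(pair for pair, e in edges.items() if e["writes"] and e["ctx"])


def injection_chain(edges, root):
    """Depth-first walk from the root pid, smallest child pid first."""
    order, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        children = sorted(dst for (src, dst) in edges if src == pid)
        stack.extend(reversed(children))
    return order


def describe(edges, root):
    """One human-readable line per edge, in chain order."""
    lines = []
    for pid in injection_chain(edges, root):
        for (src, dst), e in sorted(edges.items()):
            if src != pid:
                continue
            tag = "HOLLOWING?" if e["writes"] and e["ctx"] else "write-only"
            lines.append(f"{src} -> {dst}: {e['writes']} write(s), {e['ctx']} ctx change(s) "
                         f"[{tag}] {basename(e['src'])} -> {basename(e['dst'])}")
    return lines


if __name__ == "__main__":
    graph = parse_rows(SIGNATURE_ROWS)
    print("\n".join(describe(graph, 1012)))
    print("hollowing candidates:", hollowing_candidates(graph))
```

Run as-is it prints the four edges in chain order and reports (1012, 1388) and (1388, 1032) as hollowing candidates; the notepad.exe-to-notepad.exe pair is the second stage re-hollowing a copy of itself, which is why the memory dumps for PID 1032 cover a different image range (0x400000-0x460000) than those for PID 1388 (0x400000-0x446000).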

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | "C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"
C:\Windows\temp\notepad.exe | C:\Windows\temp\notepad.exe
C:\Users\Admin\AppData\RoamingRealmPlayer.exe | "C:\Users\Admin\AppData\RoamingRealmPlayer.exe"
C:\Windows\temp\notepad.exe | "C:\Windows\temp\notepad.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | dw20.exe -x -s 412

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | jewmeister.ddns.net | udp

Files

memory/1012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

\Windows\Temp\notepad.exe

MD5 278edbd499374bf73621f8c1f969d894
SHA1 a81170af14747781c5f5f51bb1215893136f0bc0
SHA256 c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

memory/1388-56-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1388-57-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1388-59-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1388-60-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1388-61-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1388-62-0x0000000000440B8E-mapping.dmp

memory/1388-65-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1388-67-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\Temp\notepad.exe

MD5 278edbd499374bf73621f8c1f969d894
SHA1 a81170af14747781c5f5f51bb1215893136f0bc0
SHA256 c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

C:\Windows\temp\notepad.exe

MD5 278edbd499374bf73621f8c1f969d894
SHA1 a81170af14747781c5f5f51bb1215893136f0bc0
SHA256 c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

memory/1012-70-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1388-71-0x0000000074AD0000-0x000000007507B000-memory.dmp

\Users\Admin\AppData\RoamingRealmPlayer.exe

MD5 7a607550e6bcafcf6024216d4a12162c
SHA1 849336bc7b847fd35311a921eaa5eb7b7e051542
SHA256 5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb
SHA512 f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4

memory/1588-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\RoamingRealmPlayer.exe

MD5 7a607550e6bcafcf6024216d4a12162c
SHA1 849336bc7b847fd35311a921eaa5eb7b7e051542
SHA256 5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb
SHA512 f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4

memory/1032-76-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-77-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-79-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-80-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-82-0x000000000045A3DE-mapping.dmp

memory/1032-81-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-85-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-87-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-90-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-92-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-91-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-93-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-96-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-95-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-94-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-98-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-100-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-101-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-104-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-106-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-107-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1032-109-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1012-110-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1388-111-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1032-112-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1588-113-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

memory/1588-114-0x000007FEF2DF0000-0x000007FEF3E86000-memory.dmp

memory/1416-115-0x0000000000000000-mapping.dmp

memory/1416-116-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

memory/1032-117-0x0000000074AD0000-0x000000007507B000-memory.dmp

memory/1012-118-0x0000000074AD0000-0x000000007507B000-memory.dmp
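The Files section gives SHA-256 values for the submitted sample and the two dropped executables, plus the paths they were written to. The sweep below is an added example, not part of the report: it hashes files under a mount point or live filesystem, matches them against those hashes, and separately matches the dropped-file path suffixes (the RoamingRealmPlayer.exe path is reproduced exactly as the sandbox reported it, with no separator between AppData and the file name). One caveat the signatures above make clear: the spyware behaviours (SetWindowsHookEx, GetForegroundWindow polling) are attributed to C:\Windows\temp\notepad.exe after it was written to and had its thread context changed, so a disk-hash sweep finds the dropper and the dropped files but not the payload that ran inside notepad.exe's memory; pair it with the process checks.

```python
import hashlib
import os

# SHA-256 IOCs from this report: the submitted sample and the two dropped files.
KNOWN_BAD = {
    "a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527": "submitted sample (Imminent RAT)",
    "c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391": r"dropped C:\Windows\Temp\notepad.exe",
    "5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb": r"dropped C:\Users\Admin\AppData\RoamingRealmPlayer.exe",
}

# Path suffixes where the sandbox saw the dropped files land (lower-case, backslash form).
KNOWN_BAD_PATHS = {
    r"windows\temp\notepad.exe",
    r"appdata\roamingrealmplayer.exe",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_bytes(data, iocs=KNOWN_BAD):
    """Return (digest, label) if the content's SHA-256 is a known IOC, else None."""
    digest = sha256_bytes(data)
    return (digest, iocs[digest]) if digest in iocs else None


def match_path(path, bad_paths=KNOWN_BAD_PATHS):
    """Suffix match after normalising separators, so a mounted image under
    /mnt/evidence/C/... matches the same way a live C:\ path does."""
    norm = path.replace("/", "\\").lower()
    return any(norm.endswith(suffix) for suffix in bad_paths)


def sweep(root, iocs=KNOWN_BAD, bad_paths=KNOWN_BAD_PATHS):
    """Walk root and return (path, sha256, reasons) for every hash or path hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if match_path(path, bad_paths):
                reasons.append("path")
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if digest in iocs:
                reasons.append("hash: " + iocs[digest])
            if reasons:
                hits.append((path, digest, reasons))
    return hits


if __name__ == "__main__":
    import sys
    for path, digest, reasons in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\n  {digest}\n  {', '.join(reasons)}")
```

A path-only hit (a notepad.exe in C:\Windows\Temp whose hash is not in the table) is still worth pulling: the dropped file's hash is specific to this build of the dropper, while the staging location is the part an operator is less likely to change.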

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-04 01:34

Reported

2022-10-04 04:28

Platform

win10v2004-20220812-en

Max time kernel

120s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | "C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"
C:\Windows\temp\notepad.exe | C:\Windows\temp\notepad.exe

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 52.168.112.66:443 | | tcp
US | 8.252.51.254:80 | | tcp
NL | 104.80.225.205:443 | | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp

Files

memory/1216-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/4944-133-0x0000000000000000-mapping.dmp

memory/1216-134-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/1216-135-0x0000000074EC0000-0x0000000075471000-memory.dmp