Malware Analysis Report

2024-11-15 08:09

Sample ID: 221019-s75rkaefej
Target: 56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea
SHA256: 56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea
Tags: persistence, imminent, spyware, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea

Threat Level: Known bad

The file 56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea was found to be: Known bad.

Malicious Activity Summary

persistence imminent spyware trojan

Imminent RAT

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

NTFS ADS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported: 2022-10-19 15:47

Signatures

AutoIT Executable

(no indicator details recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-19 15:46
Reported: 2022-10-19 17:37
Platform: win10v2004-20220812-en
Max time kernel: 144s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\98925.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe N/A

Uses the VBS compiler for execution

Sandbox signature name; the binary launched is vbc.exe, the Visual Basic .NET command-line compiler from the .NET Framework v4.0.30319 directory, started with no arguments (see Processes below). A compiler invoked with nothing to compile is not compiling: the SetThreadContext entry below shows it being used as the host process for injected code. vbc.exe is a Microsoft-signed binary shipped with the framework, so publisher-based allow-listing alone does not stop this; the signal is a .NET compiler with an empty command line being written to and redirected by a process running from %APPDATA%.

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\98925.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WerFault = "C:\\Users\\Admin\\AppData\\Roaming\\98925.exe" C:\Users\Admin\AppData\Roaming\98925.exe N/A

AutoIT Executable

(two hits, no indicator details recorded)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3396 set thread context of 908 N/A C:\Users\Admin\AppData\Roaming\98925.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe N/A
File created C:\Users\Admin\AppData\Roaming\98925.exe\:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\98925.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Roaming\98925.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe

"C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe"

C:\Users\Admin\AppData\Roaming\98925.exe

"C:\Users\Admin\AppData\Roaming\98925.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 908 -ip 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 80

Note: both WerFault.exe invocations reference PID 908, the vbc.exe process that received the injected code, so the payload crashed on this Windows 10 run shortly after injection. That is the "Program crash" entry in the summary, and it explains why the Imminent RAT signature and the TCP/1337 command-and-control traffic appear only in the Windows 7 run (behavioral1) below. Do not read the absence of C2 traffic here as the sample being benign on Windows 10.

Network

Country Destination Domain Proto
US 20.189.173.10:443 tcp
US 52.242.97.97:443 tcp
US 8.253.208.113:80 tcp (2 connections)
US 209.197.3.8:80 tcp
US 8.8.8.8:53 15.89.54.20.in-addr.arpa udp (PTR lookup of 20.54.89.15)

Files

memory/3396-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\98925.exe (recorded twice)

MD5 a18dcc398139154de6b694db84b46a20
SHA1 c75bea6cad85a87e42c2b4e6e3e756bdc78e15b5
SHA256 56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea
SHA512 a3617cdfc1573addecd06628ba210265203aa6213565cc6dc7b655fc186b9a24bffb20c9b600c5db5701375aaa7f1c6e67659c3f33e28ec837a0c10a6dab1fdf

Note: the SHA256 is identical to the submitted sample, so 98925.exe is a byte-for-byte self-copy written to %APPDATA% and registered under the Run key. The drop name differs between runs (98925.exe here, 67779.exe on Windows 7), so hunt on the hash and on the Run value name "WerFault", not on the file name.

C:\Users\Admin\AppData\Local\Temp\xd

MD5 78ba668db1856f03ec5ad0390fc9a37f
SHA1 d6ca40967c71c602827cb58fe07e2598280be564
SHA256 e18bb1fb9dd27e14a6f672b5ce3c891b3a0ae50deb7b2a751c83817f6c1e6d4b
SHA512 f25d8585680592aba09c9d878da1cde29a5119e769ddf782f943ecd26ce9732a031314ee7c1708b072a84c8e2c5b0ee6f4e94f9c4a9b9feda00a50be44bfaa3b

memory/908-136-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-19 15:46
Reported: 2022-10-19 17:37
Platform: win7-20220812-en
Max time kernel: 186s
Max time network: 191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\67779.exe N/A

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler, launched with no arguments; see the SetThreadContext and WriteProcessMemory entries below)

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\67779.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WerFault = "C:\\Users\\Admin\\AppData\\Roaming\\67779.exe" C:\Users\Admin\AppData\Roaming\67779.exe N/A
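The Run-key rows above (this run and the Windows 10 run) share one shape: a value named after a Windows component, pointing at an all-digit executable in %APPDATA%, written by that executable itself. The following is an added example, not part of the sandbox report, that turns those observations into checks over the report's own "Set value" lines. The two event lines are copied from the tables; the SecurityHealth line is a constructed benign control, and the list of look-alike value names is an assumption to extend from your own baselines.

```python
"""Triage 'Adds Run key' registry events from a sandbox report.

Added example for this report, not part of the sandbox's own output.
The first two event lines are the 'Set value' rows from the Windows 10
and Windows 7 runs; the SecurityHealth line is a constructed, benign
control entry so the checks have something to pass.
"""
import re
from pathlib import PureWindowsPath
from typing import List, NamedTuple, Optional, Tuple

SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WerFault = "C:\\Users\\Admin\\AppData\\Roaming\\98925.exe" C:\Users\Admin\AppData\Roaming\98925.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WerFault = "C:\\Users\\Admin\\AppData\\Roaming\\67779.exe" C:\Users\Admin\AppData\Roaming\67779.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe" C:\Windows\System32\SecurityHealthService.exe N/A
"""

# One 'Set value' row: key path, value name, quoted string data, writing process.
RUN_EVENT_RE = re.compile(
    r"^Set value \(str\)\s+"
    r"(?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\(?:Run|RunOnce))\\(?P<name>\S+)"
    r'\s*=\s*"(?P<data>[^"]*)"\s+(?P<writer>\S+)',
    re.IGNORECASE,
)

# Locations a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")
# Value names that borrow the name of a legitimate Windows component
# (assumption: a short illustrative list, extend it from your own baselines).
LOOKALIKE_NAMES = {"werfault", "svchost", "explorer", "winlogon", "csrss", "lsass"}


class Finding(NamedTuple):
    value_name: str
    target: str
    writer: str
    reasons: Tuple[str, ...]


def target_executable(data: str) -> str:
    """Recover the executable path from the value data.

    The sandbox prints the string with doubled backslashes; collapse them,
    then cut at the first '.exe' so trailing arguments are ignored.
    """
    data = data.replace("\\\\", "\\")
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def analyze_run_value(name: str, data: str, writer: str) -> Optional[Finding]:
    """Return a Finding with every reason that fired, or None if nothing did."""
    target = target_executable(data)
    path = PureWindowsPath(target)
    reasons = []
    if any(d in target.lower() for d in USER_WRITABLE):
        reasons.append("autorun target lives in a user-writable directory")
    if name.lower() in LOOKALIKE_NAMES and path.stem.lower() != name.lower():
        reasons.append(f"value name '{name}' mimics a Windows component but runs {path.name}")
    if re.fullmatch(r"\d{3,}\.exe", path.name.lower()):
        reasons.append("all-digit file name, typical of a runtime-generated drop name")
    if PureWindowsPath(writer).name.lower() == path.name.lower():
        reasons.append("the binary registered itself (writer and target are the same file)")
    return Finding(name, target, writer, tuple(reasons)) if reasons else None


def scan(report_text: str) -> List[Finding]:
    """Run analyze_run_value over every 'Set value' line in a report excerpt."""
    findings = []
    for line in report_text.splitlines():
        m = RUN_EVENT_RE.match(line.strip())
        if not m:
            continue
        finding = analyze_run_value(m["name"], m["data"], m["writer"])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.value_name} -> {f.target}")
        for reason in f.reasons:
            print("   -", reason)
```

Both report rows trip all four checks; the control row trips none. On a live host the same checks apply to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and the self-registration check is the one least likely to be shared by legitimate installers, which normally write the Run value from a setup process rather than from the registered binary.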

AutoIT Executable

(six hits, no indicator details recorded)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 936 set thread context of 1104 N/A C:\Users\Admin\AppData\Roaming\67779.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\67779.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Roaming\67779.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe N/A
File created C:\Users\Admin\AppData\Roaming\67779.exe\:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 944 wrote to memory of 936 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe C:\Users\Admin\AppData\Roaming\67779.exe
PID 936 wrote to memory of 1104 (9 events) N/A C:\Users\Admin\AppData\Roaming\67779.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
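The WriteProcessMemory rows above, read together with the SetThreadContext row, describe the classic hollowing sequence: the dropped 67779.exe writes into a freshly started vbc.exe nine times and then redirects its thread. The following is an added example, not part of the sandbox report, that reconstructs that chain from the report's own rows (both runs, including the Windows 10 SetThreadContext row that has no recorded writes) and scores each SetThreadContext by the surrounding evidence. The PIDs and command lines are copied from this report and are sandbox-specific, not indicators.

```python
"""Rebuild the process-injection chain from sandbox memory events.

Added example for this report, not the sandbox's own output. The rows
are the 'Suspicious use of WriteProcessMemory' and 'SetThreadContext'
entries from both runs (the report prints one row per call; the counts
below reproduce that), and the command lines come from the Processes
sections. PIDs are the sandbox's, not stable indicators.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple, Tuple

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe"
STAGE2_W7 = r"C:\Users\Admin\AppData\Roaming\67779.exe"
STAGE2_W10 = r"C:\Users\Admin\AppData\Roaming\98925.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# (row count, row text): 944 -> 936 -> 1104 on Windows 7, 3396 -> 908 on Windows 10.
SAMPLE_ROWS = [
    (4, f"PID 944 wrote to memory of 936 N/A {DROPPER} {STAGE2_W7}"),
    (9, f"PID 936 wrote to memory of 1104 N/A {STAGE2_W7} {VBC}"),
    (1, f"PID 936 set thread context of 1104 N/A {STAGE2_W7} {VBC}"),
    (1, f"PID 3396 set thread context of 908 N/A {STAGE2_W10} {VBC}"),
]
SAMPLE_EVENTS = "\n".join(row for n, row in SAMPLE_ROWS for _ in range(n))
# Command lines from the Processes sections: every process was started bare.
SAMPLE_CMDLINES = {944: f'"{DROPPER}"', 936: f'"{STAGE2_W7}"', 1104: f'"{VBC}"',
                   3396: f'"{STAGE2_W10}"', 908: f'"{VBC}"'}

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)"
    r" N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


class Event(NamedTuple):
    src: int
    op: str
    dst: int
    src_image: str
    dst_image: str


class Alert(NamedTuple):
    src: int
    dst: int
    src_image: str
    dst_image: str
    writes: int
    confidence: str
    reasons: Tuple[str, ...]


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(Event(int(m["src"]), m["op"], int(m["dst"]), m["src_image"], m["dst_image"]))
    return events


def has_no_arguments(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return end != -1 and cmdline[end + 1:].strip() == ""
    return len(cmdline.split()) == 1


def write_chain(events: List[Event], pid: int) -> List[int]:
    """Follow 'wrote to memory of' edges backwards from pid to the first writer."""
    first_writer: Dict[int, int] = {}
    for e in events:
        if e.op.startswith("wrote"):
            first_writer.setdefault(e.dst, e.src)
    chain = [pid]
    while chain[-1] in first_writer and first_writer[chain[-1]] not in chain:
        chain.append(first_writer[chain[-1]])
    return chain[::-1]


def find_injection(events: List[Event], cmdlines: Dict[int, str]) -> List[Alert]:
    """Pair every SetThreadContext with the writes that preceded it and score it."""
    writes = Counter((e.src, e.dst) for e in events if e.op.startswith("wrote"))
    alerts = []
    for e in events:
        if not e.op.startswith("set thread"):
            continue
        n = writes[(e.src, e.dst)]
        reasons = []
        if n:
            reasons.append(f"{n} WriteProcessMemory calls into the target before SetThreadContext")
        if e.dst_image.lower().startswith("c:\\windows\\"):
            reasons.append("target is a Microsoft binary under C:\\Windows")
        if has_no_arguments(cmdlines.get(e.dst, "")):
            reasons.append("target was started with no arguments (hollowing host, not a real compile)")
        if "\\appdata\\" in e.src_image.lower():
            reasons.append("source executes from AppData")
        confidence = "high" if n and len(reasons) >= 3 else "medium"
        alerts.append(Alert(e.src, e.dst, PureWindowsPath(e.src_image).name,
                            PureWindowsPath(e.dst_image).name, n, confidence, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in find_injection(evs, SAMPLE_CMDLINES):
        print(f"[{a.confidence}] {a.src_image} ({a.src}) -> {a.dst_image} ({a.dst}), "
              f"writes={a.writes}, chain={write_chain(evs, a.dst)}")
        for reason in a.reasons:
            print("   -", reason)
```

The Windows 7 row scores high (writes plus three contextual reasons); the Windows 10 row scores medium because the report records no writes for it, which is a reminder that a SetThreadContext without matching WriteProcessMemory rows usually means the capture missed them, not that nothing was written. The 944 to 936 writes are not flagged: a parent writing into a child it just created is expected CreateProcess behaviour, and it is the SetThreadContext that separates hollowing from process creation.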

Processes

C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe

"C:\Users\Admin\AppData\Local\Temp\56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea.exe"

C:\Users\Admin\AppData\Roaming\67779.exe

"C:\Users\Admin\AppData\Roaming\67779.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
FR 92.222.205.129:1337 tcp (39 separate connections; no other network activity in this run)
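The Network tables of the two runs look very different: the Windows 7 run talks only to 92.222.205.129 on TCP/1337, repeatedly, while the Windows 10 run (where the injected process crashed) shows only web-port traffic to US addresses and one reverse DNS lookup. The following is an added example, not part of the sandbox report, that parses both tables as printed, counts connections per endpoint, decodes the PTR query name back to the address that was looked up, and flags repeated connections to a non-standard port as the C2 candidate. The repeat threshold is an assumption to tune against your own baseline.

```python
"""Summarise the Network tables and single out likely C2 endpoints.

Added example for this report, not the sandbox's own output. The rows
are the Network entries from both runs; the Windows 7 table repeats the
TCP/1337 destination 39 times, which is reproduced here by repetition.
The repeat threshold is an assumption to tune against your own baseline.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE_ROWS = [
    "US 20.189.173.10:443 tcp",
    "US 52.242.97.97:443 tcp",
    "US 8.253.208.113:80 tcp",
    "US 8.253.208.113:80 tcp",
    "US 209.197.3.8:80 tcp",
    "US 8.8.8.8:53 15.89.54.20.in-addr.arpa udp",
] + ["FR 92.222.205.129:1337 tcp"] * 39

# One table row: country, ip:port, optional domain, protocol.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


class Endpoint(NamedTuple):
    ip: str
    port: int
    proto: str


class Summary(NamedTuple):
    endpoint: Endpoint
    country: str
    domain: str
    connections: int
    label: str


def reverse_lookup_target(domain: str) -> Optional[str]:
    """Turn a PTR query name (x.y.z.w.in-addr.arpa) back into the IP w.z.y.x."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def classify(ep: Endpoint, count: int, domain: str, repeat_threshold: int = 5) -> str:
    if ep.proto == "udp" and ep.port == 53:
        target = reverse_lookup_target(domain)
        return f"DNS: PTR lookup of {target}" if target else f"DNS: {domain or 'query'}"
    if ep.port in (80, 443):
        return "web port: resolve destination ownership before treating as benign"
    if count >= repeat_threshold:
        return "repeated connections to a non-standard port: C2 candidate"
    return "non-standard port"


def summarise(rows: List[str]) -> List[Summary]:
    """Aggregate rows per endpoint, most connections first; skips the header line."""
    counts: Counter = Counter()
    meta: Dict[Endpoint, Tuple[str, str]] = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        ep = Endpoint(m["ip"], int(m["port"]), m["proto"])
        counts[ep] += 1
        meta.setdefault(ep, (m["cc"], m["domain"] or ""))
    return [Summary(ep, *meta[ep], n, classify(ep, n, meta[ep][1])) for ep, n in counts.most_common()]


def c2_candidates(rows: List[str]) -> List[Summary]:
    return [s for s in summarise(rows) if s.label.endswith("C2 candidate")]


if __name__ == "__main__":
    for s in summarise(SAMPLE_ROWS):
        print(f"{s.connections:3d}  {s.country}  {s.endpoint.ip}:{s.endpoint.port}/{s.endpoint.proto}  {s.label}")
```

Only 92.222.205.129:1337 comes out as a C2 candidate. The web-port rows are deliberately not cleared as benign: sandbox background traffic on 80/443 is common, but the page gives no ownership for those addresses, so the label tells the analyst to resolve it rather than assume it.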

Files

memory/944-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

C:\Users\Admin\AppData\Roaming\67779.exe (recorded five times in the sandbox output, under both \Users\... and C:\Users\... spellings of the path)

MD5 a18dcc398139154de6b694db84b46a20
SHA1 c75bea6cad85a87e42c2b4e6e3e756bdc78e15b5
SHA256 56a811fd6dffbdc6ea4fd497fbb2d3db0d47045deba2d235d6fe13c3cd73faea
SHA512 a3617cdfc1573addecd06628ba210265203aa6213565cc6dc7b655fc186b9a24bffb20c9b600c5db5701375aaa7f1c6e67659c3f33e28ec837a0c10a6dab1fdf

Note: the SHA256 is identical to the submitted sample, so 67779.exe is a byte-for-byte self-copy, the same as 98925.exe on the Windows 10 run; the on-disk file is the dropper, not the unpacked RAT.

memory/936-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xd

MD5 78ba668db1856f03ec5ad0390fc9a37f
SHA1 d6ca40967c71c602827cb58fe07e2598280be564
SHA256 e18bb1fb9dd27e14a6f672b5ce3c891b3a0ae50deb7b2a751c83817f6c1e6d4b
SHA512 f25d8585680592aba09c9d878da1cde29a5119e769ddf782f943ecd26ce9732a031314ee7c1708b072a84c8e2c5b0ee6f4e94f9c4a9b9feda00a50be44bfaa3b

memory/1104-64-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-65-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-67-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-68-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-69-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-70-0x000000000045A3CE-mapping.dmp

memory/1104-72-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-74-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-75-0x0000000000350000-0x0000000000378000-memory.dmp

memory/1104-78-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-77-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-81-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-83-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-82-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-80-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-79-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-85-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-88-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-87-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-91-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-93-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-94-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-96-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1104-97-0x0000000000380000-0x000000000038E000-memory.dmp

memory/1104-99-0x00000000003B0000-0x00000000003C6000-memory.dmp

Note: every dump for PID 1104 is of the vbc.exe process that 67779.exe wrote into and then redirected with SetThreadContext. Since the on-disk files are only copies of the dropper, the repeated 0x0000000000400000-0x0000000000460000 snapshots of PID 1104 are the natural starting point for carving the injected payload.