Malware Analysis Report

2024-11-13 15:44

Sample ID 221029-g3pzrsdhg6
Target 747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f
SHA256 747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f
Tags
imminent persistence spyware trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f

Threat Level: Known bad

The file 747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f was found to be: Known bad.

Observed execution chain (from the behavioral runs below): the AutoIt-compiled sample writes incl1, incl2 and an AutoIt script (471612 on Windows 7, 431745 on Windows 10; identical hashes) to the user's Temp directory and re-launches itself with /AutoIt3ExecuteScript on that script. The second instance starts vbc.exe (the Visual Basic .NET command-line compiler, which the sandbox signature calls the "VBS compiler") with no arguments, writes to its memory and sets its thread context, a sequence consistent with process hollowing; in behavioral2 the memory dumps in the Files section come from that vbc.exe process (PID 5108). The sandbox recorded repeated TCP connections to mrsrizap.myftp.info (192.161.50.186) on port 9003. Persistence is an HKCU ...\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value with an empty value name whose data is the sample's original path under Temp.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-29 06:20

Signatures

AutoIT Executable

Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2022-10-29 06:19
Reported:         2022-10-29 10:07
Platform:         win7-20220812-en
Max time kernel:  3s
Max time network: 21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe

"C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe"

C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe

"C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\471612" "C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country  Destination          Domain               Proto
US       8.8.8.8:53           mrsrizap.myftp.info  udp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp

Files

memory/880-54-0x0000000075071000-0x0000000075073000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\incl1

MD5 f1aea9efe24e452d8a9eb0a4842544f7
SHA1 164b9432f979a9cb4d0201e5e0a81b3d495227fe
SHA256 5da7e85eb26c186bfb9c958d7ba60927505d10b98a0085a0ea40ee2bfe4c2805
SHA512 6e6ff192b325ab4504f3048720d612050f9787bc2ed481bdc8440213e68fd1e5b7b2743a216bb46a4e6041d12dca94c439459f6ac5123738e194c59eabbc4c58

C:\Users\Admin\AppData\Local\Temp\incl2

MD5 da762791bd50ce2e673922065e4079c3
SHA1 8978934f2085e927a4a795fc661dc0240293ec08
SHA256 b977088533acc2d4abef9d42b7f0457d146b8c0a5614162c63775736930ab821
SHA512 f27c0104c6736ef6cc3ba996db92757f6d68efde9f913215425c167b17a93aa11e4dc92b1f6624b8a8cf01415f4a958453fbabe723592fe87cb330ed9bb6e76a

C:\Users\Admin\AppData\Local\Temp\471612

MD5 4f05ae9813ba8650fb68dfa80fd648c8
SHA1 91d715de6f2a937c810497acf8a647815c7d40ca
SHA256 1ed1cd3d17b48dd1549d7441575eddffbfddb2a0a72894fda9330edae155b216
SHA512 978b5b587cdb9cefb154c8a4c3cd16b40d7cc01d0a33060982ffdf452f2b94f5a0ee880818b0855bec7e926e5a96753db5fe46fe85e1e6d7774dd6f9144c4ff3

memory/1052-55-0x0000000000000000-mapping.dmp

memory/1284-60-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-63-0x00000000000DA3DE-mapping.dmp

memory/1284-62-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-67-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-65-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-68-0x0000000000500000-0x0000000000528000-memory.dmp

memory/1284-72-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-81-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-89-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-87-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-86-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-84-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-80-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-78-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-76-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-75-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-74-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-73-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-71-0x0000000000080000-0x00000000000E0000-memory.dmp

memory/1284-70-0x0000000000080000-0x00000000000E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2022-10-29 06:19
Reported:         2022-10-29 10:07
Platform:         win10v2004-20220901-en
Max time kernel:  144s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description: Key value queried
Indicator:   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Process:     C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe
Target:      N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence

Description: Key created
Indicator:   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Process:     C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe
Target:      N/A

Description: Set value (str)
Indicator:   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe" (the value name is empty; the data is the sample's own path under Temp)
Process:     C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe
Target:      N/A

Suspicious use of SetThreadContext

Description: PID 2416 set thread context of 5108
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe
Target:      C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator:   N/A
Process:     C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Target:      N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Target:      N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator:   N/A
Process:     C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Target:      N/A

Suspicious use of WriteProcessMemory

Description: PID 4756 wrote to memory of 2416 (3 events)
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe
Target:      C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe

Description: PID 2416 wrote to memory of 5108 (5 events)
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe
Target:      C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
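The signature tables above describe three host-side behaviours worth turning into detection logic: the sample re-executing itself with /AutoIt3ExecuteScript on a script under Temp, a .NET compiler (vbc.exe) started with an empty command line by a non-build process and then written to and SetThreadContext'ed, and a Run value whose data points into Temp. The following is an added example, not part of the sandbox report: it replays constructed process-creation and registry events modelled on the behavioral2 PID chain (4756 -> 2416 -> 5108) and applies those three rules. The benign controls (an MSBuild-spawned vbc.exe with arguments, a OneDrive Run value, the parent PID 1000) and the build-tool allow list are assumptions for the example.

```python
import re

# Constants taken from the report: sample name, Temp path, vbc.exe path, Run key.
SAMPLE = "747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
SCRIPT_PATH = TEMP + "\\431745"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Constructed process-creation events modelled on the behavioral2 run.
# PID 1000 and the MSBuild/vbc pair (6000/6001) are assumed benign controls.
MSBUILD = r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"
PROC_EVENTS = [
    {"pid": 4756, "ppid": 1000, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 2416, "ppid": 4756, "image": SAMPLE_PATH,
     "cmdline": f'"{SAMPLE_PATH}" /AutoIt3ExecuteScript "{SCRIPT_PATH}" "{SAMPLE_PATH}"'},
    {"pid": 5108, "ppid": 2416, "image": VBC, "cmdline": f'"{VBC}"'},
    {"pid": 6000, "ppid": 1000, "image": MSBUILD, "cmdline": f'"{MSBUILD}" app.vbproj'},
    {"pid": 6001, "ppid": 6000, "image": VBC,
     "cmdline": f'"{VBC}" /noconfig @"C:\\build\\obj\\app.rsp"'},
]

# Constructed registry events: the first mirrors the report's Run value with an
# empty value name; the OneDrive entry is an assumed benign control.
REG_EVENTS = [
    {"key": RUN_KEY, "name": "", "data": SAMPLE_PATH},
    {"key": RUN_KEY, "name": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # assumed allow list


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rule_autoit_self_reexec(ev, by_pid):
    """Same image as its parent, relaunched with /AutoIt3ExecuteScript on a script in Temp."""
    args = split_cmdline(ev["cmdline"])
    lowered = [a.lower() for a in args]
    if "/autoit3executescript" not in lowered:
        return None
    i = lowered.index("/autoit3executescript")
    script = args[i + 1] if i + 1 < len(args) else ""
    parent = by_pid.get(ev["ppid"])
    if parent and basename(parent["image"]) == basename(ev["image"]) and TEMP_RE.search(script):
        return {"rule": "autoit_self_reexec", "pid": ev["pid"], "script": script}
    return None


def rule_compiler_no_args(ev, by_pid):
    """A .NET compiler started with no arguments by something that is not a build tool."""
    if basename(ev["image"]) not in DOTNET_COMPILERS:
        return None
    parent = by_pid.get(ev["ppid"])
    parent_name = basename(parent["image"]) if parent else ""
    if len(split_cmdline(ev["cmdline"])) <= 1 and parent_name not in BUILD_PARENTS:
        return {"rule": "dotnet_compiler_no_args", "pid": ev["pid"], "parent": parent_name}
    return None


def rule_run_value_temp_path(ev):
    """Run/RunOnce value whose data points into a user-writable Temp path."""
    if RUN_KEY_RE.search(ev["key"]) and TEMP_RE.search(ev["data"]):
        return {"rule": "run_value_temp_path", "name": ev["name"], "data": ev["data"]}
    return None


def run_detections(proc_events, reg_events):
    """Apply the three rules; returns one dict per hit in event order."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for ev in proc_events:
        for rule in (rule_autoit_self_reexec, rule_compiler_no_args):
            hit = rule(ev, by_pid)
            if hit:
                hits.append(hit)
    for ev in reg_events:
        hit = rule_run_value_temp_path(ev)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in run_detections(PROC_EVENTS, REG_EVENTS):
        print(hit)
```

Run against the constructed events this yields exactly three hits (PID 2416, PID 5108 and the empty-name Run value) and none for the MSBuild/vbc pair or the OneDrive value. The compiler rule keys on an empty command line because a real compiler invocation always carries sources or a response file; the Run rule deliberately ignores the value name, since this sample's is empty.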

Processes

C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe

"C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe"

C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe

"C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\431745" "C:\Users\Admin\AppData\Local\Temp\747512167a5312b2c074ecc57b057f6c1d58f5d46bbb373687aaed016fab5f9f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country  Destination          Domain               Proto
US       8.8.8.8:53           mrsrizap.myftp.info  udp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp
US       93.184.220.29:80                          tcp
US       20.42.73.24:443                           tcp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp
US       8.8.8.8:53           mrsrizap.myftp.info  udp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp
NL       178.79.208.1:80                           tcp
US       8.8.8.8:53           mrsrizap.myftp.info  udp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp
NL       104.80.225.205:443                        tcp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp
US       8.8.8.8:53           mrsrizap.myftp.info  udp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp
US       192.161.50.186:9003  mrsrizap.myftp.info  tcp
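The network table mixes the RAT's traffic with ordinary Windows background connections on ports 80 and 443. The following is an added example, not part of the sandbox report: it parses the rows above (copied inline in the report's own column order), separates the DNS lookups from the connections, groups connections by destination and port, and flags the candidate C2 by three signals (a dynamic-DNS style hostname, an uncommon port, repeated connections). The dynamic-DNS suffix list, the set of ports treated as ordinary and the repeat threshold are assumptions for the example; in production replace the suffix list with a maintained feed.

```python
from collections import defaultdict

# Rows copied from the behavioral2 network table: Country, Destination,
# Domain (absent when the sandbox recorded none), Proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 mrsrizap.myftp.info udp
US 192.161.50.186:9003 mrsrizap.myftp.info tcp
US 93.184.220.29:80 tcp
US 20.42.73.24:443 tcp
US 192.161.50.186:9003 mrsrizap.myftp.info tcp
US 8.8.8.8:53 mrsrizap.myftp.info udp
US 192.161.50.186:9003 mrsrizap.myftp.info tcp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 mrsrizap.myftp.info udp
US 192.161.50.186:9003 mrsrizap.myftp.info tcp
NL 104.80.225.205:443 tcp
US 192.161.50.186:9003 mrsrizap.myftp.info tcp
US 8.8.8.8:53 mrsrizap.myftp.info udp
US 192.161.50.186:9003 mrsrizap.myftp.info tcp
US 192.161.50.186:9003 mrsrizap.myftp.info tcp
"""

# Assumptions, not from the report: a starting list of free dynamic-DNS
# suffixes, the ports treated as ordinary, and the repeat threshold.
DYNDNS_SUFFIXES = ("myftp.info", "myftp.biz", "no-ip.org", "ddns.net",
                   "hopto.org", "zapto.org", "duckdns.org")
COMMON_PORTS = {53, 80, 443}
MIN_REPEATS = 3


def parse_rows(text):
    """Turn the report's whitespace-separated rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_dyndns(domain):
    return bool(domain) and any(domain == s or domain.endswith("." + s)
                                for s in DYNDNS_SUFFIXES)


def triage(text):
    """Group connections by ip:port:proto, count DNS lookups per name, flag likely C2.

    Returns (findings sorted with suspects first, dns_lookups)."""
    dns_lookups = defaultdict(int)
    flows = {}
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53:
            dns_lookups[r["domain"]] += 1      # resolver traffic, not a peer
            continue
        key = (r["ip"], r["port"], r["proto"])
        f = flows.setdefault(key, {"ip": r["ip"], "port": r["port"], "proto": r["proto"],
                                   "country": r["country"], "domain": None, "count": 0})
        f["count"] += 1
        f["domain"] = f["domain"] or r["domain"]
    findings = []
    for f in flows.values():
        reasons = []
        if is_dyndns(f["domain"]):
            reasons.append("dynamic-dns hostname")
        if f["port"] not in COMMON_PORTS:
            reasons.append(f"uncommon port {f['port']}")
        if f["count"] >= MIN_REPEATS:
            reasons.append(f"{f['count']} repeated connections")
        f["reasons"] = reasons
        # A dynamic-DNS peer is enough on its own; otherwise need port + repetition.
        f["suspect"] = is_dyndns(f["domain"]) or (
            f["port"] not in COMMON_PORTS and f["count"] >= MIN_REPEATS)
        findings.append(f)
    findings.sort(key=lambda f: (not f["suspect"], -f["count"]))
    return findings, dict(dns_lookups)


def iocs(findings):
    """Blockable indicators (ip:port and hostname) for every suspect flow."""
    out = set()
    for f in findings:
        if f["suspect"]:
            out.add(f"{f['ip']}:{f['port']}")
            if f["domain"]:
                out.add(f["domain"])
    return sorted(out)


if __name__ == "__main__":
    findings, dns = triage(NETWORK_ROWS)
    for f in findings:
        print(f["ip"], f["port"], f["count"], f["suspect"], ", ".join(f["reasons"]))
    print("dns:", dns, "iocs:", iocs(findings))
```

On the rows above the only suspect flow is 192.161.50.186:9003 (7 TCP connections, resolved four times as mrsrizap.myftp.info); the single connections to 93.184.220.29:80, 20.42.73.24:443, 178.79.208.1:80 and 104.80.225.205:443 fall below every threshold. Note that the sandbox table does not record which process opened each connection, so attribution to vbc.exe has to come from the host-side events, not from this table.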

Files

memory/2416-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\431745

MD5 4f05ae9813ba8650fb68dfa80fd648c8
SHA1 91d715de6f2a937c810497acf8a647815c7d40ca
SHA256 1ed1cd3d17b48dd1549d7441575eddffbfddb2a0a72894fda9330edae155b216
SHA512 978b5b587cdb9cefb154c8a4c3cd16b40d7cc01d0a33060982ffdf452f2b94f5a0ee880818b0855bec7e926e5a96753db5fe46fe85e1e6d7774dd6f9144c4ff3

C:\Users\Admin\AppData\Local\Temp\incl2

MD5 46d4e1a1da425165cfc29d9524cb3b16
SHA1 e91c7c45d633355a071a09a6a6b9b03ee792653e
SHA256 1112a86e6766836537f01ee0bf64aa0856805b65eabd873805046af130dbe176
SHA512 c67069eda617221a3fc6733d61bfa54b8774b84567a5ec075042704ae08affdde39369d0287f1bba6b2b386daa3c4ca5c7319cc0d95bd4197932ec6c91bbb7b9

C:\Users\Admin\AppData\Local\Temp\incl1

MD5 f1aea9efe24e452d8a9eb0a4842544f7
SHA1 164b9432f979a9cb4d0201e5e0a81b3d495227fe
SHA256 5da7e85eb26c186bfb9c958d7ba60927505d10b98a0085a0ea40ee2bfe4c2805
SHA512 6e6ff192b325ab4504f3048720d612050f9787bc2ed481bdc8440213e68fd1e5b7b2743a216bb46a4e6041d12dca94c439459f6ac5123738e194c59eabbc4c58

memory/5108-136-0x0000000000000000-mapping.dmp

memory/5108-137-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-139-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-140-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-141-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-142-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-143-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-144-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-145-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-147-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-149-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-150-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-153-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-155-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-156-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-158-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5108-159-0x00000000094A0000-0x000000000953C000-memory.dmp

memory/5108-160-0x0000000009AF0000-0x000000000A094000-memory.dmp