Malware Analysis Report

2024-11-13 15:44

Sample ID: 221029-gmtm1sebaj
Target: 7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae
SHA256: 7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae
Tags: imminent, spyware, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae

Threat Level: Known bad

The file 7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae was found to be: Known bad.

Malicious Activity Summary

Tags: imminent, spyware, trojan

Imminent RAT

Loads dropped DLL

Drops startup file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-29 05:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-29 05:55
Reported: 2022-10-29 09:59
Platform: win10v2004-20220812-en
Max time kernel: 2s
Max time network: 34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe"

Signatures

N/A

Processes

Path: C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe"

Network

Country | Destination          | Domain | Proto
US      | 209.197.3.8:80       |        | tcp
SA      | 46.151.208.223:1606  |        | tcp

Files

memory/3792-132-0x0000000075170000-0x0000000075721000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-29 05:55
Reported: 2022-10-29 09:58
Platform: win7-20220901-en
Max time kernel: 145s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe"

Signatures

Imminent RAT

Tags: trojan, spyware, imminent

Drops startup file

Description  | Indicator                                                                                 | Process                                                                                                              | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlrznz68m.lnk | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process                                                                                                              | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description              | Indicator | Process                                                                                                              | Target
Token: SeDebugPrivilege  | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process                                                                                                              | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | N/A

Suspicious use of WriteProcessMemory

Description                    | Indicator | Process                                                                                                              | Target
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
PID 852 wrote to memory of 900 | N/A       | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe | C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe

Processes

Path: C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe"

Path: C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae.exe"

Network

Country | Destination          | Domain | Proto
SA      | 46.151.208.223:1606  |        | tcp
SA      | 46.151.208.223:1606  |        | tcp
SA      | 46.151.208.223:1606  |        | tcp
SA      | 46.151.208.223:1606  |        | tcp
SA      | 46.151.208.223:1606  |        | tcp
SA      | 46.151.208.223:1606  |        | tcp

Files


\Users\Admin\AppData\Roaming\V8hIi9FwLiiV\nlrznz68m.exe

MD5: f8dbd137df3dd83bd74648911ab229ef
SHA1: 27611396d414764116f6f2ac26c6074236127dfc
SHA256: 7755e60fb4b201a7aa29e57dd7f31c6ae02aa3dbae3c045d6417d80d55a88fae
SHA512: 5ce8b67bed92db04cdbf1d410f4162bfbcce33f2a6f19fd9102dad1a7205078d268990812538095340b047b952e7228aae2148eac811097346250d766ab64793
