Malware Analysis Report

2024-11-15 08:10

Sample ID 221030-n9zk4saac8
Target c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a
SHA256 c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a

Threat Level: Known bad

The file c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-30 12:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-30 12:06

Reported

2022-10-31 02:25

Platform

win7-20220812-en

Max time kernel

55s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe

"C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe"

C:\Windows\temp\notepad.exe

C:\Windows\temp\notepad.exe

Network

N/A

Files

memory/900-54-0x0000000076071000-0x0000000076073000-memory.dmp

memory/900-55-0x0000000074790000-0x0000000074D3B000-memory.dmp

\Windows\Temp\notepad.exe

MD5 278edbd499374bf73621f8c1f969d894
SHA1 a81170af14747781c5f5f51bb1215893136f0bc0
SHA256 c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

memory/900-57-0x0000000074790000-0x0000000074D3B000-memory.dmp

memory/900-58-0x0000000074790000-0x0000000074D3B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-30 12:06

Reported

2022-10-31 02:25

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\temp\notepad.exe N/A
N/A N/A C:\Users\Admin\AppData\RoamingRealmPlayer.exe N/A
N/A N/A C:\Windows\temp\notepad.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\temp\notepad.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Windows\temp\notepad.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\temp\notepad.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4880 set thread context of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 3264 set thread context of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Windows\temp\notepad.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Windows\temp\notepad.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Windows\temp\notepad.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\temp\notepad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\temp\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\temp\notepad.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\temp\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 4880 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 2184 N/A C:\Windows\temp\notepad.exe C:\Users\Admin\AppData\RoamingRealmPlayer.exe
PID 3264 wrote to memory of 2184 N/A C:\Windows\temp\notepad.exe C:\Users\Admin\AppData\RoamingRealmPlayer.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 3264 wrote to memory of 1548 N/A C:\Windows\temp\notepad.exe C:\Windows\temp\notepad.exe
PID 2184 wrote to memory of 312 N/A C:\Users\Admin\AppData\RoamingRealmPlayer.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 2184 wrote to memory of 312 N/A C:\Users\Admin\AppData\RoamingRealmPlayer.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe

"C:\Users\Admin\AppData\Local\Temp\c4ee35c5a13033a9adc0da1c99c9b4bbc9a7572ca4e697fa6868a8b44ff1987a.exe"

C:\Windows\temp\notepad.exe

C:\Windows\temp\notepad.exe

C:\Users\Admin\AppData\RoamingRealmPlayer.exe

"C:\Users\Admin\AppData\RoamingRealmPlayer.exe"

C:\Windows\temp\notepad.exe

"C:\Windows\temp\notepad.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 824

Network

Country Destination Domain Proto
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 20.189.173.1:443 tcp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
NL 87.248.202.1:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp
US 8.8.8.8:53 jewmeister.ddns.net udp

Files

memory/4880-132-0x0000000074CB0000-0x0000000075261000-memory.dmp

memory/3264-133-0x0000000000000000-mapping.dmp

memory/3264-134-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\temp\notepad.exe

MD5 a64daca3cfbcd039df3ec29d3eddd001
SHA1 eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512 b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

C:\Windows\Temp\notepad.exe

MD5 a64daca3cfbcd039df3ec29d3eddd001
SHA1 eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512 b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

memory/3264-137-0x0000000074CB0000-0x0000000075261000-memory.dmp

memory/2184-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\RoamingRealmPlayer.exe

MD5 7a607550e6bcafcf6024216d4a12162c
SHA1 849336bc7b847fd35311a921eaa5eb7b7e051542
SHA256 5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb
SHA512 f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4

C:\Users\Admin\AppData\RoamingRealmPlayer.exe

MD5 7a607550e6bcafcf6024216d4a12162c
SHA1 849336bc7b847fd35311a921eaa5eb7b7e051542
SHA256 5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb
SHA512 f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4

memory/1548-141-0x0000000000000000-mapping.dmp

memory/1548-142-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Windows\Temp\notepad.exe

MD5 a64daca3cfbcd039df3ec29d3eddd001
SHA1 eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3
SHA256 403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36
SHA512 b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

memory/1548-145-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-146-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-147-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-148-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-149-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-150-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-152-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-151-0x0000000074CB0000-0x0000000075261000-memory.dmp

memory/1548-154-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-156-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-157-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-160-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-162-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-163-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1548-165-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2184-166-0x00007FFB83710000-0x00007FFB84146000-memory.dmp

memory/312-167-0x0000000000000000-mapping.dmp

memory/4880-168-0x0000000074CB0000-0x0000000075261000-memory.dmp

memory/3264-169-0x0000000074CB0000-0x0000000075261000-memory.dmp

memory/1548-170-0x0000000074CB0000-0x0000000075261000-memory.dmp

memory/4880-171-0x0000000074CB0000-0x0000000075261000-memory.dmp