Analysis Overview
SHA256
1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab
Threat Level: Known bad
The file 1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 22:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 22:07
Reported
2022-06-13 03:35
Platform
win7-20220414-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
Imminent RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe
"C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe"
C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe
"C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | solarintel.linkpc.net | udp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | | tcp |
Files
memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp
memory/2024-55-0x0000000074B90000-0x000000007513B000-memory.dmp
\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe
| MD5 | bcfb9b84aba103a8b57e20b3cb9559ba |
| SHA1 | a114b061796f259e86601ec82fe453d280036f36 |
| SHA256 | 1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab |
| SHA512 | e852ec7807fa061a9fbb8abb9033e4521e0c130a6de4953d0b6673fd6d420fa7102a51c18892c19b898abd38a78cf394a54a09a6030d37594f7a3088eed4bec0 |
C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe
| MD5 | bcfb9b84aba103a8b57e20b3cb9559ba |
| SHA1 | a114b061796f259e86601ec82fe453d280036f36 |
| SHA256 | 1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab |
| SHA512 | e852ec7807fa061a9fbb8abb9033e4521e0c130a6de4953d0b6673fd6d420fa7102a51c18892c19b898abd38a78cf394a54a09a6030d37594f7a3088eed4bec0 |
memory/580-58-0x0000000000000000-mapping.dmp
memory/588-62-0x0000000000000000-mapping.dmp
memory/580-63-0x0000000074B90000-0x000000007513B000-memory.dmp
memory/892-64-0x0000000000000000-mapping.dmp
memory/2024-65-0x0000000074B90000-0x000000007513B000-memory.dmp
memory/580-66-0x0000000074B90000-0x000000007513B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 22:07
Reported
2022-06-13 03:35
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
139s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe
"C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe"
C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe
"C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 88.221.144.192:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.25.243:80 | | tcp |
| NL | 13.69.109.131:443 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| NL | 8.248.3.254:80 | | tcp |
| NL | 8.248.3.254:80 | | tcp |
| US | 8.251.167.126:80 | | tcp |
Files
memory/3568-130-0x0000000074CF0000-0x00000000752A1000-memory.dmp
memory/2040-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe
| MD5 | bcfb9b84aba103a8b57e20b3cb9559ba |
| SHA1 | a114b061796f259e86601ec82fe453d280036f36 |
| SHA256 | 1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab |
| SHA512 | e852ec7807fa061a9fbb8abb9033e4521e0c130a6de4953d0b6673fd6d420fa7102a51c18892c19b898abd38a78cf394a54a09a6030d37594f7a3088eed4bec0 |
memory/1180-134-0x0000000000000000-mapping.dmp
memory/2040-135-0x0000000074CF0000-0x00000000752A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\1e23bbbc5a3883083984f90130b842709bbdda27370f33190c7637373eab94ab.exe.log
| MD5 | 36c85b51fe803ac6009874a8f4a4879a |
| SHA1 | b33dfa5c3cb416db33a167edad92d1e678fd6c5f |
| SHA256 | b3d71b4a609a9b0e117b5b2acdfbb9b59d71aae2f27b5f9bc3f03796949dfb03 |
| SHA512 | e9efd16b585cbe747d46da115474a957e969b067c478628cae47bd84f13575a8d737f6256dd65907e05c3556e668a0deaf6a0393382815d799c3959233ec38eb |
memory/2040-138-0x0000000074CF0000-0x00000000752A1000-memory.dmp
memory/2700-137-0x0000000000000000-mapping.dmp
memory/3568-139-0x0000000074CF0000-0x00000000752A1000-memory.dmp