Analysis Overview
SHA256
2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25
Threat Level: Known bad
The file 2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-15 01:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-15 01:13
Reported
2022-06-15 06:03
Platform
win7-20220414-en
Max time kernel
150s
Max time network
47s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MALJuv.url | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1180 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
"C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7B8.tmp" "c:\Users\Admin\AppData\Local\Temp\g0jza0mz\CSCEF8830EFB02F43AA87C7606F54B15EC.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
Files
memory/1180-54-0x0000000000E70000-0x0000000000F7E000-memory.dmp
memory/2032-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.cmdline
| MD5 | 8966c6bda0651e5267aebfadf26e2daf |
| SHA1 | 37b60a2c79e8d2587271972cb0e0dbbd15b822a0 |
| SHA256 | 38aac28786f4fa18fc72301eac3c61075096e2d060ced8d0d674d7a078e39ef6 |
| SHA512 | cffa108babd8e92cb7ae70d078f5aa07fd0d1b4384e03482d3dff9af29913b4e4ac497c81daa0c7149594cd627a320ee557ce62a2a2455da24f5fa80d708ad71 |
\??\c:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.0.cs
| MD5 | e5dd8220d0289c5c42153bb8a88f21b5 |
| SHA1 | 0a370af3c4ddc1b4be1d5e0b748850b82dfd0c6c |
| SHA256 | f4ef08fc01a3936434d6e4475f40f2e81b168e26827117da560e6f169e5754fc |
| SHA512 | 630d78780ef789d587a91d98c081dc257efe9dd1514d905f9fae5cff2c0e59fa5227d15567088ae41c5f4ac7f06bb61c899f9eeac4085926e619a97ce3adb956 |
memory/2012-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\g0jza0mz\CSCEF8830EFB02F43AA87C7606F54B15EC.TMP
| MD5 | ef4096a4b9ff1c84d13da35bdc764942 |
| SHA1 | 6a0f81d4ce1ee8bd65e3656a28328369809b227d |
| SHA256 | d71a0b63fe6dda03cac74e6caa08c2b115a0273be5a9b8df2f55a9e432cc744c |
| SHA512 | 5190157b5037615ef51ab1485ea4915ac14ad231156e457bfce1994dc00d145611eecd1dc08e3e7b0377d2a9fa5a13faedfa40d272ebc17ca563bdcceb97ae68 |
C:\Users\Admin\AppData\Local\Temp\RESF7B8.tmp
| MD5 | e280916bea8d37a5f5651e9e060ff6a2 |
| SHA1 | edfc1f3048d4cf54961a4ba1928044eb5c56e813 |
| SHA256 | 7ec95722bd36f25b5abccf9aa11b8200d8840ccb99e37b994c65354a62019faa |
| SHA512 | 489de9ca4a1ff75701f39433f8763247739151b7fc3fb3701d236c7df94cfaf72411ec2213c3ac9ab288f000141bc9af069b12ecdc177ab3669eb476ad4dda39 |
C:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.pdb
| MD5 | c3647f38c0edc13a26638432a878c41e |
| SHA1 | 017f17c8cb1f671df9526550deac42362f48a0dc |
| SHA256 | cb2fcd78711c00ed64519e44d7c0d1b06625976e4e31018b714b6dc0751167de |
| SHA512 | 858783b6b1bcde62a398ce0a0b278d9eda6c439779557eadb65d6ad5eb7c368106124ae8c859a5705271011346b8c26e94cb272bb8af0f680d1d0a5e74d3b387 |
C:\Users\Admin\AppData\Local\Temp\g0jza0mz\g0jza0mz.dll
| MD5 | 9ce98bb5e2fff8edb92c45a189fcc4a4 |
| SHA1 | aa8296aa7930bf80ff5c1e6f265d91f4635a5628 |
| SHA256 | 1f2f8d9dab92d2facc26f82cf4358d5bc918153a997c1ac3b5551b933b4c9e1c |
| SHA512 | 9c3deac32442b49739214c23de2a86d1261198ad2616a03eeb2faf3dc52edc31bcae9699e9e1cd24ac26aaf803e0adf2311c2ab0ea44bce6bfb39d220cdbe682 |
memory/1180-63-0x0000000000350000-0x000000000035C000-memory.dmp
memory/1180-64-0x0000000004B10000-0x0000000004B70000-memory.dmp
memory/1180-65-0x0000000000460000-0x000000000046C000-memory.dmp
memory/1180-66-0x0000000076C81000-0x0000000076C83000-memory.dmp
memory/1180-67-0x0000000004B70000-0x0000000004BC6000-memory.dmp
memory/1248-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1248-69-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1248-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1248-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1248-73-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1248-74-0x0000000000451E5E-mapping.dmp
memory/1248-76-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1248-78-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1248-80-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/1248-81-0x0000000074B80000-0x000000007512B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-15 01:13
Reported
2022-06-15 06:03
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MALJuv.url | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4556 set thread context of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe
"C:\Users\Admin\AppData\Local\Temp\2bb661414e83dc066f346fa9a3dbb1666ca7a7e200c9e80c8e3c2d15041bcc25.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB088.tmp" "c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\CSCC63713C99A4F4447922FAF6A92FC7E3E.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.109.88.36:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| FR | 2.18.109.224:443 | | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| IE | 13.69.239.73:443 | | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 104.18.25.243:80 | | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
Files
memory/4556-130-0x00000000004E0000-0x00000000005EE000-memory.dmp
memory/3768-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.cmdline
| MD5 | 70ec0cdc336ae9e0cd6e0336757ddcce |
| SHA1 | 6edf58dd732a65825b50c28ab46fa161bf33b80e |
| SHA256 | 154fb756c00ce5f61f2359412630180221f8ee404b1e612d6da70df8a8f593a8 |
| SHA512 | 4a845d1ef6fed4eeede246db743bb82e9474a82bfec1ffd50f1663a0d8a7c7cba125e3a50131151c53ae213c4e1dbe70ddd4755c3b4ba088986e056787c516a5 |
\??\c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.0.cs
| MD5 | e5dd8220d0289c5c42153bb8a88f21b5 |
| SHA1 | 0a370af3c4ddc1b4be1d5e0b748850b82dfd0c6c |
| SHA256 | f4ef08fc01a3936434d6e4475f40f2e81b168e26827117da560e6f169e5754fc |
| SHA512 | 630d78780ef789d587a91d98c081dc257efe9dd1514d905f9fae5cff2c0e59fa5227d15567088ae41c5f4ac7f06bb61c899f9eeac4085926e619a97ce3adb956 |
memory/2736-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\0rkxrlpo\CSCC63713C99A4F4447922FAF6A92FC7E3E.TMP
| MD5 | df86a0e9dcbb5289eb56082c6c40631a |
| SHA1 | fbf1979a0c5cea215e30903d02ef90bbccf9a46a |
| SHA256 | e96f7c57790e644c417b8d47b5e6a157e486c1dbaf57cca8231891183d403144 |
| SHA512 | ff382b1c639c604f50af9eaa07ccfa92eb2b3090755f1b28010e496a991d80da34d41318e0def0773f73afb460a8d9c3c916c4ea182e9648127437ece25e772e |
C:\Users\Admin\AppData\Local\Temp\RESB088.tmp
| MD5 | 6dfe601e918f1f1251edccb85d536f08 |
| SHA1 | bd4aceb9b57d0cf33092f2f726d7b21cd7d24f01 |
| SHA256 | 10e5cd9631a6ba1d8f24dd6ecae94d0eaac63ea91a2bac01b55cb47da1320efc |
| SHA512 | 11eb158ed3e10847b98af936b2d7bce4eca388b993261ddf3bd426947916032c66d8a2315759d850af54a3d9b626a3a94f241801a539721746b076690b31cb25 |
C:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.dll
| MD5 | e5faf873eba79493d5efb9850b69dffb |
| SHA1 | 184b0e2aa7638cb3110fc23f8cbee178bf50a79f |
| SHA256 | 97dc5d80a4ebdfe1bed23135d9ffe0c90cf474640310b043dea2810f26179cdc |
| SHA512 | 264d5d2d2f25f9387071db7ed0a1a2ffeb809ba3941d3aa602a838ee7f41dab4a75634261e98493a6ac1f245e147921dcc5c8b93c33edd9f47be18ab7cb3961c |
C:\Users\Admin\AppData\Local\Temp\0rkxrlpo\0rkxrlpo.pdb
| MD5 | 764a7716cfb5194ada1150e8620e8bd8 |
| SHA1 | 39e9120e827d2efbda1df3dc49ca1cddfbcadaa7 |
| SHA256 | 8406cf6a7c368bfb39c92df618b290e669e4bce32a39b03e3bbdd9fe53a49c1e |
| SHA512 | 7b3795009e06d57e361d5bc19efc26aca1813f012b44a3bd39d87a42928c3d481be993fa078527bdf5f7cf7710c34ad521798cf607a86d2e703d2f1fda1e89a8 |
memory/4556-139-0x0000000005040000-0x00000000050D2000-memory.dmp
memory/4556-140-0x00000000056A0000-0x000000000573C000-memory.dmp
memory/696-141-0x0000000000000000-mapping.dmp
memory/696-142-0x0000000000400000-0x0000000000456000-memory.dmp
memory/696-143-0x0000000074F00000-0x00000000754B1000-memory.dmp
memory/696-144-0x0000000074F00000-0x00000000754B1000-memory.dmp