Analysis Overview
SHA256
2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf
Threat Level: Known bad
The file 2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-15 03:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-15 03:14
Reported
2022-06-15 07:10
Platform
win7-20220414-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNJoej.url | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1824 set thread context of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvva0ea1\vvva0ea1.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B8E.tmp" "c:\Users\Admin\AppData\Local\Temp\vvva0ea1\CSC9F5718CA42034171B9F4D49D7895F38.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CH | 91.192.100.13:1716 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-15 03:14
Reported
2022-06-15 07:10
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNJoej.url | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4596 set thread context of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe
"C:\Users\Admin\AppData\Local\Temp\2b2457c37c5051b7b044da928264ab242b34f37bdebf924a5e563a9f82c3e7bf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbfnjv5r\pbfnjv5r.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6556.tmp" "c:\Users\Admin\AppData\Local\Temp\pbfnjv5r\CSCDD4ED26E253E4288A6FCDC2D874C429.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 13.107.21.200:443 | | tcp |
| CH | 91.192.100.13:1716 | | tcp |
| FR | 2.16.119.157:443 | | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 67.24.169.254:80 | | tcp |
Files