Analysis Overview
SHA256
2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0
Threat Level: Known bad
The file 2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Reported | 2022-06-15 04:48 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2022-06-15 04:48 |
| Reported | 2022-06-15 09:51 |
| Platform | win7-20220414-en |
| Max time kernel | 151s |
| Max time network | 155s |
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1260 set thread context of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | "C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA59.tmp" "c:\Users\Admin\AppData\Local\Temp\hn3shhpe\CSCCC78FC098BE4763AD1BB9A020874148.TMP" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | syscore567678.duckdns.org | udp |
| US | 107.173.62.125:1716 | syscore567678.duckdns.org | tcp |
Files
memory/1260-54-0x0000000000CB0000-0x0000000000D40000-memory.dmp
memory/1940-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.0.cs
memory/1912-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\hn3shhpe\CSCCC78FC098BE4763AD1BB9A020874148.TMP
C:\Users\Admin\AppData\Local\Temp\RESDA59.tmp
C:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.dll
C:\Users\Admin\AppData\Local\Temp\hn3shhpe\hn3shhpe.pdb
Analysis: behavioral2
Detonation Overview
| Submitted | 2022-06-15 04:48 |
| Reported | 2022-06-15 09:51 |
| Platform | win10v2004-20220414-en |
| Max time kernel | 172s |
| Max time network | 179s |
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3092 set thread context of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe | "C:\Users\Admin\AppData\Local\Temp\2aad4859e6294206f25b8bd6828422d88ef00ad40a5f02d293a8b548e31fc7a0.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCDA.tmp" "c:\Users\Admin\AppData\Local\Temp\ddcwaoex\CSC41E329BCF8164DB09F8B98C02B605C51.TMP" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | syscore567678.duckdns.org | udp |
| US | 107.173.62.125:1716 | syscore567678.duckdns.org | tcp |
| US | 20.42.73.26:443 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/3092-130-0x00000000001E0000-0x0000000000270000-memory.dmp
memory/1172-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.0.cs
memory/3120-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ddcwaoex\CSC41E329BCF8164DB09F8B98C02B605C51.TMP
C:\Users\Admin\AppData\Local\Temp\RESCCDA.tmp
C:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.pdb
C:\Users\Admin\AppData\Local\Temp\ddcwaoex\ddcwaoex.dll