Analysis Overview
SHA256
2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723
Threat Level: Known bad
The file 2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
UPX packed file
Drops startup file
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-15 07:02
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-15 07:02
Reported
2022-06-15 13:22
Platform
win7-20220414-en
Max time kernel
37s
Max time network
43s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe
"C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe"
Network
Files
memory/1888-54-0x00000000759E1000-0x00000000759E3000-memory.dmp
memory/1888-55-0x0000000000250000-0x0000000000441000-memory.dmp
memory/1888-56-0x0000000000250000-0x0000000000441000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-15 07:02
Reported
2022-06-15 13:22
Platform
win10v2004-20220414-en
Max time kernel
160s
Max time network
162s
Command Line
Signatures
Imminent RAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMEWDBLD.url | C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3444 set thread context of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe
"C:\Users\Admin\AppData\Local\Temp\2a0c397b31f6b926f1d87ee1c6f50a7fae8a22d01ca0446add80440a0022a723.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.67:443 | tcp | |
| US | 52.182.143.208:443 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| US | 13.107.21.200:443 | tcp | |
| NL | 20.190.160.136:443 | tcp | |
| NL | 20.190.160.71:443 | tcp | |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
| US | 8.8.8.8:53 | maxibrainz.warzonedns.com | udp |
Files
memory/3444-130-0x0000000000030000-0x0000000000221000-memory.dmp
memory/3444-131-0x0000000000030000-0x0000000000221000-memory.dmp
memory/1796-132-0x0000000000000000-mapping.dmp
memory/1796-133-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3444-138-0x0000000000030000-0x0000000000221000-memory.dmp
memory/1796-139-0x00000000069B0000-0x0000000006A4C000-memory.dmp
memory/1796-140-0x0000000007000000-0x00000000075A4000-memory.dmp
memory/1796-141-0x0000000006C30000-0x0000000006CC2000-memory.dmp
memory/1796-142-0x0000000007620000-0x0000000007686000-memory.dmp
memory/1796-143-0x0000000007D10000-0x0000000007D1A000-memory.dmp