Analysis Overview
SHA256
270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba
Threat Level: Known bad
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Observed chain (both detonations): the dropper runs from the user's Temp directory, has csc.exe compile a C# source to a helper DLL at runtime (the .NET CodeDom pattern: <name>.0.cs, <name>.cmdline and <name>.dll in a random Temp subfolder), injects into a RegAsm.exe from the .NET 2.0 framework directory that was launched with no arguments by setting its thread context (process hollowing; WriteProcessMemory is flagged as well), persists with an svchost.url shortcut in the user's Startup folder, and the sandbox then records repeated TCP connections to 151.80.8.17:1714, consistent with RAT command-and-control traffic.
Analysis: static1
Detonation Overview
Reported
2022-06-16 06:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 06:26
Reported
2022-06-16 07:55
Platform
win7-20220414-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1672 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Note: the sample (PID 1672) rewrote the thread context of a RegAsm.exe instance (PID 1060) that was launched with no arguments. Together with the WriteProcessMemory signature and the 0x00400000-0x00456000 image later dumped from PID 1060, this is the process-hollowing sequence (create suspended, write image, SetThreadContext to the new entry point, resume); a bare RegAsm.exe whose thread context is set by a Temp-resident parent is the detection point.
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 (raw LUID; 33 is SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | "C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6CE.tmp" "c:\Users\Admin\AppData\Local\Temp\gsyaih2n\CSC1FD0533EB005447F8D6E83A32BE1B089.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
Note: WmiApSrv.exe is the WMI Performance Adapter service, which Windows starts on demand; it appears in both runs and is ordinary background activity, not part of the sample's chain.
Network
| Country | Destination | Domain | Proto |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
Files
Dropped files and memory regions captured during the detonation. Memory dumps are named memory/<pid>-<sequence>-<range>-memory.dmp; PID 1672 is the sample and PID 1060 the RegAsm.exe whose thread context it set. The 0x00400000-0x00456000 region dumped repeatedly from PID 1060 is the image written into the hollowed RegAsm.exe. The gsyaih2n\ artefacts are the runtime C# build (source, response file, cvtres resource, PDB and the resulting gsyaih2n.dll); the source file gsyaih2n.0.cs carries the same hashes in both detonations (MD5 2ce6b0712b18eade5ac3a9fd3cdced80), so it is embedded in the sample rather than generated per run and is a usable pivot.
memory/1672-54-0x0000000000180000-0x00000000001EA000-memory.dmp
memory/1036-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.cmdline
| MD5 | c460a3516d238357137b8d48ab65c12b |
| SHA1 | 32a92b68812bea66243ed7aa492ad2dc6cbd4d8e |
| SHA256 | 657ae81381a2f27b24ab0ea7b1c1802056bb94ead408bcdd251802c98de0ba7f |
| SHA512 | 8574292ac479a8159aa93f4f81b0095d67479bff5eb1379f698ea4fe4786944a5d135baef69ec1877d68df40d317371715ef7dd2f67b0a51bb08a70ae0c0cb52 |
\??\c:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.0.cs
| MD5 | 2ce6b0712b18eade5ac3a9fd3cdced80 |
| SHA1 | 89762aafc9d4de9cc19138daa335ccd3a3f10fa8 |
| SHA256 | 3dab14b8f11229fb2726bbb02500fbbe37326b97a4865e333f349178924a7c8c |
| SHA512 | 35cb4d1c478871c1868f5438ed8ea0a0df2838e81e3e0161d4d21677aa48f9b98de0a7b6143b552ee920990495b5f10d74c33afce8db98de8241156d6a975ba4 |
memory/1828-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\gsyaih2n\CSC1FD0533EB005447F8D6E83A32BE1B089.TMP
| MD5 | c77817f595493681a1c11ed7b0d103aa |
| SHA1 | 1cee93c4d5dd7666491109a8e2d9a87f9b373d9b |
| SHA256 | b042b26cd8e61a4e05b151391b4147662490705c8220eb4554c42cc76ae70d07 |
| SHA512 | 26e34a0c84b26c6ee210dc8301ccbf0f1d2f6558e33ce522bb8ab570009c64c6c1cf53a485bd8729608a9066c306a5a26a717078c6257862e65dd177abb15f1f |
C:\Users\Admin\AppData\Local\Temp\RESF6CE.tmp
| MD5 | ee21c6595b15fc5840e258b768badade |
| SHA1 | f2dd04f2f05e350adee38040c17e64daa0f40cad |
| SHA256 | c5ca0ed99d42e4f008fefdc2509948a4ac011b5ada7ac048a8ee94b51fe6df38 |
| SHA512 | 4ff5fadd2d2d035544391b919de770ac2dd1cc9672227bb02d06bed8032117e5048925ee03a7b6c4dbc11e04da6765560e41145ae0115a6b7e8ab4fe264a8130 |
C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.pdb
| MD5 | 3185869f58e72cf0c523331d649d73b4 |
| SHA1 | 334a533bc4ab327f65476ac04580e70ecfe72ec1 |
| SHA256 | 444c335d9dd2d1acc212f4a81d6d476ffe1901840fb83adc58e5cfa4558d5287 |
| SHA512 | b63e1421c603ff2641868f16d8e2eec0c14b595d8980d2620d7bee96d73433f6f66ca12f80265219f6c6205025a6a453fb9461f833b3a2d19bcefc7b062da629 |
C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.dll
| MD5 | dbc225d2b404853907e3af80b9e8e6ca |
| SHA1 | f8eb069c6967b9f75cf132c5eeece29b73d1c3d3 |
| SHA256 | 5e4369e377852e88420b9b6e605e2ee77e79ccd3fd78fe854c604d7e585e3efa |
| SHA512 | 54741c0228ebfbc433d304e9e21af696625a438050afc9a2523f1e16045b1a637ff037b5ad58cc9120e00584db936668750e258401a46097a1b2d1c2b95d73cb |
memory/1672-63-0x0000000000350000-0x0000000000358000-memory.dmp
memory/1672-64-0x0000000004550000-0x00000000045B0000-memory.dmp
memory/1672-65-0x00000000003B0000-0x00000000003BC000-memory.dmp
memory/1672-66-0x0000000004F40000-0x0000000004F96000-memory.dmp
memory/1060-67-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1060-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1060-70-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1060-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1060-75-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1060-73-0x0000000000451A0E-mapping.dmp
memory/1060-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1060-77-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1060-78-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
memory/1060-79-0x0000000074600000-0x0000000074BAB000-memory.dmp
memory/1060-80-0x0000000074600000-0x0000000074BAB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 06:26
Reported
2022-06-16 07:55
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Note: C:\Windows\assembly\Desktop.ini is the GAC shell-folder descriptor that the .NET Framework runtime itself commonly writes when the assembly cache is first accessed; it shows up here because the payload is running inside RegAsm.exe, was not recorded in the Windows 7 run, and is a weak indicator on its own.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 688 set thread context of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Note: same hollowing step as on Windows 7, with the sample (PID 688) setting the thread context of a RegAsm.exe launched with no arguments (PID 3368); the 0x00400000-0x00456000 image dumped from PID 3368 below is the injected payload.
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 (raw LUID; 33 is SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe | "C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqtuvtq0\pqtuvtq0.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8949.tmp" "c:\Users\Admin\AppData\Local\Temp\pqtuvtq0\CSC3A0C157381EE4FAF8A4433F6F519FDE.TMP" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
Note: WmiApSrv.exe is the WMI Performance Adapter service, started on demand by Windows; it is background activity, not part of the sample's chain.
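The host-side chain is the same in both detonations (behavioral1 and behavioral2): a Temp-resident dropper, a CodeDom compile through csc.exe, a bare RegAsm.exe whose thread context is set, SeDebugPrivilege, and an svchost.url in the Startup folder. The script below is an added example of correlating those signals from sandbox-style event records; it is not part of this report or of the sandbox vendor's tooling. The EVENTS list is constructed by hand from the indicators above (paths, PIDs 1672/1036/1060, the privilege); the parent PIDs and the record schema (kind, pid, ppid, image, cmdline, path, target_pid, privilege) are assumptions of this script, not the sandbox's export format.

```python
"""Correlate sandbox-style host events into the behaviour chain seen in this report.

Added example; EVENTS is constructed from the report's indicators, the record schema
and the parent PIDs are assumptions of this script.
"""
import re

# Signed .NET utilities that commodity RATs hollow: a launch with no arguments is
# otherwise almost never seen for these binaries.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}
AUTOSTART_EXT = (".url", ".lnk", ".exe", ".vbs", ".js", ".bat", ".cmd", ".hta")

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# csc.exe driven through a response file: the shape CodeDom/CSharpCodeProvider produces.
CODEDOM = re.compile(r'csc\.exe"?\s+/noconfig\s+/fullpaths\s+@"?(?P<rsp>[^"\s]+)', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\270297e70e4cba0ce4fff361f6913efefe5ad6f114ba7b7d5044847807e036ba.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
RSP = r"C:\Users\Admin\AppData\Local\Temp\gsyaih2n\gsyaih2n.cmdline"
RSP_BENIGN = r"C:\Users\Admin\AppData\Local\Temp\abc\abc.cmdline"   # constructed
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [  # constructed from the report; parent PIDs 1000/900 are placeholders
    {"kind": "process", "pid": 1672, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "process", "pid": 1036, "ppid": 1672, "image": CSC,
     "cmdline": f'"{CSC}" /noconfig /fullpaths @"{RSP}"'},
    {"kind": "process", "pid": 1060, "ppid": 1672, "image": REGASM, "cmdline": f'"{REGASM}"'},
    {"kind": "file_create", "pid": 1672,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url"},
    {"kind": "adjust_privilege", "pid": 1672, "privilege": "SeDebugPrivilege"},
    {"kind": "set_thread_context", "pid": 1672, "target_pid": 1060},
    # Benign control: PowerShell Add-Type also drives csc.exe through a Temp response
    # file, but its parent does not itself run out of the user's Temp directory.
    {"kind": "process", "pid": 2100, "ppid": 900, "image": POWERSHELL, "cmdline": "powershell.exe"},
    {"kind": "process", "pid": 2200, "ppid": 2100, "image": CSC,
     "cmdline": f'"{CSC}" /noconfig /fullpaths @"{RSP_BENIGN}"'},
]


def processes(events):
    """pid -> process record."""
    return {e["pid"]: e for e in events if e["kind"] == "process"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def launched_bare(proc):
    """True when the command line is nothing but the (optionally quoted) image path."""
    return proc["cmdline"].strip().strip('"').lower() == proc["image"].lower()


def startup_persistence(events, procs):
    """Autostart-capable file written into a Startup folder by a Temp-resident process."""
    hits = []
    for e in events:
        if e["kind"] != "file_create" or not STARTUP_DIR.search(e["path"]):
            continue
        if not e["path"].lower().endswith(AUTOSTART_EXT):
            continue
        writer = procs.get(e["pid"])
        if writer and USER_TEMP.match(writer["image"]):
            hits.append((e["pid"], e["path"]))
    return hits


def runtime_compile(procs):
    """csc.exe fed a response file under Temp by a parent that itself runs from Temp."""
    hits = []
    for p in procs.values():
        m = CODEDOM.search(p["cmdline"])
        parent = procs.get(p["ppid"])
        if m and USER_TEMP.match(m.group("rsp")) and parent and USER_TEMP.match(parent["image"]):
            hits.append((p["pid"], m.group("rsp")))
    return hits


def hollowing(events, procs):
    """SetThreadContext from a Temp-resident process into a bare-launched .NET host it spawned."""
    hits = []
    for e in events:
        if e["kind"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
        if not src or not dst:
            continue
        if (basename(dst["image"]) in DOTNET_HOSTS and launched_bare(dst)
                and dst["ppid"] == src["pid"] and USER_TEMP.match(src["image"])):
            hits.append((src["pid"], dst["pid"], basename(dst["image"])))
    return hits


def debug_privilege(events):
    return sorted(e["pid"] for e in events
                  if e["kind"] == "adjust_privilege" and e["privilege"] == "SeDebugPrivilege")


def assess(events):
    procs = processes(events)
    findings = {
        "startup_persistence": startup_persistence(events, procs),
        "runtime_compile": runtime_compile(procs),
        "hollowing": hollowing(events, procs),
        "sedebug": debug_privilege(events),
    }
    # Hollowing alone is high confidence; the rest tells you which process to contain.
    if findings["hollowing"]:
        findings["verdict"] = "malicious"
    elif findings["startup_persistence"] or findings["runtime_compile"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    for key, value in assess(EVENTS).items():
        print(f"{key}: {value}")
```

The compile check deliberately requires both the response file and the parent to live under Temp: PowerShell's Add-Type and other legitimate CodeDom users produce the identical csc.exe command line, so the response-file path alone would be a noisy rule. The hollowing check keys on the target being a well-known .NET host started with an empty command line by the same process that then sets its thread context, which is exactly what the SetThreadContext rows above record.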
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| FR | 151.80.8.17:1714 | | tcp |
| GB | 92.123.140.25:80 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
Note: 151.80.8.17:1714 is the only destination seen in both detonations. The single HTTP/HTTPS connections and the PTR lookup for 52.152.108.96 have no counterpart in the Windows 7 run and are most plausibly background traffic from the Windows 10 image; treat them as unconfirmed rather than as indicators of this sample.
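Both Network tables (behavioral1 and behavioral2) show the same pattern: one socket contacted over and over on a non-standard port, plus, on Windows 10 only, a handful of single hits on 80/443/53. The script below is an added example of turning such tables into a ranked C2 list and cross-checking two detonations; it is not part of this report or of the sandbox's tooling. RUN_WIN7 and RUN_WIN10 are abridged hand copies of the two tables above in the corrected column order (the 151.80.8.17 rows are cut from 24 and 32 down to six), so the MIN_HITS threshold is tuned to the abridged data and is an assumption.

```python
"""Rank a sandbox Network table into C2 candidates and cross-check two detonations.

Added example; RUN_WIN7 and RUN_WIN10 are abridged copies of this report's tables,
MIN_HITS is an assumption for the abridged row counts.
"""
from collections import Counter

RUN_WIN7 = """\
| Country | Destination | Domain | Proto |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
"""

RUN_WIN10 = """\
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| GB | 92.123.140.25:80 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
"""

MIN_HITS = 5                   # repeated connections to one socket = beaconing
NOISE_PORTS = {53, 80, 443}    # a single hit here is indistinguishable from OS background traffic


def parse_rows(table):
    """Return (country, dest, domain, proto) tuples from pipe-delimited rows, skipping the header."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(tuple(cells))
    return rows


def tally(rows, proto="tcp"):
    """Connection count per destination socket for one protocol."""
    return Counter(dest for _, dest, _, p in rows if p == proto)


def c2_candidates(counts, min_hits=MIN_HITS):
    """Destinations that beacon (>= min_hits) or sit on a non-standard port, most-contacted first."""
    out = []
    for dest, n in counts.most_common():
        port = int(dest.rsplit(":", 1)[1])
        if n >= min_hits or port not in NOISE_PORTS:
            out.append((dest, n))
    return out


def common_destinations(*runs):
    """Sockets contacted in every detonation: sample-driven rather than image noise."""
    return set.intersection(*(set(tally(parse_rows(r))) for r in runs))


def report(*runs):
    """Per-run candidate lists plus the block list: candidates that recur across runs."""
    common = common_destinations(*runs)
    ranked = [c2_candidates(tally(parse_rows(r))) for r in runs]
    block = sorted({dest for cands in ranked for dest, _ in cands if dest in common})
    return {"candidates_per_run": ranked, "common": common, "block": block}


if __name__ == "__main__":
    result = report(RUN_WIN7, RUN_WIN10)
    for i, cands in enumerate(result["candidates_per_run"], 1):
        print(f"run {i}: {cands}")
    print("block:", result["block"])
```

The two filters work against each other on purpose: a single hit on 4444 is still surfaced because the port is unusual, while a single hit on 443 is dropped because Windows 10 images generate those constantly. Requiring a candidate to recur across detonations on different OS images is the cheapest way to separate the sample's traffic from the sandbox's own.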
Files
Dropped files and memory regions captured during the detonation. PID 688 is the sample and PID 3368 the RegAsm.exe whose thread context it set; the 0x00400000-0x00456000 region dumped from PID 3368 is the image written into the hollowed process. The pqtuvtq0\ artefacts are the runtime C# build; pqtuvtq0.0.cs has the same hashes as gsyaih2n.0.cs from the Windows 7 run (MD5 2ce6b0712b18eade5ac3a9fd3cdced80), while the compiled DLL, PDB and resource files differ per run, so the source hash, not the DLL hash, is the stable pivot.
memory/688-130-0x0000000000430000-0x000000000049A000-memory.dmp
memory/1892-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\pqtuvtq0\pqtuvtq0.cmdline
| MD5 | 343ee00816dc92e16486124dbe56c2b2 |
| SHA1 | 8ee2538aec454029bfb665e17fcfc9aebd453246 |
| SHA256 | 444443e53e8e5fe0292b99d8872106113f0040ae1445b5874d17719f121e3a84 |
| SHA512 | 1893e1e83921506661d6ff6bc03754e5c5bc26b317186434c139d78c9f65bf0060a2f9f8a58b8f8db798dcf0bc2d9d08115768eff3ef687b089878ff7e7570cd |
\??\c:\Users\Admin\AppData\Local\Temp\pqtuvtq0\pqtuvtq0.0.cs
| MD5 | 2ce6b0712b18eade5ac3a9fd3cdced80 |
| SHA1 | 89762aafc9d4de9cc19138daa335ccd3a3f10fa8 |
| SHA256 | 3dab14b8f11229fb2726bbb02500fbbe37326b97a4865e333f349178924a7c8c |
| SHA512 | 35cb4d1c478871c1868f5438ed8ea0a0df2838e81e3e0161d4d21677aa48f9b98de0a7b6143b552ee920990495b5f10d74c33afce8db98de8241156d6a975ba4 |
memory/2756-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\pqtuvtq0\CSC3A0C157381EE4FAF8A4433F6F519FDE.TMP
| MD5 | a8513a2d93cd452a792bf879707166c4 |
| SHA1 | ad3f93d75c7a28fc222f2ea50cb21e7dcaefd9a9 |
| SHA256 | 67686b7939fe30ecda749ca360328dc48a9f0e32eff17a175fd6d2279af4d662 |
| SHA512 | 581ad4b98357dbef0ae3523e6d28b651642cdd214382049c5623a7708c692490c03e059a972fd9381419232e3c77cc4b5a7f7b9c249958288ff664bf5963bcb3 |
C:\Users\Admin\AppData\Local\Temp\RES8949.tmp
| MD5 | 53e7c0eaa7fea5a336c3cf9324a9d8a6 |
| SHA1 | 3589d359be17bed7d611e57931f8d8be59b7429f |
| SHA256 | a348fd42ea495c9eab27eceaf63c57f24b7a89fd8d37a1d23cb7e80c0fa3362f |
| SHA512 | 15b56944dbe73b998765a13f09bc10a059d32c53351ed9d38a79bfa6a2ee5e65f1dcf2268e344c38e119d72ba6308909f16dacdb3896745d6ba39d2c177b806d |
C:\Users\Admin\AppData\Local\Temp\pqtuvtq0\pqtuvtq0.dll
| MD5 | e8129f39412037a1d1fc40b470c31c62 |
| SHA1 | 74adf806e6bfa8993865ac9fecce8eb4a6dff9c9 |
| SHA256 | 64b5d1c1caeacb23534ba1d47ea5fd20e6cff1b2766126bbb5adf3ae7248df39 |
| SHA512 | 10648266b621b34be40f50925e8c873d3a7f8d05df2500b9e761408429eee2f48c6b0a24a9c44be5ddf5a9bf9765b366abee69fb436bc57ef05b1a344a7b0123 |
C:\Users\Admin\AppData\Local\Temp\pqtuvtq0\pqtuvtq0.pdb
| MD5 | a8033afafc59c56fe4ef2417b2f01783 |
| SHA1 | 6978329b69d4185e0134f4d79274e51569e1f5ad |
| SHA256 | 7444e5116be7ff423dce90d3573dfbde903180b73bd3aabbfa9ceabd713c0844 |
| SHA512 | e401e958c1d088fdeafd4605cfe733f8128866e6526d47524266b5005afeb34d95bdc9aaf34c1a478e66c6be78ccd845e0f8cb04e9942b5c871d74ac22e3a9a4 |
memory/688-139-0x0000000004DA0000-0x0000000004E32000-memory.dmp
memory/688-140-0x00000000053A0000-0x000000000543C000-memory.dmp
memory/3368-141-0x0000000000000000-mapping.dmp
memory/3368-142-0x0000000000400000-0x0000000000456000-memory.dmp
memory/3368-143-0x0000000075500000-0x0000000075AB1000-memory.dmp
memory/3368-144-0x0000000075500000-0x0000000075AB1000-memory.dmp