Analysis Overview
SHA256
3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b
Threat Level: Known bad
The file 3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Checks computer location settings
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-06-21 17:34
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2022-06-21 17:34
Reported: 2022-06-21 17:39
Platform: win10v2004-20220414-en
Max time kernel: 163s
Max time network: 166s
Command Line
Signatures
Imminent RAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 392 set thread context of 3544 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
"C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzXipsZcwgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87CD.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 20.189.173.11:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| BE | 8.238.110.126:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | deoffice2018.ddns.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp87CD.tmp
| Hash | Value |
|---|---|
| MD5 | fd6326c611061193c278fbdb5f9efa80 |
| SHA1 | 818c2e7be48d422683b7795e8f1c9b6d6b2ee591 |
| SHA256 | 3b8c26207c73de67d4d7f2b39618ec6fc02be9750290f5d581db08d276b05d2f |
| SHA512 | 0f11e1c883215fdd28e049a538df40c34dd258f12175553b12251dd05f44c0411cd91eb0d88d3572ace805fe12cc40ca4aa57ac371ac716326e233b67f7ab8a6 |
memory/3544-138-0x0000000000000000-mapping.dmp
memory/3544-139-0x0000000000400000-0x0000000000456000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\installutil.exe.log
| Hash | Value |
|---|---|
| MD5 | 7a4a84f4d2df1fe011638038702dad89 |
| SHA1 | 64e9856d95b2064ff51e1c77819c818e6e5b3291 |
| SHA256 | cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590 |
| SHA512 | cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d |
memory/392-141-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/3544-142-0x0000000074FE0000-0x0000000075591000-memory.dmp
memory/3544-143-0x0000000074FE0000-0x0000000075591000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted: 2022-06-21 17:34
Reported: 2022-06-21 17:40
Platform: win7-20220414-en
Max time kernel: 169s
Max time network: 116s
Command Line
Signatures
Imminent RAT
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 632 set thread context of 932 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\debug\WIA\SzXipsZcwgn.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| File opened for modification | C:\Windows\debug\WIA\SzXipsZcwgn.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe
"C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\3009ba30b32ee1b30b5c1ff5545da20237bacb418b74578ae6cfaffaa786522b.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzXipsZcwgn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AA4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | deoffice2018.ddns.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp8AA4.tmp
| Hash | Value |
|---|---|
| MD5 | a9338171b45140f38858428d30278082 |
| SHA1 | 1f33a6dbeb2cb60a1d47f116492e890ec366ca36 |
| SHA256 | 016876ac4eda3813361eb2808cabc5119cbfb93fb55766c064f24820f80456d3 |
| SHA512 | ea19b4b01d6b6d5fb2a162fc00521dfbd0585393f24117d3d361a38cc5e0c815a49b877d11624a65cc03f87522f7209d4544f0aab69fd22061bd9bafa6f54a4c |