Analysis Overview
SHA256
2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257
Threat Level: Known bad
The file 2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Obfuscated with Agile.Net obfuscator
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-22 08:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-22 08:10
Reported
2022-06-22 08:13
Platform
win7-20220414-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Imminent RAT
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\winzip\\Services.exe" | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "\\winzip\\Services.exe" | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1224 set thread context of 968 | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe
"C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe"
C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe
"C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | solarintel.linkpc.net | udp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
Files
memory/1224-54-0x00000000010F0000-0x00000000011B8000-memory.dmp
memory/1224-55-0x0000000000300000-0x0000000000320000-memory.dmp
memory/968-56-0x0000000000400000-0x0000000000456000-memory.dmp
memory/968-57-0x0000000000451BFE-mapping.dmp
memory/968-59-0x0000000000400000-0x0000000000456000-memory.dmp
memory/968-61-0x0000000000400000-0x0000000000456000-memory.dmp
memory/968-62-0x0000000000380000-0x0000000000390000-memory.dmp
memory/968-63-0x0000000004890000-0x000000000493E000-memory.dmp
memory/968-64-0x0000000000500000-0x0000000000528000-memory.dmp
memory/968-65-0x0000000076531000-0x0000000076533000-memory.dmp
memory/968-66-0x0000000000690000-0x00000000006A6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-22 08:10
Reported
2022-06-22 08:13
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Imminent RAT
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\winzip\\Services.exe" | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "\\winzip\\Services.exe" | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 788 set thread context of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe
"C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe"
C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe
"C:\Users\Admin\AppData\Local\Temp\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 13.69.109.130:443 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| US | 8.8.8.8:53 | solarintel.linkpc.net | udp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| FR | 2.16.119.157:443 | tcp | |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| NL | 88.221.144.179:80 | tcp | |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
Files
memory/788-130-0x00000000002B0000-0x0000000000378000-memory.dmp
memory/788-131-0x0000000004CD0000-0x0000000004D6C000-memory.dmp
memory/788-132-0x00000000055E0000-0x0000000005B84000-memory.dmp
memory/788-133-0x0000000005120000-0x00000000051B2000-memory.dmp
memory/3888-134-0x0000000000000000-mapping.dmp
memory/3888-135-0x0000000000400000-0x0000000000456000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2e8d129e67feb877b782f5b86850221a92550542c909def363497f962c586257.exe.log
| MD5 | ee844796f619ac16a2c818f8d4efd88c |
| SHA1 | ce7e1cd02117d8f49c239daa46d340a93350894b |
| SHA256 | 09847785ef0dc53c0394ed47010cd3cac5cca271ad84f58264f1e244ee81c341 |
| SHA512 | b856874aafc68ebc9fbd8755876f53d7f4a2ea1c41322e5d1ef1e83b54b053606e3571bb434d711a6cf150b444dbf303441930e00340ea41e8e3f98fe3df77c7 |
memory/3888-137-0x00000000073F0000-0x0000000007456000-memory.dmp
memory/3888-138-0x0000000007CA0000-0x0000000007CAA000-memory.dmp