Analysis Overview
SHA256
2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d
Threat Level: Known bad
The file 2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2022-06-22 13:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-22 13:42
Reported
2022-06-22 14:59
Platform
win7-20220414-en
Max time kernel
172s
Max time network
82s
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xKbNsQ.url | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1928 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe
"C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0B1.tmp" "c:\Users\Admin\AppData\Local\Temp\cya2eudo\CSC404ED137746641D9915847C364134152.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.cmdline
| MD5 | 4fda3185044ecda2bd9c252c041020fa |
| SHA1 | f145dd37007d49f121cf1362fe629cff14e05cc0 |
| SHA256 | dd114f06dfb2289e743b4343a09fa8b88dd881e0ad59d96e12cf97f55d464f38 |
| SHA512 | 6fc414f1adfa16811cca6522658907f583af45847846b9b2afa8bcc1e14ff7a2cf008e2f881d7e289f43076b3c2ddc7eed38fe7f9464dd3571660e14eee428f1 |
\??\c:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.0.cs
| MD5 | f76e24b577ae3ca4ef100472dee389a2 |
| SHA1 | 5c340ef70538d5c6806e2922a03dc5ee8498f0a6 |
| SHA256 | 5631be274722ef2bd02138122f9037e4f1d47f91f2e09bcba3f4587e4d46e378 |
| SHA512 | e73185008beb0dcce849615cf127575a05aece9cd904adfbb08baca5eb6f4c2037e5b24aa1cef8e0e82b4e0313f3de960515a6dc9c019cdc5fd809508efea7f6 |
C:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.dll
| MD5 | 4f0e59c96f9d2e425856b97f5d2a50a6 |
| SHA1 | b94bae30b46d8ce96d99bede98da5bcd19f5271a |
| SHA256 | 91d99cf33a6a2777b82f4d30e8f4f7a45431c6a5ab0707e9d8b91fa94de0d23e |
| SHA512 | 3f59507a568bc72af5b7211385996017493b2250d550dfec45f2a027a783fd1546f5352f33d1d5ae1e4ae31c1685f41e6c38a063cb98e3d34f67982a89b61065 |
C:\Users\Admin\AppData\Local\Temp\cya2eudo\cya2eudo.pdb
| MD5 | 34d04d0b62114b754cc220468c34f567 |
| SHA1 | 7b255222c002d931889789892d6f3c16c4350be9 |
| SHA256 | 829e2fdcccd5314bf631bfac52dfc6d68591da57f545e2918d16c4545d455efd |
| SHA512 | 3e7cb9b6a50a86c0d427ebf22fc5f7f11becb1870a0fab0b1c54d6b0d10f2a15ebf80da877b1a84c71009d819a580f36b7e2eeb33400999f6d37c9772292bcca |
C:\Users\Admin\AppData\Local\Temp\RESC0B1.tmp
| MD5 | e46a5c02d80e01aeb577f1dd8691fd9f |
| SHA1 | 6919a11f0eb06d99654004998eb1035d31cc5395 |
| SHA256 | 0947bbdb2c144d74ccef8a8f31b05c6af3b3dd6ac69e2480a9afec5ff65d2857 |
| SHA512 | ce30044e3a2a9921dce3739e68b6b8cce13ad767dcac7cf60d967a673030278fceeac9a58cd343eb32835b4dc23c1ec524d920cb42c69886eac15f3070e0569a |
\??\c:\Users\Admin\AppData\Local\Temp\cya2eudo\CSC404ED137746641D9915847C364134152.TMP
| MD5 | ad095ddb24bbfa1c730f343bf6e38580 |
| SHA1 | 52ff1f420103eaf6b8b3ed944d59f64c67d82e5b |
| SHA256 | 53ab93098c10428c6fac89949a86e683d97fe576c2fb04febb8f7c0f56870f9e |
| SHA512 | 29adb0f7c2538e4bc54827f9f430ce5719cec4c07076bce316e035e84db4144d1b1989fca3471e13441e7c1e859ad4811d062191b0be03c0ef9de91ce9cd88b7 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-22 13:42
Reported
2022-06-22 14:59
Platform
win10v2004-20220414-en
Max time kernel
172s
Max time network
184s
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xKbNsQ.url | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 448 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe
"C:\Users\Admin\AppData\Local\Temp\2dc8b0eba2bbe22278b3c75aa52a3a1ae29453ffd2ae76db70950cb8ddf1a65d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5BC.tmp" "c:\Users\Admin\AppData\Local\Temp\rgujhwtu\CSC1FF1BC66F9D44AD7955C692FBC9D867.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.189.173.2:443 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| US | 13.107.21.200:443 | N/A | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.cmdline
| MD5 | b779bea2df27c24fae487044a03f345d |
| SHA1 | 809b19fb99e183a38ad63117981a12dabcabb06c |
| SHA256 | 0b0ee49dffe0415a51ea6b6d552732c15656f2f91202d6c7e629c230654b1b57 |
| SHA512 | 46fc3ed5df841cb314b8070f9ee4742d0e57d9680f2bb7e975ec96e0d819230b6c83af2e56dadaca4c337d57b08e2696376cc962c29aa9dcced5cab7032bb90d |
\??\c:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.0.cs
| MD5 | f76e24b577ae3ca4ef100472dee389a2 |
| SHA1 | 5c340ef70538d5c6806e2922a03dc5ee8498f0a6 |
| SHA256 | 5631be274722ef2bd02138122f9037e4f1d47f91f2e09bcba3f4587e4d46e378 |
| SHA512 | e73185008beb0dcce849615cf127575a05aece9cd904adfbb08baca5eb6f4c2037e5b24aa1cef8e0e82b4e0313f3de960515a6dc9c019cdc5fd809508efea7f6 |
\??\c:\Users\Admin\AppData\Local\Temp\rgujhwtu\CSC1FF1BC66F9D44AD7955C692FBC9D867.TMP
| MD5 | 87160649f58a0b6bc0718f8e3cf40385 |
| SHA1 | e1197d1d40605575af04859e8b5005ef3f6f98cc |
| SHA256 | c25cc53d0ccdb7f479d21683665c96a088c3b789c54a817fb12e5f33fbbf49d6 |
| SHA512 | 32c8bf97e59837c2e35d8ab6311c372ae4b921a2bb122fe5d3fb8dd795a6f83cb5b43d027c4649b0939a34e5b36dd8c3001fd47905f597bbcacc9a1fb8348a60 |
C:\Users\Admin\AppData\Local\Temp\RESE5BC.tmp
| MD5 | 943fdd833790a8424d4fac25d15bca69 |
| SHA1 | 9b86bfc266f0bea01550af0713fbd32f352207be |
| SHA256 | 31bf84d4af34c0bb4b31370a5ca5b7d6f8da74b85e7d5be411d569da2b61a2f0 |
| SHA512 | 8f7e59e6ddaedf980876d539e70f365cc707082faf0273f660727d3192340c0efc00aaba04921b414b9e03986dcfa7e870499178b6366d67d0f3f0f54be14b80 |
C:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.dll
| MD5 | 2350394e075b741310d87b0f12892836 |
| SHA1 | b515ab3f6cb3ba9e0e00373f297300546516ca48 |
| SHA256 | 0efaa74e6b6af3a5711db449b99d9c9f95deb93cf0f7605bf8df5dd223997618 |
| SHA512 | eba15b04047693cd8e3c8428469497482ecd1f31b032c902b120bcc60f9d3f996e0a7fbe83eb6e06b3be579138b8c1246c0be5067187718f01cf935deed3dd47 |
C:\Users\Admin\AppData\Local\Temp\rgujhwtu\rgujhwtu.pdb
| MD5 | 91104216422c851a001e0db88074918b |
| SHA1 | edeaba80667fcd335290f5737c64c1a32654349a |
| SHA256 | 39bc85e4bf9c30a822a5062cb720cd66866f7530a4d8622310786a344d14d78d |
| SHA512 | 92b58fe31d694a83c2b852583696f104da3b6224e4732b3480542ca59882366fffdd20142723ebda734f049927496c18e1fb261fa2471395ca5569561dd86684 |