Analysis Overview
SHA256
39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81
Threat Level: Known bad
The file 39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Suspicious use of SetThreadContext
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-25 09:00
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 09:00
Reported
2022-06-25 10:47
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
104s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 444 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 444 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 444 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe
"C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| NL | 178.79.208.1:80 | | tcp |
| US | 52.182.143.208:443 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
Files
memory/444-130-0x00000000749E0000-0x0000000074F91000-memory.dmp
memory/4872-131-0x0000000000000000-mapping.dmp
memory/444-132-0x00000000749E0000-0x0000000074F91000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 09:00
Reported
2022-06-25 10:47
Platform
win7-20220414-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Imminent RAT
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1932 set thread context of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe
"C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
| US | 191.101.22.148:9003 | | tcp |
Files
memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
memory/1576-55-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1576-56-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1576-58-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1576-61-0x0000000000451BCE-mapping.dmp
memory/1576-59-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1576-60-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1576-63-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1576-65-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1932-67-0x00000000740E0000-0x000000007468B000-memory.dmp
memory/1576-68-0x0000000074060000-0x000000007460B000-memory.dmp
memory/1576-69-0x0000000074060000-0x000000007460B000-memory.dmp
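Hunting note (added example, not part of the sandbox report). The behavioral1 run above shows the sample (PID 1932) spawning the legitimate .NET utility RegAsm.exe (PID 1576), writing into it and calling SetThreadContext on it, after which RegAsm.exe repeatedly connects to 191.101.22.148:9003. Writing a payload into a freshly spawned legitimate child and redirecting its thread is the process-hollowing (RunPE) pattern, so a hunt for this family in endpoint telemetry keys on three observations: RegAsm.exe whose parent lives in a user Temp directory, a Temp-resident process opening RegAsm.exe with write access, and RegAsm.exe talking to the network at all. The code below is the editor's illustration, not the sandbox vendor's or the malware author's; the event records are constructed in a Sysmon-like shape (EventID 1 process create, 10 process access, 3 network connect), the field names and the benign "devenv.exe" control case are assumptions, and the RegAsm match is generalised from the v2.0.50727 path in the report to any copy of RegAsm.exe.

```python
"""Hunt for the RegAsm.exe hollowing and C2 pattern recorded in this report.

Added example. Event dicts below are CONSTRUCTED in Sysmon-like shape;
field names are assumptions, only the paths, PIDs and the C2 endpoint
come from the report.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report's behavioral1 run.
C2_ENDPOINTS = {("191.101.22.148", 9003)}
# Generalised from the v2.0.50727 path in the report: any RegAsm.exe copy
# (Framework64 and v4.0 builds are equally usable as hollowing hosts).
HOLLOW_HOST = "regasm.exe"
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# PROCESS_VM_WRITE (0x0020) | PROCESS_VM_OPERATION (0x0008): the handle
# rights WriteProcessMemory needs on the target. 0x1FFFFF (PROCESS_ALL_ACCESS)
# includes both.
PROCESS_VM_WRITE_RIGHTS = 0x0028


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Run the rules over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        if ev["id"] == 1 and basename(ev["image"]) == HOLLOW_HOST \
                and TEMP_DIR_RE.search(ev["parent_image"]):
            findings.append(Finding("high", "regasm_spawned_from_temp", ev["pid"],
                                    f"parent {ev['parent_image']} (pid {ev['parent_pid']})"))
        elif ev["id"] == 10 and basename(ev["target_image"]) == HOLLOW_HOST \
                and TEMP_DIR_RE.search(ev["source_image"]) \
                and ev["granted_access"] & PROCESS_VM_WRITE_RIGHTS:
            findings.append(Finding("high", "temp_process_writes_regasm", ev["source_pid"],
                                    f"opened pid {ev['target_pid']} with 0x{ev['granted_access']:x}"))
        elif ev["id"] == 3:
            dst = (ev["dest_ip"], ev["dest_port"])
            if dst in C2_ENDPOINTS:
                findings.append(Finding("critical", "known_c2_endpoint", ev["pid"],
                                        f"{basename(ev['image'])} -> {dst[0]}:{dst[1]}"))
            elif basename(ev["image"]) == HOLLOW_HOST:
                # RegAsm.exe registers assemblies; it has no reason to open sockets.
                findings.append(Finding("medium", "regasm_network_activity", ev["pid"],
                                        f"-> {dst[0]}:{dst[1]}"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\39a8e99be721b0cf5e73c955f8ae71ed0f8695be2f56c46e0f33c6ffca9d3e81.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
# Constructed benign parent for the control case (not in the report).
DEVENV = r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"

# Constructed telemetry modelled on the behavioral1 (win7) run.
EVENTS = [
    {"id": 1, "pid": 1932, "image": SAMPLE, "parent_pid": 1400,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1576, "image": REGASM, "parent_pid": 1932, "parent_image": SAMPLE},
    {"id": 10, "source_pid": 1932, "source_image": SAMPLE,
     "target_pid": 1576, "target_image": REGASM, "granted_access": 0x1FFFFF},
    {"id": 3, "pid": 1576, "image": REGASM, "dest_ip": "191.101.22.148", "dest_port": 9003},
    # Constructed: hollowed RegAsm.exe reaching an address not on the IOC list.
    {"id": 3, "pid": 1576, "image": REGASM, "dest_ip": "203.0.113.7", "dest_port": 443},
    # Benign control: a developer build registers a COM assembly; no Temp parent,
    # only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) on the child, no network.
    {"id": 1, "pid": 5000, "image": REGASM, "parent_pid": 4800, "parent_image": DEVENV},
    {"id": 10, "source_pid": 4800, "source_image": DEVENV,
     "target_pid": 5000, "target_image": REGASM, "granted_access": 0x1000},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.pid} {f.detail}")
```

The benign control case produces no findings: RegAsm.exe launched by a build tool with a query-only handle is normal developer activity, and the rules deliberately require the Temp-directory parent or write access before alerting, so that they do not fire on every assembly registration on a developer workstation.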