Malware Analysis Report

2024-11-30 15:59

Sample ID: 220625-wjgxdaecgq
Target: 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA256: 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
Tags: imminent spyware trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7

Threat Level: Known bad

The file 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-25 17:56

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-25 17:56

Reported: 2022-06-25 18:11

Platform: win7-20220414-en

Max time kernel: 152s

Max time network: 187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe"

Signatures

Imminent RAT

trojan spyware imminent

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1712 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | N/A
(the row above appears 64 times in the report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1712 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (row appears 9 times)
PID 1712 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | C:\Windows\SysWOW64\schtasks.exe (row appears 4 times)
PID 692 wrote to memory of 468 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe (row appears 4 times)
PID 692 wrote to memory of 1036 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe (row appears 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe

"C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 6874746268786F7677796467 /tr "C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe" /sc minute /mo 1 /F

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {CD778C71-0536-4D81-AFB6-A8113C340B86} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13344.duckdns.org | udp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 8.8.8.8:53 | 13344.duckdns.org | udp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp

Files

memory/1712-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

memory/1936-55-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1936-57-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1936-63-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1936-62-0x0000000000451D6E-mapping.dmp

memory/1936-64-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2028-66-0x0000000000000000-mapping.dmp

memory/1936-67-0x0000000074250000-0x00000000747FB000-memory.dmp

memory/1936-68-0x0000000074250000-0x00000000747FB000-memory.dmp

memory/468-70-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

MD5 b56c15d84914a2f6531fa7644f0843a4
SHA1 a293b6868a0b82621e94be1266d09c49f1ff7e0b
SHA256 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA512 0a97f8db4c61312def019c51605f330c027df1a100c09e16c668e5a3bc4bca82dfbf080e6509a284bebcdb1a6cfc20c7bd7315eb44a66af90bc7028c6f9137b7

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

MD5 b56c15d84914a2f6531fa7644f0843a4
SHA1 a293b6868a0b82621e94be1266d09c49f1ff7e0b
SHA256 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA512 0a97f8db4c61312def019c51605f330c027df1a100c09e16c668e5a3bc4bca82dfbf080e6509a284bebcdb1a6cfc20c7bd7315eb44a66af90bc7028c6f9137b7

memory/1036-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

MD5 b56c15d84914a2f6531fa7644f0843a4
SHA1 a293b6868a0b82621e94be1266d09c49f1ff7e0b
SHA256 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA512 0a97f8db4c61312def019c51605f330c027df1a100c09e16c668e5a3bc4bca82dfbf080e6509a284bebcdb1a6cfc20c7bd7315eb44a66af90bc7028c6f9137b7

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-25 17:56

Reported: 2022-06-25 18:10

Platform: win10v2004-20220414-en

Max time kernel: 152s

Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4264 set thread context of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | N/A
(the row above appears 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4264 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (row appears 5 times)
PID 4264 wrote to memory of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe | C:\Windows\SysWOW64\schtasks.exe (row appears 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe

"C:\Users\Admin\AppData\Local\Temp\391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 6874746268786F7677796467 /tr "C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe" /sc minute /mo 1 /F

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

Network

Country | Destination | Domain | Proto
NL | 178.79.208.1:80 |  | tcp
US | 8.8.8.8:53 | 13344.duckdns.org | udp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
NL | 104.110.191.133:80 |  | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 20.189.173.2:443 |  | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
NL | 178.79.208.1:80 |  | tcp
NL | 178.79.208.1:80 |  | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 8.8.8.8:53 | 13344.duckdns.org | udp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
NL | 104.110.191.140:80 |  | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 8.8.8.8:53 | 13344.duckdns.org | udp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp
NL | 104.110.191.165:80 |  | tcp
US | 192.169.69.26:3434 | 13344.duckdns.org | tcp

Files

memory/4608-134-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4608-133-0x0000000000000000-mapping.dmp

memory/4980-139-0x0000000000000000-mapping.dmp

memory/4608-140-0x00000000734B0000-0x0000000073A61000-memory.dmp

memory/4608-141-0x00000000734B0000-0x0000000073A61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

MD5 b56c15d84914a2f6531fa7644f0843a4
SHA1 a293b6868a0b82621e94be1266d09c49f1ff7e0b
SHA256 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA512 0a97f8db4c61312def019c51605f330c027df1a100c09e16c668e5a3bc4bca82dfbf080e6509a284bebcdb1a6cfc20c7bd7315eb44a66af90bc7028c6f9137b7

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

MD5 b56c15d84914a2f6531fa7644f0843a4
SHA1 a293b6868a0b82621e94be1266d09c49f1ff7e0b
SHA256 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA512 0a97f8db4c61312def019c51605f330c027df1a100c09e16c668e5a3bc4bca82dfbf080e6509a284bebcdb1a6cfc20c7bd7315eb44a66af90bc7028c6f9137b7

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

MD5 b56c15d84914a2f6531fa7644f0843a4
SHA1 a293b6868a0b82621e94be1266d09c49f1ff7e0b
SHA256 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA512 0a97f8db4c61312def019c51605f330c027df1a100c09e16c668e5a3bc4bca82dfbf080e6509a284bebcdb1a6cfc20c7bd7315eb44a66af90bc7028c6f9137b7

C:\Users\Admin\AppData\Local\Temp\hznmfkfyjpbc\iqjsjzvckmye.exe

MD5 b56c15d84914a2f6531fa7644f0843a4
SHA1 a293b6868a0b82621e94be1266d09c49f1ff7e0b
SHA256 391239c70724940871a1257de67bdd596f62457a0059395198dda22f6da542a7
SHA512 0a97f8db4c61312def019c51605f330c027df1a100c09e16c668e5a3bc4bca82dfbf080e6509a284bebcdb1a6cfc20c7bd7315eb44a66af90bc7028c6f9137b7