Analysis Overview
SHA256
450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6
Threat Level: Known bad
The file 450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-07 17:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-07 17:21
Reported
2022-07-07 17:48
Platform
win7-20220414-en
Max time kernel
150s
Max time network
49s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskbars.url | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Roaming\\test\\test.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1684 set thread context of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe
"C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1xxjoxh\q1xxjoxh.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1008.tmp" "c:\Users\Admin\AppData\Local\Temp\q1xxjoxh\CSC7B58E4C29DC94A0B9D4414596C95D252.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-07 17:21
Reported
2022-07-07 17:49
Platform
win10v2004-20220414-en
Max time kernel
170s
Max time network
174s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskbars.url | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "\\test\\test.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Roaming\\test\\test.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4156 set thread context of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe
"C:\Users\Admin\AppData\Local\Temp\450a15a04793f3af2dcc88790e3c384b784397ebdeeeb75e4ab1f696f8d54db6.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xsbyxdbf\xsbyxdbf.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDED.tmp" "c:\Users\Admin\AppData\Local\Temp\xsbyxdbf\CSCBFFB7093E8C4438B34E803642621048.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.6:443 | | tcp |
Files