Analysis Overview
SHA256
40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960
Threat Level: Known bad
The file 40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-08 08:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-08 08:02
Reported
2022-07-08 14:45
Platform
win7-20220414-en
Max time kernel
151s
Max time network
84s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNkTXF.url | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1708 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe
"C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8E4.tmp" "c:\Users\Admin\AppData\Local\Temp\fsxqjvni\CSCF43CB66A34C4D9C9827ED30FADABE8D.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
Files
memory/1708-54-0x0000000000820000-0x0000000000888000-memory.dmp
memory/1944-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.cmdline
| MD5 | 4e5ece883d7a401d2aeda43bfc3b54cf |
| SHA1 | 2ce66223a7c30ebdfaa119b72c1567ab87b48d3a |
| SHA256 | 192f57ed3da1f0e409af451c8a51b6985bbde23bf48ab28fb8dd671485e1c527 |
| SHA512 | 03d4a1374e6dba27f104d260485bcd71e135c58ca2dfcfaf398a56e881610f08ee2c7f545d9cec3cc3bc543cecc9dc211abc32737bbea99290ecd93b5b188ef7 |
\??\c:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.0.cs
| MD5 | e33624188c3ee62dcff268d6a4da727a |
| SHA1 | b4852044413774311dd91df1b3477b054ca18403 |
| SHA256 | ef0fb70ee3f15f43a0a8bbc4cdf8d0fccf944cb0f98287d03b163a18e591fd64 |
| SHA512 | 643b3ab3fdb29f61bfe53ccc68511af33cf624d4cc32b9db39fce39e990d299f36c9b27d35fa73bc39c4285605aec09c0a71432293b4dfcc5779a729f9d0dea2 |
memory/1988-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fsxqjvni\CSCF43CB66A34C4D9C9827ED30FADABE8D.TMP
| MD5 | ea22c22f879c0a7672d0f24938415299 |
| SHA1 | 9f0dcd36c04648885973e79af8af96f2b0a6cfbf |
| SHA256 | 527d1bfdd68a4533d586d3423095a7c7e657750ac65921ae6770fdbdec692174 |
| SHA512 | 67efe2d5f33885483195032df4713d7da7668c500bc52c63a8d211b977a5c1472a34a578fec89c09786106b2dd99ad484c541dbc7d87f6027415602e7cb5b5e0 |
C:\Users\Admin\AppData\Local\Temp\RESB8E4.tmp
| MD5 | ce1c4967ae1c5f6a94e620825bc33fd9 |
| SHA1 | 8da1b196dd05e12ff5fc8dd09a402943d54e1b15 |
| SHA256 | b141821eb39896f75d89b890778ec40421bfe71304a6856e781d6774657f8363 |
| SHA512 | 154edf07fec7194a3d7d9819391d05b4111e41e646bb8dc5a9cb53f48123e1f25b415d7d7fba6fa1c2677e1b140ceae4862f76976b7a523d53695d8d46900b53 |
C:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.pdb
| MD5 | c8f8328153415684b50aec382f3c2d44 |
| SHA1 | f125470d93db051d97a4ebbf98e29ecb64a5fa8e |
| SHA256 | a80ef6546f4a1c3ed9a74d2447d0df40eebed16a3ef6e41be0a158cd8d848099 |
| SHA512 | 7cc6af844dfb0d03b9d61ab79fe5c895f9d3aaea7b74e7895ad8c97d2e72118329c35724dd1b3854b16e9ff9d2fbc8c09254a1af2912c05ea1cc25960e6bf462 |
C:\Users\Admin\AppData\Local\Temp\fsxqjvni\fsxqjvni.dll
| MD5 | 61a22089f6df03381dd0e3ae2e85cce5 |
| SHA1 | 6892ac31ac3f2c4e89a5b48b53cd20d1b597ee09 |
| SHA256 | d78ea872fad0ebeff7bfbe74799a9f24d162bc252936c60212e3bb72ec581cc2 |
| SHA512 | 2af32eead40f67b82c29c424cd32ed75e859cf1c1ade431d2cdb9533c95bcfb5b59fbfe6d14f71cda684ceb702f3b2c7d5485da9bf8a195ce4abedab4862292f |
memory/1708-63-0x0000000000210000-0x0000000000218000-memory.dmp
memory/1708-64-0x0000000000770000-0x00000000007D0000-memory.dmp
memory/1708-65-0x00000000003A0000-0x00000000003AC000-memory.dmp
memory/1708-66-0x00000000758D1000-0x00000000758D3000-memory.dmp
memory/1708-67-0x0000000004FA0000-0x0000000004FF6000-memory.dmp
memory/1924-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1924-69-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1924-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1924-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1924-73-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1924-74-0x0000000000451E5E-mapping.dmp
memory/1924-76-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1924-78-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1924-80-0x0000000074760000-0x0000000074D0B000-memory.dmp
memory/1924-81-0x0000000074760000-0x0000000074D0B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-08 08:02
Reported
2022-07-08 14:45
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
157s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dNkTXF.url | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1272 set thread context of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe
"C:\Users\Admin\AppData\Local\Temp\40f4abd6538f6bb6bea75ce34dfd087614bc33bf33e1bc6fd31fe8a2bba4f960.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76D6.tmp" "c:\Users\Admin\AppData\Local\Temp\j2gpao2o\CSC738E3168490D4CBF8A67465E693F2E2.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 52.182.141.63:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
Files
memory/1272-130-0x0000000000C70000-0x0000000000CD8000-memory.dmp
memory/2172-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.cmdline
| MD5 | d59465ad12157f44fff9ce8d9f61c8c3 |
| SHA1 | 101bbac90b8edc268e71eaf2ae6bbe250da16abc |
| SHA256 | 19220ab762d7271e19192bbc385aed1b848cbe7d74d6a0ddd3b9b01ef059c6b4 |
| SHA512 | b9ea4f8d7ea5ae982c163345ee9c803391a9c565e99cf2bc91acaac7a3a550b8cc05d457985d69e537be5a25e6a6bd2f2a2bd522672844367afe117b6c1e2149 |
\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.0.cs
| MD5 | e33624188c3ee62dcff268d6a4da727a |
| SHA1 | b4852044413774311dd91df1b3477b054ca18403 |
| SHA256 | ef0fb70ee3f15f43a0a8bbc4cdf8d0fccf944cb0f98287d03b163a18e591fd64 |
| SHA512 | 643b3ab3fdb29f61bfe53ccc68511af33cf624d4cc32b9db39fce39e990d299f36c9b27d35fa73bc39c4285605aec09c0a71432293b4dfcc5779a729f9d0dea2 |
memory/2600-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\j2gpao2o\CSC738E3168490D4CBF8A67465E693F2E2.TMP
| MD5 | e2e0dcb03a7a70ead5b0445b17758de5 |
| SHA1 | b15a6ea45fab58ade725c69cf60f4d3ad80f2595 |
| SHA256 | dc2a0fa158f0eb10b831be34537cc98fcb0969c9e2e18ca65e391367b331e261 |
| SHA512 | 9cace4381ac90daf0647aaece7125c2db70660b2f3463437c516ffad8d640bc582df8afc1fbfe98b5aa254e3e71a199b81a92caff3fd2987206323493c762925 |
C:\Users\Admin\AppData\Local\Temp\RES76D6.tmp
| MD5 | 707e74575731c8e99181d3b0757906ed |
| SHA1 | 3b7392a69d6c2332985ff2f24ce3485646566ab7 |
| SHA256 | b9c0560a84fc73da6ef4f6c7310b61b610550a9f45077672b0710e07e89f3a01 |
| SHA512 | 761943e9dbe63ac98ce2d96da9725295e7e4e2487df36d1a278cb2a333a7b1c08f33b4e52443372d61c9901b07125471dff58f31128f0f9847c4749c9645ea58 |
C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.dll
| MD5 | b07cbed381421051e55ad3c0bd69b00c |
| SHA1 | 872ff262f3804918c5c112c5b7c092d1646410b6 |
| SHA256 | 175dc95340e01ffd45e144513371919967c38ba5754cd17be5566dff628be3ab |
| SHA512 | b0460052015df2309f828e895654747ab98de8ee7ea9ed514fbf65e7737fdec4c905043b6fc20e057b85712ef6a004f772129eff3a0e9e57541880d5ae413ad2 |
C:\Users\Admin\AppData\Local\Temp\j2gpao2o\j2gpao2o.pdb
| MD5 | 5b00a4913e9597a0bc4a8487188f489f |
| SHA1 | 2db83388f23d26c863c8173b2534ca4fadc50205 |
| SHA256 | 4ac253952526cd8306bad2ca373f5956e3e2abd9164c453497cb008b85944a90 |
| SHA512 | ed91f3df8edb7cac8feaff0aec3ac7afe8393c8b85881cb87efc94ba27e353ab67c9733f57ea2d29a1565030d2199e2125e56d0e10482a5b6212098b59ea49f3 |
memory/1272-139-0x0000000005650000-0x00000000056E2000-memory.dmp
memory/1272-140-0x0000000005D90000-0x0000000005E2C000-memory.dmp
memory/4388-141-0x0000000000000000-mapping.dmp
memory/4388-142-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4388-143-0x0000000074C60000-0x0000000075211000-memory.dmp
memory/4388-144-0x0000000074C60000-0x0000000075211000-memory.dmp