Analysis Overview
SHA256
4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03
Threat Level: Known bad
The file 4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-12 02:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-12 02:45
Reported
2022-07-12 03:10
Platform
win7-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0DB82ByQ0pziwKZX.url | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1984 set thread context of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe
"C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES742.tmp" "c:\Users\Admin\AppData\Local\Temp\tzkowv1f\CSCDE2B2B7C0004B6CAD404ABCF1B62220.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
Files
memory/1984-54-0x0000000001330000-0x00000000013C8000-memory.dmp
memory/1656-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.cmdline
| MD5 | 0fd5291a9dde47988a867fcde2348d30 |
| SHA1 | 9353392d949a060563dc65294d560e9a91ed9473 |
| SHA256 | 0698668d90bb9e559b1d23f0b83f75fcf9430c1f55809fc91e4883dec7b2d50d |
| SHA512 | 52c62f0df81079125d973c7f13add04acd1ef439bbaf92fa23556880e5c72a61f37d5eeed36d5da6e46eb196b3f04195f47fb929fb746e6e85c0d29fc586e1b1 |
\??\c:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.0.cs
| MD5 | 71289ce85c9cfbc682ad511b3157cec9 |
| SHA1 | 95d05e2e86a8ced7499cddeed3cffbe37d33984f |
| SHA256 | 4f3ff6432aca7a4756312fe5f83d764901ccfac75efa56164f8152e22fb84f03 |
| SHA512 | 9d427d2d34f54cdd30537e170444fa3883b56a4cf396716bd000a24fa4737be5945f646d78cd450336a9ed8c0cdb44a105814c46fc0f9886c675dcc244a2a79a |
memory/1992-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tzkowv1f\CSCDE2B2B7C0004B6CAD404ABCF1B62220.TMP
| MD5 | 119971468fe9cd06134d515e6b90765b |
| SHA1 | 039b9a7ebc9ab2b753aca2db4efa6d52a36da751 |
| SHA256 | 985aa8a1294e911cd348e314e35047f3fe9564eca0604cc6a5e164c9bdd48af4 |
| SHA512 | e3f224cc59f8736c865eb7ec9e98cc9c666253a7ad8c53d715b816db753ef5afa8f5ba04d1ce6bf159555cc6efd5794fcc7c99650f56ce391521c75193524e5d |
C:\Users\Admin\AppData\Local\Temp\RES742.tmp
| MD5 | a6af4e9a031bafda292420009402c39e |
| SHA1 | 74987a0c431f9fb8df42e8819602be6b1c60230e |
| SHA256 | d938d638deb8d9787dc208771ae497aa94f771b75e4655bbc9229c3dae096e68 |
| SHA512 | 0bb3d78505fbdeb75dc0cf209ca448d0deaeda4ed6b70bb828c468da3d150e573c81023b6e390b17421a9e9ad404a42ede7790b1944732cb214791eb69f8997a |
C:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.dll
| MD5 | 44e03ce028184f9ba401c8c41476b0b7 |
| SHA1 | 108ffb4a5a642207ca55972d175b8fc3098aff26 |
| SHA256 | 7b9b1cf4a1628f585ef9b44c095dcbde755d20adf0b4515552f79cc56f084bf6 |
| SHA512 | 9c57526bf61255df84a105022022190e719d69d032f3949b9f2a9803ef681bdc14b20dd5b9430bccaa16008947865b9ccae8b9bafa287d736d31a01417f114a8 |
C:\Users\Admin\AppData\Local\Temp\tzkowv1f\tzkowv1f.pdb
| MD5 | b89b4b064b9704e75c4e431cba392992 |
| SHA1 | fae04ba057bcf974a3052af22114e7f7cec7dc41 |
| SHA256 | 6d734a4a0586c8e2faf84703575b9d73b7a5f87194a5f5561335151b2a85b330 |
| SHA512 | b0a0dda064fda369a597cb2c2b2bbe9e022fe493ab7ba536d6d88f1e2553614e726f4972510ff6525c2cc9fcc822246ec87070b69ec8a8f0856fa5f3276cd827 |
memory/1984-63-0x0000000000210000-0x000000000021C000-memory.dmp
memory/1984-64-0x0000000004CA0000-0x0000000004D00000-memory.dmp
memory/1984-65-0x00000000002B0000-0x00000000002BC000-memory.dmp
memory/1984-66-0x0000000004F00000-0x0000000004F56000-memory.dmp
memory/1076-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1076-70-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1076-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1076-67-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1076-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1076-73-0x0000000000451A0E-mapping.dmp
memory/1076-75-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1076-77-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1076-78-0x00000000753C1000-0x00000000753C3000-memory.dmp
memory/1076-79-0x0000000074A50000-0x0000000074FFB000-memory.dmp
memory/1076-80-0x0000000074A50000-0x0000000074FFB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-12 02:45
Reported
2022-07-12 03:10
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0DB82ByQ0pziwKZX.url | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3048 set thread context of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe
"C:\Users\Admin\AppData\Local\Temp\4d850bb0ebc7ebf2a6d0431b5e0f455b0e6e9c0507f0c0fcf392d786d4affc03.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnrtt0po\tnrtt0po.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64AA.tmp" "c:\Users\Admin\AppData\Local\Temp\tnrtt0po\CSC3C4D3891B664E4481C1DC2D706ABCB.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| NL | 13.69.109.130:443 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| IE | 20.190.159.75:443 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
| FR | 151.80.8.17:1714 | | tcp |
Files
memory/3048-130-0x0000000000C00000-0x0000000000C98000-memory.dmp
memory/2944-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tnrtt0po\tnrtt0po.cmdline
| MD5 | 83b45dcc48e6c090572c8394e0be24a4 |
| SHA1 | 23b917666aa15274b63b3dcfea85f773a0945cc8 |
| SHA256 | 9849b4f2e687b058e0582344b08d8175c27fc33531f657c2ccfeae3e7dbfb669 |
| SHA512 | 7884e5387ed38b7c4523dc3631e160ee830557b6e49804f9540afa95546d246da1e749a9ef635b4af7e96b0641017bb84e92111d67bda01104ba05d5aee3479b |
\??\c:\Users\Admin\AppData\Local\Temp\tnrtt0po\tnrtt0po.0.cs
| MD5 | 71289ce85c9cfbc682ad511b3157cec9 |
| SHA1 | 95d05e2e86a8ced7499cddeed3cffbe37d33984f |
| SHA256 | 4f3ff6432aca7a4756312fe5f83d764901ccfac75efa56164f8152e22fb84f03 |
| SHA512 | 9d427d2d34f54cdd30537e170444fa3883b56a4cf396716bd000a24fa4737be5945f646d78cd450336a9ed8c0cdb44a105814c46fc0f9886c675dcc244a2a79a |
memory/4568-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tnrtt0po\CSC3C4D3891B664E4481C1DC2D706ABCB.TMP
| MD5 | e7f0d59fcf0ce19b386382604f9178b8 |
| SHA1 | eddfc8d74051fefd1a4041fab3ee11158bb4b6f6 |
| SHA256 | 6e87fc421362e06d77bd1bc89f73e4391eb4d73b213e194dfcc80efdfeb754a9 |
| SHA512 | 0df170437309179ee776cf88a04ae119b32c6062618fa2ed46f6bf42b9506522566aa8f20b370b4f7f2f0b118b51ea92fb16c8a715aa87199e789399df7e25ab |
C:\Users\Admin\AppData\Local\Temp\RES64AA.tmp
| MD5 | 6307414571ca10d3489f2c5194c5ba0f |
| SHA1 | 8fe94dde93ef6e95dcc2e37124230c70ac906c89 |
| SHA256 | c92e55625a5c723e38b7f2fdf612d1eeeb56605af32619769b9f5ab18b5d4954 |
| SHA512 | 23ab45f17583b8e105a6ca711f345e2f7bd761524a40d00b7c5a798e25ba9dbe669bb0cc4c35bd558f417eee2f2f9d2ac9315e49feafff91b2c029b1eb0055c3 |
C:\Users\Admin\AppData\Local\Temp\tnrtt0po\tnrtt0po.pdb
| MD5 | 97938fbd4887c976a8c5969fc92f3e77 |
| SHA1 | 79962173ade5844e8de1aa36633133776feb5c30 |
| SHA256 | f80a81a1a921cefa4c8d7b37e28e263fe03c37488221ba84f24d78810cb93bc1 |
| SHA512 | 499e12a61561be439b5d5da9244b63adf8978991a582a79dd9e88c858c5107b6c5d9093a8676dc3c6712c0cd3a5d85ecda0828aa3c3526b7fe448ed81e954934 |
C:\Users\Admin\AppData\Local\Temp\tnrtt0po\tnrtt0po.dll
| MD5 | d2d1ac002d19e79d2a10f7cd20376d14 |
| SHA1 | afbc5bd15731cef27ff24a7ddc22b73751e8ca8a |
| SHA256 | ce44f7c09d43d12be76eaf19208506fc125296909cace9e2acdf546072c7ad13 |
| SHA512 | 1834af3792df1bd8ae50e485694b12ad15810fc3ddb5ada7a05684aec414b64b61cc847e862f5d34b2795e81e23c23b866373295d70cd8883d653be7ae693922 |
memory/3048-139-0x0000000005680000-0x0000000005712000-memory.dmp
memory/3048-140-0x0000000005D00000-0x0000000005D9C000-memory.dmp
memory/2336-141-0x0000000000000000-mapping.dmp
memory/4204-142-0x0000000000000000-mapping.dmp
memory/4204-143-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4204-144-0x0000000074C20000-0x00000000751D1000-memory.dmp
memory/4204-145-0x0000000074C20000-0x00000000751D1000-memory.dmp