Analysis Overview
SHA256
2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef
Threat Level: Known bad
The file 8abebde631005ae15aba91eb8f36fbe7.exe was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Checks computer location settings
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-12 05:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-12 05:04
Reported
2022-07-12 05:06
Platform
win7-20220414-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Imminent RAT
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1336 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uppEqmN.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uppEqmN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE54.tmp"
C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1048
C:\Windows\SysWOW64\taskmgr.exe
"C:\Windows\System32\taskmgr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 172.245.163.161:9003 | tcp | |
| US | 8.8.8.8:53 | www.iptrackeronline.com | udp |
| US | 172.67.74.63:80 | www.iptrackeronline.com | tcp |
| US | 172.67.74.63:443 | www.iptrackeronline.com | tcp |
Files
memory/1336-54-0x0000000000A90000-0x0000000000B8C000-memory.dmp
memory/1336-55-0x0000000074B51000-0x0000000074B53000-memory.dmp
memory/1336-56-0x0000000000640000-0x000000000065A000-memory.dmp
memory/1336-57-0x0000000000520000-0x000000000052E000-memory.dmp
memory/1336-58-0x0000000005D00000-0x0000000005DA4000-memory.dmp
memory/2020-59-0x0000000000000000-mapping.dmp
memory/1748-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE54.tmp
| MD5 | e27009e4a24f3da1c24d9c9fed7e7ce4 |
| SHA1 | 0dba03cc6aef994d9587c920137036f6ee792250 |
| SHA256 | 8d2c071fc60b1259b56a93f94b183012375f35cc4e9c22afc55916d24f8f4052 |
| SHA512 | 3ed2cac34323d9eaf88bd17bf125488f44b8d3787201ae152545e53f2b18b6ee03dd960678b852656d18d21e8c2b0a8f7fa5d4e2a17f3c8f26029a1b743f3f76 |
memory/1336-63-0x000000000A250000-0x000000000A2B0000-memory.dmp
memory/1884-64-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-65-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-67-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-68-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-69-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-70-0x000000000045A3CE-mapping.dmp
memory/1884-72-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-74-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-75-0x00000000003C0000-0x00000000003E8000-memory.dmp
memory/1884-77-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-78-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-79-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-80-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-81-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-82-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-83-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-85-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-87-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-88-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-91-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1800-92-0x0000000000000000-mapping.dmp
memory/1884-95-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-96-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1884-98-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1336-93-0x0000000004ED5000-0x0000000004EE6000-memory.dmp
memory/2020-99-0x000000006E070000-0x000000006E61B000-memory.dmp
memory/396-102-0x0000000000000000-mapping.dmp
memory/1884-101-0x0000000002240000-0x000000000224E000-memory.dmp
memory/2020-104-0x000000006E070000-0x000000006E61B000-memory.dmp
memory/1884-105-0x0000000002270000-0x0000000002286000-memory.dmp
memory/1884-106-0x0000000004A65000-0x0000000004A76000-memory.dmp
memory/1884-107-0x00000000023E0000-0x00000000023EC000-memory.dmp
memory/1884-108-0x0000000004D50000-0x0000000004D5A000-memory.dmp
memory/1884-109-0x0000000004FD0000-0x0000000004FDE000-memory.dmp
memory/1884-110-0x0000000004FE0000-0x0000000004FEC000-memory.dmp
memory/1884-111-0x0000000004A65000-0x0000000004A76000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-12 05:04
Reported
2022-07-12 05:07
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
173s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1816 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1816 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1816 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1816 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1816 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1816 wrote to memory of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uppEqmN.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uppEqmN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE903.tmp"
C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1816 -ip 1816
C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1740
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 52.167.17.97:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 20.189.173.7:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 172.245.163.161:9003 | tcp |
Files
memory/1816-130-0x00000000008A0000-0x000000000099C000-memory.dmp
memory/1816-131-0x0000000005870000-0x0000000005E14000-memory.dmp
memory/1816-132-0x0000000005360000-0x00000000053F2000-memory.dmp
memory/1816-133-0x0000000005400000-0x000000000540A000-memory.dmp
memory/1816-134-0x0000000008FE0000-0x000000000907C000-memory.dmp
memory/1816-135-0x000000000B7A0000-0x000000000B806000-memory.dmp
memory/228-136-0x0000000000000000-mapping.dmp
memory/920-137-0x0000000000000000-mapping.dmp
memory/228-138-0x0000000002B10000-0x0000000002B46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE903.tmp
| MD5 | 70bf25bd1e9619c382b410c940934c05 |
| SHA1 | dcd8d134d78824d738a4981d45cd47a02a930097 |
| SHA256 | 749fc55fd8c71b514d713c2e54781d3339add65a485d647bdedb0af1d51fce98 |
| SHA512 | 48e6b7c964570831998ff9c5adeec0f8d5036e77fa4f4f4b941d27438936c5935f4e3f387771a51597b6c020b80b451a835285a38d043012a62c1764ab005b89 |
memory/3088-141-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-140-0x0000000000000000-mapping.dmp
memory/228-142-0x00000000056F0000-0x0000000005D18000-memory.dmp
memory/3088-145-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-144-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-147-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-146-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-150-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-152-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-149-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-148-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-154-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-155-0x0000000000400000-0x0000000000460000-memory.dmp
memory/228-157-0x0000000005480000-0x00000000054A2000-memory.dmp
memory/228-160-0x0000000005620000-0x0000000005686000-memory.dmp
memory/3088-159-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-163-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-165-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3088-162-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4540-166-0x0000000000000000-mapping.dmp
memory/228-167-0x0000000006450000-0x000000000646E000-memory.dmp