Malware Analysis Report

2024-11-30 16:03

Sample ID 220712-fp9ataege7
Target 8abebde631005ae15aba91eb8f36fbe7.exe
SHA256 2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef

Threat Level: Known bad

The file 8abebde631005ae15aba91eb8f36fbe7.exe was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Checks computer location settings

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-12 05:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-12 05:04

Reported

2022-07-12 05:06

Platform

win7-20220414-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"

Signatures

Imminent RAT

trojan spyware imminent

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1336 set thread context of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe
PID 1336 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1336 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1336 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1336 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1884 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1884 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1884 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\taskmgr.exe
PID 1884 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe C:\Windows\SysWOW64\taskmgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe

"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uppEqmN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uppEqmN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE54.tmp"

C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe

"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1048

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

Network

Country Destination Domain Proto
US 172.245.163.161:9003 tcp
US 8.8.8.8:53 www.iptrackeronline.com udp
US 172.67.74.63:80 www.iptrackeronline.com tcp
US 172.67.74.63:443 www.iptrackeronline.com tcp

Files

memory/1336-54-0x0000000000A90000-0x0000000000B8C000-memory.dmp

memory/1336-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

memory/1336-56-0x0000000000640000-0x000000000065A000-memory.dmp

memory/1336-57-0x0000000000520000-0x000000000052E000-memory.dmp

memory/1336-58-0x0000000005D00000-0x0000000005DA4000-memory.dmp

memory/2020-59-0x0000000000000000-mapping.dmp

memory/1748-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE54.tmp

MD5 e27009e4a24f3da1c24d9c9fed7e7ce4
SHA1 0dba03cc6aef994d9587c920137036f6ee792250
SHA256 8d2c071fc60b1259b56a93f94b183012375f35cc4e9c22afc55916d24f8f4052
SHA512 3ed2cac34323d9eaf88bd17bf125488f44b8d3787201ae152545e53f2b18b6ee03dd960678b852656d18d21e8c2b0a8f7fa5d4e2a17f3c8f26029a1b743f3f76

memory/1336-63-0x000000000A250000-0x000000000A2B0000-memory.dmp

memory/1884-64-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-65-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-67-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-68-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-69-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-70-0x000000000045A3CE-mapping.dmp

memory/1884-72-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-74-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-75-0x00000000003C0000-0x00000000003E8000-memory.dmp

memory/1884-77-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-78-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-79-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-80-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-81-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-82-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-83-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-85-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-87-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-88-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-91-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1800-92-0x0000000000000000-mapping.dmp

memory/1884-95-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-96-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1884-98-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1336-93-0x0000000004ED5000-0x0000000004EE6000-memory.dmp

memory/2020-99-0x000000006E070000-0x000000006E61B000-memory.dmp

memory/396-102-0x0000000000000000-mapping.dmp

memory/1884-101-0x0000000002240000-0x000000000224E000-memory.dmp

memory/2020-104-0x000000006E070000-0x000000006E61B000-memory.dmp

memory/1884-105-0x0000000002270000-0x0000000002286000-memory.dmp

memory/1884-106-0x0000000004A65000-0x0000000004A76000-memory.dmp

memory/1884-107-0x00000000023E0000-0x00000000023EC000-memory.dmp

memory/1884-108-0x0000000004D50000-0x0000000004D5A000-memory.dmp

memory/1884-109-0x0000000004FD0000-0x0000000004FDE000-memory.dmp

memory/1884-110-0x0000000004FE0000-0x0000000004FEC000-memory.dmp

memory/1884-111-0x0000000004A65000-0x0000000004A76000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-12 05:04

Reported

2022-07-12 05:07

Platform

win10v2004-20220414-en

Max time kernel

148s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe

"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uppEqmN.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uppEqmN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE903.tmp"

C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe

"C:\Users\Admin\AppData\Local\Temp\8abebde631005ae15aba91eb8f36fbe7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1816 -ip 1816

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1740

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 52.167.17.97:443 tcp
US 93.184.221.240:80 tcp
US 20.189.173.7:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
US 8.8.8.8:53 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 172.245.163.161:9003 tcp

Files

memory/1816-130-0x00000000008A0000-0x000000000099C000-memory.dmp

memory/1816-131-0x0000000005870000-0x0000000005E14000-memory.dmp

memory/1816-132-0x0000000005360000-0x00000000053F2000-memory.dmp

memory/1816-133-0x0000000005400000-0x000000000540A000-memory.dmp

memory/1816-134-0x0000000008FE0000-0x000000000907C000-memory.dmp

memory/1816-135-0x000000000B7A0000-0x000000000B806000-memory.dmp

memory/228-136-0x0000000000000000-mapping.dmp

memory/920-137-0x0000000000000000-mapping.dmp

memory/228-138-0x0000000002B10000-0x0000000002B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE903.tmp

MD5 70bf25bd1e9619c382b410c940934c05
SHA1 dcd8d134d78824d738a4981d45cd47a02a930097
SHA256 749fc55fd8c71b514d713c2e54781d3339add65a485d647bdedb0af1d51fce98
SHA512 48e6b7c964570831998ff9c5adeec0f8d5036e77fa4f4f4b941d27438936c5935f4e3f387771a51597b6c020b80b451a835285a38d043012a62c1764ab005b89

memory/3088-141-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-140-0x0000000000000000-mapping.dmp

memory/228-142-0x00000000056F0000-0x0000000005D18000-memory.dmp

memory/3088-145-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-144-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-147-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-146-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-150-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-152-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-149-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-148-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-154-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-155-0x0000000000400000-0x0000000000460000-memory.dmp

memory/228-157-0x0000000005480000-0x00000000054A2000-memory.dmp

memory/228-160-0x0000000005620000-0x0000000005686000-memory.dmp

memory/3088-159-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-163-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-165-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3088-162-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4540-166-0x0000000000000000-mapping.dmp

memory/228-167-0x0000000006450000-0x000000000646E000-memory.dmp