Analysis Overview
SHA256
fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166
Threat Level: Known bad
The file fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-24 21:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-24 21:24
Reported
2022-07-24 21:27
Platform
win7-20220715-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmngKW.url | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 900 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
"C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF651.tmp" "c:\Users\Admin\AppData\Local\Temp\413kvgzq\CSC471E65CC69604E858F2FD6E97C96CB1.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
Files
memory/900-54-0x0000000000B10000-0x0000000000BA8000-memory.dmp
memory/1088-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.cmdline
| MD5 | e13913f1d8440bf700466c932d078648 |
| SHA1 | 8fd723573053b0bddc7cf2e3cbfc32556f12b996 |
| SHA256 | b392032c4c45691b306d701030455314937183fdc61375fbd7980c7ca3051d60 |
| SHA512 | 8c3e6dc20e046fc80fcb02f3e0e9134f59c38d6f83e1e4ff5d7d89bf8f8a7ec6f9cf235e1e0a14abe3bc5c52873e26d94ca8b7564740251b22d07562afda77f7 |
\??\c:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.0.cs
| MD5 | 32b3f85274e58a135f05ad9e7a5d1b12 |
| SHA1 | 0f02c0515184c5c36cfbb7e774e292694be65ca6 |
| SHA256 | 1d9dbef86bdf14eca6deba25603e64b211596a97cb3597968a0b21ffebb4cea7 |
| SHA512 | 4eefbbf2ce9563b50eafef878c155546b572578ef85f3bd7fc419b4553d84f407879e52876deef4f5b7e8390fffc514594a31d481e5ea2352c0c3c3784ee36ff |
memory/1168-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\413kvgzq\CSC471E65CC69604E858F2FD6E97C96CB1.TMP
| MD5 | fe7d3838b29b4122d69db1fc3b4654a6 |
| SHA1 | 618f12469bf29808bfb6e15d537ad49d0e9b64b8 |
| SHA256 | 449e56025ad0250e1617e1f004a2abdd96c4c07c608908c3560748a2c8922d5e |
| SHA512 | 64312f8a2f1b0730376964ea1e14276c80ec12fd22d1334e9ba6781c085a2a36d84bb68138f2d41bb86974957a3aa7d594137795d6dcc144f16decd2b96f25f0 |
C:\Users\Admin\AppData\Local\Temp\RESF651.tmp
| MD5 | 1b251f786fa4591b36b76fa2f0ec2c33 |
| SHA1 | cda6ada0102b336e002da34466116cbc00708be9 |
| SHA256 | 164eb71a3434180eab490b2c109c02fd1fae795264ef37954768ab3afd17c76d |
| SHA512 | b73c6ad7ea5022d979840ed5d64f2dad39fd0d3441e455b8f546bc7607effd9dd36abccffc01a363dcbf226851c80351a403ed1a75a171a6a0d34cef06af3dab |
C:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.dll
| MD5 | 805efbc16049ec5d68605054b13826cb |
| SHA1 | 9301f24fa5f98ab20091b9ec903416c6d651c9c1 |
| SHA256 | c640abebcd15f01fa4c16dec14c437d330cb8a7e1fa1ab731c498f759701f88b |
| SHA512 | 4a808c45865672aae8f5351847dd4e78940fc558d3f33b52022d6ba57ace6017f2c25bdd7d66a9a6f680095f3b92209c6fc76cefb2b09ee4b4fbff4728febc64 |
C:\Users\Admin\AppData\Local\Temp\413kvgzq\413kvgzq.pdb
| MD5 | 9f44fb71e5ac93dbf5ca113147ceab67 |
| SHA1 | 177a68ec092f6d81f4b04b62857089f22dfc6cc0 |
| SHA256 | 64708b6ea425691a26868deb50b2ab5329fcb7b52a5837c33b2510a993b7ef4b |
| SHA512 | c6f12275de7664e6bf48a6631291f191c95830a053ca77bebf03141eed410b753daa92dbe6fabda7c546e93168d9a2cf8e5432e5cf055f63fa8638106001399a |
memory/900-63-0x0000000000310000-0x0000000000318000-memory.dmp
memory/900-64-0x0000000004620000-0x0000000004680000-memory.dmp
memory/900-66-0x00000000754C1000-0x00000000754C3000-memory.dmp
memory/900-65-0x00000000003B0000-0x00000000003BC000-memory.dmp
memory/900-67-0x0000000004A60000-0x0000000004AB6000-memory.dmp
memory/1988-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1988-69-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1988-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1988-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1988-73-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1988-74-0x0000000000451DFE-mapping.dmp
memory/1988-76-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1988-78-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1988-80-0x0000000074200000-0x00000000747AB000-memory.dmp
memory/1988-81-0x0000000074200000-0x00000000747AB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-24 21:24
Reported
2022-07-24 21:27
Platform
win10v2004-20220721-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AmngKW.url | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4748 set thread context of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe
"C:\Users\Admin\AppData\Local\Temp\fe9892b91bdf2ae52753dc299bd2f7075edf4cc71a5390ec0520e193c685a166.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA899.tmp" "c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\CSCBD9CAE4EF6974FF995B73BED73503DE1.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 131.253.33.200:443 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 20.42.65.85:443 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 67.26.209.254:80 | | tcp |
| US | 67.26.209.254:80 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
| US | 191.101.22.236:1718 | | tcp |
Files
memory/4748-130-0x0000000000DF0000-0x0000000000E88000-memory.dmp
memory/2792-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.cmdline
| MD5 | 8c92ced3c1eae4c3c083e9cd29dade68 |
| SHA1 | 559bce0823362565e9f3b308752b2932d130e39f |
| SHA256 | 84b30407b2f03559384ad2db7502edd8f7ea28ad95e2ecad064e1c85d27347b2 |
| SHA512 | 5644813126bd3ca32d4a9db8447fcf7007fe22c843384b668526c15bd2b8605295212f3567c50e4a0a35928a025def14944a203463a8a8605ad1e37e811fa943 |
\??\c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.0.cs
| MD5 | 32b3f85274e58a135f05ad9e7a5d1b12 |
| SHA1 | 0f02c0515184c5c36cfbb7e774e292694be65ca6 |
| SHA256 | 1d9dbef86bdf14eca6deba25603e64b211596a97cb3597968a0b21ffebb4cea7 |
| SHA512 | 4eefbbf2ce9563b50eafef878c155546b572578ef85f3bd7fc419b4553d84f407879e52876deef4f5b7e8390fffc514594a31d481e5ea2352c0c3c3784ee36ff |
memory/8-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\x4oqqd4b\CSCBD9CAE4EF6974FF995B73BED73503DE1.TMP
| MD5 | b14d667d2d299d1deb387e01c9debebe |
| SHA1 | 0346633a3c303f5c9d363020ea9f74a3d59cfeaf |
| SHA256 | 9e138652790477a014bdd38ff01f4a7564a59882a44c2e2ca4d21fcbad7b464e |
| SHA512 | 8f1d2c60cc32c48067e457440f3bedcd59b2aa640c2c1df265fdd46c21181ccb82439b345de082868c96b17d8404f88a6a0c6234210e6d36432d5ed37e007f29 |
C:\Users\Admin\AppData\Local\Temp\RESA899.tmp
| MD5 | 58c5cd3c025efb963296aa6da575c406 |
| SHA1 | 9bd5413e4083b685da2aace4f562ef54f962b704 |
| SHA256 | 027ba769f9534e33163fa7caf9d2f99e1f05232d393f30d52faa97537a261b6b |
| SHA512 | 0a48613aa55447b2695e076e2ea839c3c8b58e15dc709995d4b18fa9eb2b7749c623193a0b85bdbdc776fe907959e90fc9e1c65b845ed7faeca72d8a90c92832 |
C:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.pdb
| MD5 | b0c73dca6da5a99867abf6cf6279d7af |
| SHA1 | cbc0849c5ac69f2cb7148ea70fb6671449bf04f1 |
| SHA256 | 721d9bb7329a250fbda7ddbe3e29ec152a072d2b4b7bb2c15aad67d130839953 |
| SHA512 | e849a298d3b821de7e8a04fc742cf2b791031635ba543b8637ef4c237a495283cb6e9dae7a919a923158da2e0b0f25415378cc545f37562c6061801a63802ca6 |
C:\Users\Admin\AppData\Local\Temp\x4oqqd4b\x4oqqd4b.dll
| MD5 | 5121a927bdd7857c784e9320f48e1b76 |
| SHA1 | 989747fd05cf258e6dc5f94c8de9096bdfe2f7ac |
| SHA256 | 4504ff9fff39c38fa932942178c53dd2993ac07909610f524d5825d1c4319fc8 |
| SHA512 | acd54585d32e2ccba3778ba868febb36bc0bad7e678f6025ff0f066f6715054d2fbd94993fece04ae62f544cf8923f1c16c25af6396687a714e3925f0f6c0ee7 |
memory/4748-139-0x0000000005790000-0x0000000005822000-memory.dmp
memory/4748-140-0x0000000005DE0000-0x0000000005E7C000-memory.dmp
memory/4344-141-0x0000000000000000-mapping.dmp
memory/4344-142-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4344-143-0x0000000074E20000-0x00000000753D1000-memory.dmp
memory/4344-144-0x0000000074E20000-0x00000000753D1000-memory.dmp