Analysis Overview
SHA256
571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2
Threat Level: Known bad
The file 571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-25 00:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-25 00:42
Reported
2022-07-25 00:44
Platform
win7-20220718-en
Max time kernel
149s
Max time network
46s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EHPUMm.url | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1176 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe
"C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\im0sgrk3\im0sgrk3.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4AC.tmp" "c:\Users\Admin\AppData\Local\Temp\im0sgrk3\CSC45FD005269004DD49590C87A7DA3691A.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
Files
memory/1176-54-0x00000000010A0000-0x000000000112C000-memory.dmp
memory/1996-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\im0sgrk3\im0sgrk3.cmdline
| MD5 | 451a49a0e275b3f3fe0b7eb049813065 |
| SHA1 | e5358b2d3f49509b68bfec15880b5bfd3e9ca2c7 |
| SHA256 | 4e5ac89ca8433055111183f14566fe91953ef3fd403e3a1923a7556857b1f8b3 |
| SHA512 | 55955e2924f996071db2de0dba6aaa805fab05beea9d82b34ccfece0bb9d5763e0a3866b84ec1c903cd6952543c61ade6b5af92812d7e2bd66a3dd5e4ac52413 |
\??\c:\Users\Admin\AppData\Local\Temp\im0sgrk3\im0sgrk3.0.cs
| MD5 | c4bd1e2f14a267499aabd2bc0ceb26c3 |
| SHA1 | 9b405d02d970b588700bd6a65e5515ef43bc1c29 |
| SHA256 | 95db4c6e10ce5e1f2422f0ff92d8a5e2fa8b2365bcb5304e593c4b732108d176 |
| SHA512 | 6a3b29be5b45cf7ace6a65be259c890fe536614d434a330750d9ac91987fc8c9dfefa283473319b24cfdd31e7d430d1ea1b0a4f33b9bd80b47cfc6308a6d5cde |
memory/956-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\im0sgrk3\CSC45FD005269004DD49590C87A7DA3691A.TMP
| MD5 | 74f9f531f801fb35f3cedb282f10afb1 |
| SHA1 | ad41bf3960321b50fe66e3a03cafe98475923c3e |
| SHA256 | b192d9a9e89b6dbf0df12aa9419b872b74b7314abe1b1872707efba3122e33e8 |
| SHA512 | 7174bd232acb212ad27921df1b2e131fcd91cd565ecf4a9f1269d997a3a4ec83f27ac4c846020db11ce841d4844de5eb8d9150af72b29e77d26f22813b47df9a |
C:\Users\Admin\AppData\Local\Temp\RESF4AC.tmp
| MD5 | 158f8b29d7a8f0747294c660193fd4f0 |
| SHA1 | c4650335b96de264e62a9fd13364c978d3a71c55 |
| SHA256 | ddaed8924145aa70fb4d3a27023c58051d1df86150e9019fe5bf05c857e1e823 |
| SHA512 | 53d7b43b5d6392f5e15a60bf176ae47ba2fbcf6c64aff1b318964849b95346a6866262b622d897bb5f885f9f9f501865012e27c51c839ab6af5a9c6e4f035213 |
C:\Users\Admin\AppData\Local\Temp\im0sgrk3\im0sgrk3.dll
| MD5 | 95b7b825287a001118899f9ad56ac0b0 |
| SHA1 | 8904fd59a6acc4e7e987660e89fe0b35e65da258 |
| SHA256 | e9266bd0f8c16cbe2013f9d82c5090f38958f971d00b60aa4efc66c6f4fec362 |
| SHA512 | 87cb65fe8ce57e8cc68472a31b062d804693f28e476a60f4d250018ee109b8c89afa9d236a64e05f518f7d840bce2de70baddf80867ce968f63b98e88da7bb04 |
C:\Users\Admin\AppData\Local\Temp\im0sgrk3\im0sgrk3.pdb
| MD5 | ae89da1b67be019c4ca435e63fef9b4e |
| SHA1 | 56be56901960d72b4303e30546069a4a9038bbbe |
| SHA256 | 34c4bc83f17258537e823003ac8c1784ca599688eddb2597f20a563c6546acf8 |
| SHA512 | 380b79e267f34e68279a8c43c060be73f45f360ac2a0a0051f905cd4fd7b0127c84b1605c7a5140f6e814b669c4a2d0131d18e9670a0d6403666c99c35c9e1f8 |
memory/1176-63-0x00000000003D0000-0x00000000003DA000-memory.dmp
memory/1176-64-0x0000000004C90000-0x0000000004CF0000-memory.dmp
memory/1176-65-0x00000000004A0000-0x00000000004AC000-memory.dmp
memory/1176-66-0x0000000075B61000-0x0000000075B63000-memory.dmp
memory/1176-67-0x0000000004F40000-0x0000000004F96000-memory.dmp
memory/1644-69-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1644-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1644-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1644-73-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1644-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1644-74-0x0000000000451E5E-mapping.dmp
memory/1644-76-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1644-78-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1644-80-0x0000000074270000-0x000000007481B000-memory.dmp
memory/1644-81-0x0000000074270000-0x000000007481B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-25 00:42
Reported
2022-07-25 00:44
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EHPUMm.url | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4176 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe
"C:\Users\Admin\AppData\Local\Temp\571d1286aa8bfe4bcc65da6d1fba71a7c48261b14142233f187dd2ff628544f2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA741.tmp" "c:\Users\Admin\AppData\Local\Temp\mx03v1gq\CSCC148DEFEF0F4DE296D6C551C720A630.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 13.107.22.200:443 | | tcp |
| US | 8.8.8.8:53 | zynovahk.duckdns.org | udp |
| JP | 13.78.111.198:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
memory/4176-130-0x0000000000520000-0x00000000005AC000-memory.dmp
memory/4852-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.cmdline
| MD5 | 756d2bcea7f0c766c4dd64cb9cdeb467 |
| SHA1 | 8e1b6ffcdc7c58f5dc10a6c3012dd9b162e52f40 |
| SHA256 | c0771e24ef0e0ac93994870d86c9832130cdec4966ee1380c7bf2621d8b502c6 |
| SHA512 | 61f0ae848da486ec8b32ec1da4fa70b8a41c609bd769385b43d3973fa05054a03cda1679132b8e82d4540c63c09ff37d130a15006484a2bcb14418af57d7199a |
\??\c:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.0.cs
| MD5 | c4bd1e2f14a267499aabd2bc0ceb26c3 |
| SHA1 | 9b405d02d970b588700bd6a65e5515ef43bc1c29 |
| SHA256 | 95db4c6e10ce5e1f2422f0ff92d8a5e2fa8b2365bcb5304e593c4b732108d176 |
| SHA512 | 6a3b29be5b45cf7ace6a65be259c890fe536614d434a330750d9ac91987fc8c9dfefa283473319b24cfdd31e7d430d1ea1b0a4f33b9bd80b47cfc6308a6d5cde |
memory/3616-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\mx03v1gq\CSCC148DEFEF0F4DE296D6C551C720A630.TMP
| MD5 | 354550698a9cd09a14629d2be4ee0053 |
| SHA1 | fa2bbd7e3af6e7e71c53ab02c22a815e9908b275 |
| SHA256 | ddc34c2e765377cb444fb9e40360e7e8d7918d256585cf215729f83ef675f564 |
| SHA512 | a6dadc31e57f66d2f2e58478b02d7e63ef2b49f9c793814b5ebae6a9d03195b3d9f0e29a37d8fa493002da2228951e2dd40a4e650922017022683c01f3275924 |
C:\Users\Admin\AppData\Local\Temp\RESA741.tmp
| MD5 | 974a6fbf7bb2ef0f37506f1ceed0c428 |
| SHA1 | e29f3b82a566e186042eba963704685a2d7e96b8 |
| SHA256 | 5bd9750ee904db851dea0d1d6192b0e34e6d9ceee1ee5d9aecde857cc77ebaeb |
| SHA512 | 255b1428d271616ef0ff85697a6620b6d9b028d143d9949e533a23d1b6ec34a2111dd99383feaf58a096cc706b6130d8912ffa0b21e2a705b87fd719cffeaeac |
C:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.dll
| MD5 | 2e8ef1aa8eaa6ac96e3ec8c12103274b |
| SHA1 | ceb8b0c33f124d88131718036846990feacea4d8 |
| SHA256 | f3fd140f9c8457120b7df9f4041aee0540f2c08852f1e8bdb9b521654faad13d |
| SHA512 | 0184801e9050b6fe5cb1361c66b6daa5b987015f2134ae9d8243739495d48ae89b03a49062eb25801cd6696824f9c1786f05798444291fa3feff628226300c98 |
C:\Users\Admin\AppData\Local\Temp\mx03v1gq\mx03v1gq.pdb
| MD5 | 8ad4a2730533ec2c9777e527c2703eba |
| SHA1 | b638a9fb14f5a4879894470369a9d52b2fb90696 |
| SHA256 | 1fd74c3d10346a0825954064a62a2f475dc6336d415b49fa692b9b60af8d5c9c |
| SHA512 | 47098c6b0f0460d70ed7db2863bb9ac383dd953ff7fabe533c39dbbfe800c2f4ded58024f160476ebdec1fadcb42de801f82e45eac50ad9569c2d173c66c87b8 |
memory/4176-139-0x0000000004F90000-0x0000000005022000-memory.dmp
memory/4176-140-0x0000000005630000-0x00000000056CC000-memory.dmp
memory/2340-141-0x0000000000000000-mapping.dmp
memory/2340-142-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2340-143-0x0000000074EB0000-0x0000000075461000-memory.dmp
memory/2340-144-0x0000000074EB0000-0x0000000075461000-memory.dmp