Analysis Overview
SHA256
f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2
Threat Level: Known bad
The file f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Drops startup file
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-25 03:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-25 03:08
Reported
2022-07-25 03:11
Platform
win7-20220718-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwXSaz.url | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2040 set thread context of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe
"C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xl20jpjg\xl20jpjg.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF799.tmp" "c:\Users\Admin\AppData\Local\Temp\xl20jpjg\CSC39DBA16DAF44AB951367BF6F593F1.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto | Connections |
| TR | 185.148.241.50:1716 | N/A | tcp | 24 |
Files
memory/2040-54-0x0000000000D90000-0x0000000000E1A000-memory.dmp
memory/1048-55-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xl20jpjg\xl20jpjg.cmdline
| MD5 | c8ca98eeef363deb921795f83cc126a2 |
| SHA1 | d65e1125586b91bc569702132f5965c58aee2206 |
| SHA256 | 003375581459d0607ba219d3ecfeaa3cb3103ea1daee0376d46f55302e236b45 |
| SHA512 | a48664974e60730f1add1bdfbc79a205ce4fae321dcdaf631acec25129d36093fb974fb646a31da41004c9015880ca35974a90cc1434ae5e0e9cef665829f9e0 |
\??\c:\Users\Admin\AppData\Local\Temp\xl20jpjg\xl20jpjg.0.cs
| MD5 | aeecd98b7d51a1971e2eca13e6a7f0a6 |
| SHA1 | e501da4d745dda2a52783b303481b4c704573b74 |
| SHA256 | 94d19ec9a346bdd466a9907e796c5f357e4bbb38925429fe22308a3d62f345cb |
| SHA512 | dcd83733cfa1971eec0ca3f2773eff94d0232ecb5138fe0243d584ce172404f7cc0d8605b46705c69b9d15740bb50fd04454dd996bf93b8ccc60f3cb8798c3fb |
memory/1004-58-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xl20jpjg\CSC39DBA16DAF44AB951367BF6F593F1.TMP
| MD5 | 0c413969de490bc4885cd1a9871d9249 |
| SHA1 | 6d7b68e1cbc7b5962cfef413671b633632fe51ab |
| SHA256 | 7d401583e5d3a71358e4c3d62d42e5ccd3f45c3805287c6b021598c19d1685e2 |
| SHA512 | e62c5aee32172b29393932dc7e2c973aaf4ec1dcfd71cd85602fa95256794535b08a68bf5d4708ef4618785e2fba566e6d08d082c24cb5063196429491133cfe |
C:\Users\Admin\AppData\Local\Temp\RESF799.tmp
| MD5 | b753890f7850d6d80eb93fdd825e4071 |
| SHA1 | a0406d962a9d519df9062298b582314e747f2340 |
| SHA256 | 97f027e96c05f5fa8ce172c7f5dc54aa7f12788e9bff2cd0f9410e3afbae894b |
| SHA512 | 3152bbb5702a42aff26715d02c4e7f4e7a581c4e6a476a065dfb8494506244a1d1ff93e6b9d73969033aedf8e3fc0d0eb3268bd4f032d2a9ebc84f959980c995 |
C:\Users\Admin\AppData\Local\Temp\xl20jpjg\xl20jpjg.dll
| MD5 | 842f1d0149f1183ced1219d94b324f8d |
| SHA1 | 12478d1474601abbf5f70f6036213c056fa44f09 |
| SHA256 | 84156a0fbc3b39f5c1cd1b32c163e045180c327fd69b0bc9edcef2e3dfec525f |
| SHA512 | ed27b0c582052ddd67fb900fe5fb0ef48299ab42b2efc444fa1f3dbb23abaadc8e0109174ccff4f561330cb0e0b2e4c3c1ce666c8d736a326b13e35bb6bb1ba3 |
C:\Users\Admin\AppData\Local\Temp\xl20jpjg\xl20jpjg.pdb
| MD5 | 2fb6008b4e766090aa0007ca3ce5d7c4 |
| SHA1 | a871a4f9586305215cc6899dfa9d02e64d5d4e42 |
| SHA256 | a88eaa3c369895af16aa74451bc2d3d27b10015ec01dd1340229444524a434cb |
| SHA512 | b1feb800040fdd388774a1ccaec6591b19c970c7b7fea6ac9fa0056c0d2fbc2923e014548c7b2211b8981981321c844fbf442b9d22e6222874657c560a9ff59b |
memory/2040-63-0x00000000003C0000-0x00000000003C8000-memory.dmp
memory/2040-64-0x0000000002260000-0x00000000022C0000-memory.dmp
memory/2040-65-0x0000000000620000-0x000000000062C000-memory.dmp
memory/2040-66-0x0000000075A81000-0x0000000075A83000-memory.dmp
memory/2040-67-0x0000000002350000-0x00000000023A6000-memory.dmp
memory/1556-68-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1556-69-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1556-71-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1556-72-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1556-73-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1556-74-0x0000000000451B2E-mapping.dmp
memory/1556-76-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1556-78-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1556-80-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/1556-81-0x0000000074F10000-0x00000000754BB000-memory.dmp
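Reading the two detonations together: the dropper (PID 2040 on Windows 7, 3768 on Windows 10) writes C# source to a temp directory and compiles it with csc.exe (cvtres.exe is csc's resource step, not a separate payload), writes BwXSaz.url into the user's Startup folder, starts the .NET 2.0 RegAsm.exe with no arguments and replaces its image via SetThreadContext (process hollowing; the injected image occupies 0x400000-0x456000 in RegAsm on both platforms, and the 0x451B2E mapping dump is where execution was redirected), after which RegAsm.exe is the process talking to 185.148.241.50:1716. The compiled source is identical on both runs (the .0.cs hashes match); only the output DLL differs. Below is an added example, not part of the sandbox report, of how those observables translate into endpoint detection logic: Sysmon-style events constructed from this report's process tree, file and network activity (PIDs for csc.exe and cvtres.exe, and the benign control events, are assumed), run through four rules. SetThreadContext itself is not a Sysmon event, so the rules key on its side effects: a .NET utility launched with an empty command line by a parent in a user-writable directory, and that utility making outbound connections to public addresses. The csc.exe rule allow-lists powershell.exe and developer tools because Add-Type and builds legitimately compile from %TEMP%.

```python
"""Detection rules for the RegAsm.exe hollowing chain in this report.

Example code added to the report, not part of the sandbox output. The events
below are constructed to mirror the behavioral1 run (PIDs 2040 and 1556 are
from the report; the csc.exe/cvtres.exe PIDs and the benign events are assumed).
"""
import ipaddress
import re

# Sysmon event IDs (real values); only the fields the rules need are modelled.
PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE = 1, 3, 11

# .NET framework utilities routinely abused as injection hosts.
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Parents that legitimately drive csc.exe with a %TEMP% .cmdline (Add-Type, builds).
CSC_ALLOWED_PARENTS = {"powershell.exe", "pwsh.exe", "devenv.exe", "msbuild.exe"}

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
STARTUP_ITEM = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
    r"[^\\]+\.(url|lnk|exe|vbs|bat|cmd|js)$", re.I)
TEMP_CMDLINE = re.compile(r'@"?[a-z]:\\users\\[^"]*\\appdata\\local\\temp\\[^"]*\.cmdline', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

SAMPLE_EVENTS = [  # constructed, modelled on the behavioral1 process tree
    {"EventID": 1, "ProcessId": 2040, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 1048, "Image": CSC, "ParentImage": SAMPLE,  # PID assumed
     "CommandLine": rf'"{CSC}" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xl20jpjg\xl20jpjg.cmdline"'},
    {"EventID": 1, "ProcessId": 1004, "Image": CVTRES, "ParentImage": CSC,  # PID assumed
     "CommandLine": f"{CVTRES} /NOLOGO /READONLY /MACHINE:IX86"},
    {"EventID": 11, "ProcessId": 2040, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwXSaz.url"},
    {"EventID": 1, "ProcessId": 1556, "Image": REGASM, "ParentImage": SAMPLE,
     "CommandLine": f'"{REGASM}"'},
    {"EventID": 3, "ProcessId": 1556, "Image": REGASM, "DestinationIp": "185.148.241.50", "DestinationPort": 1716},
    # Benign controls (assumed): a developer registering a COM assembly, then an intranet connection.
    {"EventID": 1, "ProcessId": 7000, "Image": REGASM,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": rf'"{REGASM}" /codebase C:\Projects\Foo\bin\Foo.dll'},
    {"EventID": 3, "ProcessId": 7000, "Image": REGASM, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_args(image, cmdline):
    """True when the command line is just the (possibly quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def is_public_ip(addr):
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def detect(events):
    """Return (rule, pid, detail) tuples for every event that trips a rule."""
    alerts = []
    for ev in events:
        eid, image, pid = ev["EventID"], ev["Image"], ev["ProcessId"]
        if eid == PROCESS_CREATE:
            parent, cmd = ev["ParentImage"], ev["CommandLine"]
            # Hollowing host: .NET utility started with no arguments by something in %TEMP%/Roaming.
            if basename(image) in DOTNET_LOLBINS and has_no_args(image, cmd) and USER_WRITABLE.search(parent):
                alerts.append(("dotnet_lolbin_no_args_from_user_path", pid, parent))
            # Runtime C# compilation from a temp .cmdline by a parent that is not a known compiler driver.
            if basename(image) == "csc.exe" and TEMP_CMDLINE.search(cmd) and basename(parent) not in CSC_ALLOWED_PARENTS:
                alerts.append(("runtime_csharp_compile", pid, parent))
        elif eid == FILE_CREATE:
            target = ev["TargetFilename"]
            if STARTUP_ITEM.search(target) and USER_WRITABLE.search(image):
                alerts.append(("startup_folder_persistence", pid, target))
        elif eid == NETWORK_CONNECT:
            dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            if basename(image) in DOTNET_LOLBINS and is_public_ip(ev["DestinationIp"]):
                alerts.append(("dotnet_lolbin_public_network", pid, dest))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid:<5} {detail}")
```

Against the constructed events the four report-derived events each raise one alert and the two benign control events raise none. To run this over real telemetry, map Sysmon event IDs 1, 3 and 11 (or the equivalent EDR fields) onto the same keys; the network rule is the one that survives renaming of the dropper, since whichever host process is hollowed must still reach 185.148.241.50:1716.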
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-25 03:08
Reported
2022-07-25 03:11
Platform
win10v2004-20220721-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Imminent RAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwXSaz.url | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3768 set thread context of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe
"C:\Users\Admin\AppData\Local\Temp\f24dfe0c5a0829dded789ceff7d8c11827d563a0bea36c7643659a001cec04c2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u4wtpg4c\u4wtpg4c.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD68E.tmp" "c:\Users\Admin\AppData\Local\Temp\u4wtpg4c\CSCF8FC73EBDCC948779F88C225271EE84.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto | Connections |
| US | 93.184.221.240:80 | N/A | tcp | 5 |
| TR | 185.148.241.50:1716 | N/A | tcp | 32 |
| NL | 52.178.17.2:443 | N/A | tcp | 1 |
Only the 185.148.241.50:1716 connections recur across both runs; the port 80 and 443 connections have no domain recorded and appear only on the Windows 10 image, which is consistent with OS background traffic rather than C2, so treat 185.148.241.50:1716 as the network indicator for this sample.
Files
memory/3768-130-0x00000000009D0000-0x0000000000A5A000-memory.dmp
memory/948-131-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\u4wtpg4c\u4wtpg4c.cmdline
| MD5 | cb808ef70d2a0ff1d883a9ecedb13d4d |
| SHA1 | 51a1243611586ba8037df5a5a2db590abdc3224b |
| SHA256 | 13568b620a7f02d108f9f98587651b65e832bbafd28220e078ee0e064c782eda |
| SHA512 | 71d614cda999df39d532f63e58d10f2d79768de12553267d03f29a75795f20ddb4104763d0af82e37b6957dc4153f223e6aeda98a436977590c5a860a15e9923 |
\??\c:\Users\Admin\AppData\Local\Temp\u4wtpg4c\u4wtpg4c.0.cs
| MD5 | aeecd98b7d51a1971e2eca13e6a7f0a6 |
| SHA1 | e501da4d745dda2a52783b303481b4c704573b74 |
| SHA256 | 94d19ec9a346bdd466a9907e796c5f357e4bbb38925429fe22308a3d62f345cb |
| SHA512 | dcd83733cfa1971eec0ca3f2773eff94d0232ecb5138fe0243d584ce172404f7cc0d8605b46705c69b9d15740bb50fd04454dd996bf93b8ccc60f3cb8798c3fb |
memory/4344-134-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\u4wtpg4c\CSCF8FC73EBDCC948779F88C225271EE84.TMP
| MD5 | e189a3991ac242467a83c6216578e919 |
| SHA1 | 3adc42ee11172243f19e869900a886d810231910 |
| SHA256 | 8a6941149fba780e76ea0e3cf1d4c7dc11e7cb85247928b75272ba3d2ea814a3 |
| SHA512 | a42734f340b78c17db68dd744b265cc8929cb12e59a2ec5644ae2338debc2341aa3ff5af414f1a143fdb8232265b40b506fa5ae9020a3a6acb9f8c687bf12f94 |
C:\Users\Admin\AppData\Local\Temp\RESD68E.tmp
| MD5 | b2c5c340f432a00e108104f1a3e6e801 |
| SHA1 | 8d3a59875d8f56e02c6d7d32a21f98aff5aea8ca |
| SHA256 | 3e3ffffd0148f18bb76e3bb92de332ef57ea947e95030bbb1874213023057f68 |
| SHA512 | 3b043ac5f6cd5bb4f592551f19bfb7378d72ad25777ab1cb61c04fdc48fce49dd3e32179ae5b9b561c5649c0d3d08dfa3c6396f0f1ba8e3163f085544a1f9c54 |
C:\Users\Admin\AppData\Local\Temp\u4wtpg4c\u4wtpg4c.dll
| MD5 | 4aee13635b7a6af9dd2d2d5ee0af1e4b |
| SHA1 | 40585e2323bcf12179df8eb045d4545ba29578d0 |
| SHA256 | c6c2b796581b59074ad965fcf95cda7e2727f9c389f15be47d5e55fd137ebe1c |
| SHA512 | 03229f220d886619afc7d334c6d4776d59e2f01c1dd13c492e1233008bbe181298d0374895e8fdf506909258afe0cfbd0a8fbe2764b065ff8bce4f6a9eb4a1aa |
C:\Users\Admin\AppData\Local\Temp\u4wtpg4c\u4wtpg4c.pdb
| MD5 | c4f1a9bb372bef16256978326b43521a |
| SHA1 | ca98bcbd09a2bc6efc878c749e2abaac3c9aca9f |
| SHA256 | 03039d92c31b9ddb3270950f9412b3c8207b3a2d9fbcee424a12b4e9b40d7417 |
| SHA512 | 808ae0d52b812375cc2bffe9886d5a5d2a7262407f224bc0d307d98d5129928b4cf4ee355313ba4c2946e344dc305ea859f3cade3c9b5edc96dc0b4b7210785f |
memory/3768-139-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/3768-140-0x0000000005AE0000-0x0000000005B7C000-memory.dmp
memory/1488-141-0x0000000000000000-mapping.dmp
memory/1488-142-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1488-143-0x0000000074EE0000-0x0000000075491000-memory.dmp
memory/1488-144-0x0000000074EE0000-0x0000000075491000-memory.dmp