Analysis Overview
SHA256
5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638
Threat Level: Known bad
The file 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-31 23:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-31 23:57
Reported
2022-08-01 03:51
Platform
win7-20220718-en
Max time kernel
152s
Max time network
191s
Command Line
Signatures
Imminent RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
"C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe"
C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
"C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | solarintel.linkpc.net | udp |
| US | 8.8.8.8:53 | solarintel.linkpc.net | udp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
| US | 192.254.74.210:9009 | solarintel.linkpc.net | tcp |
Files
memory/1540-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
memory/1540-55-0x0000000074C30000-0x00000000751DB000-memory.dmp
memory/1540-56-0x0000000074C30000-0x00000000751DB000-memory.dmp
\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
| MD5 | 4766270285f7bb69b2a93214c650f152 |
| SHA1 | 8a9ddce8c3ca9674adb69af3930a7424cfde9553 |
| SHA256 | 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638 |
| SHA512 | 80b4d81c45c07b96226109a52c476ba4370377dc20609a274baae75659f72fc962df0b451d1e838a0b13df34a32c62f051225e77a79695055831a0e02148900d |
\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
| MD5 | 4766270285f7bb69b2a93214c650f152 |
| SHA1 | 8a9ddce8c3ca9674adb69af3930a7424cfde9553 |
| SHA256 | 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638 |
| SHA512 | 80b4d81c45c07b96226109a52c476ba4370377dc20609a274baae75659f72fc962df0b451d1e838a0b13df34a32c62f051225e77a79695055831a0e02148900d |
memory/1228-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
| MD5 | 4766270285f7bb69b2a93214c650f152 |
| SHA1 | 8a9ddce8c3ca9674adb69af3930a7424cfde9553 |
| SHA256 | 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638 |
| SHA512 | 80b4d81c45c07b96226109a52c476ba4370377dc20609a274baae75659f72fc962df0b451d1e838a0b13df34a32c62f051225e77a79695055831a0e02148900d |
C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
| MD5 | 4766270285f7bb69b2a93214c650f152 |
| SHA1 | 8a9ddce8c3ca9674adb69af3930a7424cfde9553 |
| SHA256 | 5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638 |
| SHA512 | 80b4d81c45c07b96226109a52c476ba4370377dc20609a274baae75659f72fc962df0b451d1e838a0b13df34a32c62f051225e77a79695055831a0e02148900d |
memory/548-63-0x0000000000000000-mapping.dmp
memory/1660-64-0x0000000000000000-mapping.dmp
memory/1540-65-0x0000000074C30000-0x00000000751DB000-memory.dmp
memory/1228-66-0x0000000074C30000-0x00000000751DB000-memory.dmp
memory/1228-67-0x0000000074C30000-0x00000000751DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-31 23:57
Reported
2022-08-01 03:50
Platform
win10v2004-20220722-en
Max time kernel
144s
Max time network
160s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe
"C:\Users\Admin\AppData\Local\Temp\5d4d3f7daf91ec1aa660497ee91bbd5a2c363f613b7d965189dace271a244638.exe"
Network
| Country | Destination | Domain | Proto |
| US | 104.208.16.90:443 | tcp | |
| US | 8.253.225.254:80 | tcp | |
| US | 8.253.225.254:80 | tcp | |
| US | 8.253.225.254:80 | tcp | |
| US | 8.253.225.254:80 | tcp |
Files
memory/4668-135-0x0000000074B50000-0x0000000075101000-memory.dmp
memory/4668-136-0x0000000074B50000-0x0000000075101000-memory.dmp