Analysis Overview
SHA256
a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527
Threat Level: Known bad
The file a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-04 01:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-04 01:34
Reported
2022-10-04 04:28
Platform
win7-20220812-en
Max time kernel
153s
Max time network
50s
Command Line
Signatures
Imminent RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\notepad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\RoamingRealmPlayer.exe | N/A |
| N/A | N/A | C:\Windows\temp\notepad.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A |
| N/A | N/A | C:\Windows\temp\notepad.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1012 set thread context of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | C:\Windows\temp\notepad.exe |
| PID 1388 set thread context of 1032 | N/A | C:\Windows\temp\notepad.exe | C:\Windows\temp\notepad.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\notepad.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\temp\notepad.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\temp\notepad.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe
"C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"
C:\Windows\temp\notepad.exe
C:\Windows\temp\notepad.exe
C:\Users\Admin\AppData\RoamingRealmPlayer.exe
"C:\Users\Admin\AppData\RoamingRealmPlayer.exe"
C:\Windows\temp\notepad.exe
"C:\Windows\temp\notepad.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 412
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jewmeister.ddns.net | udp |
Files
memory/1012-54-0x00000000763F1000-0x00000000763F3000-memory.dmp
\Windows\Temp\notepad.exe
| MD5 | 278edbd499374bf73621f8c1f969d894 |
| SHA1 | a81170af14747781c5f5f51bb1215893136f0bc0 |
| SHA256 | c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391 |
| SHA512 | 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9 |
C:\Windows\Temp\notepad.exe
| MD5 | 278edbd499374bf73621f8c1f969d894 |
| SHA1 | a81170af14747781c5f5f51bb1215893136f0bc0 |
| SHA256 | c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391 |
| SHA512 | 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9 |
C:\Windows\temp\notepad.exe
| MD5 | 278edbd499374bf73621f8c1f969d894 |
| SHA1 | a81170af14747781c5f5f51bb1215893136f0bc0 |
| SHA256 | c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391 |
| SHA512 | 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9 |
memory/1012-70-0x0000000074AD0000-0x000000007507B000-memory.dmp
memory/1388-71-0x0000000074AD0000-0x000000007507B000-memory.dmp
\Users\Admin\AppData\RoamingRealmPlayer.exe
| MD5 | 7a607550e6bcafcf6024216d4a12162c |
| SHA1 | 849336bc7b847fd35311a921eaa5eb7b7e051542 |
| SHA256 | 5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb |
| SHA512 | f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4 |
memory/1588-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\RoamingRealmPlayer.exe
| MD5 | 7a607550e6bcafcf6024216d4a12162c |
| SHA1 | 849336bc7b847fd35311a921eaa5eb7b7e051542 |
| SHA256 | 5ea1edafff5ffc11f9b8cf1cdf8a821d5e41957ce5c0aab0e4afb206b34354fb |
| SHA512 | f4e38fb50d438bce094aec8d36c8c189b62687ac46d9b5d0d94c96658bfaa4e08a013dd0222dc63343c42fbc178ecb3705d89392f709de153c0647452baeaaf4 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-04 01:34
Reported
2022-10-04 04:28
Platform
win10v2004-20220812-en
Max time kernel
120s
Max time network
175s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1216 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | C:\Windows\temp\notepad.exe |
| PID 1216 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | C:\Windows\temp\notepad.exe |
| PID 1216 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe | C:\Windows\temp\notepad.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe
"C:\Users\Admin\AppData\Local\Temp\a676679900ff963e2ded9142c0f095842c2ec11b807cce2b595af1a797cdf527.exe"
C:\Windows\temp\notepad.exe
C:\Windows\temp\notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 52.168.112.66:443 | N/A | tcp |
| US | 8.252.51.254:80 | N/A | tcp |
| NL | 104.80.225.205:443 | N/A | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | N/A | tcp |
Files
memory/1216-132-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/4944-133-0x0000000000000000-mapping.dmp
memory/1216-134-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/1216-135-0x0000000074EC0000-0x0000000075471000-memory.dmp