Analysis Overview
SHA256
cb042a1253d6619982a9d42cf4a868282079974731caf8b2f4f505f8ae1debd1
Threat Level: Known bad
The file cb042a1253d6619982a9d42cf4a868282079974731caf8b2f4f505f8ae1debd1 was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-24 05:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-24 05:07
Reported
2022-10-24 05:07
Platform
win7-20220812-en
Max time kernel
9s
Max time network
6s
Command Line
Signatures
Imminent RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDLLAARFHKbd.lnk | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\pic2347.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\pic2347.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1396 set thread context of 1740 | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pic2347.exe
"C:\Users\Admin\AppData\Local\Temp\pic2347.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
C:\Users\Admin\AppData\Roaming\PGAh.exe
"C:\Users\Admin\AppData\Roaming\PGAh.exe" "C:\Users\Admin\AppData\Roaming\PGAhA.au3"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aboja.duckdns.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
| MD5 | 71862df435a8a4560d18ffa2c804a206 |
| SHA1 | c6ecec74e8258522278ccf7f65fc3acde09b53d1 |
| SHA256 | b31163134bfb15cd6d484e8f24b8926e7491ec3e59b45e3f395d63e9059d2c27 |
| SHA512 | c87370a41065036513c0dd159b9c2223a8f7a1c60bbc672fa9a8729cd886c45729284d928164783aff33ae2de3ca7fc5ab51bb019cc5319772ee2cefa2f7746c |
memory/1960-54-0x0000000000000000-mapping.dmp
memory/1960-56-0x0000000076321000-0x0000000076323000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
| MD5 | 71862df435a8a4560d18ffa2c804a206 |
| SHA1 | c6ecec74e8258522278ccf7f65fc3acde09b53d1 |
| SHA256 | b31163134bfb15cd6d484e8f24b8926e7491ec3e59b45e3f395d63e9059d2c27 |
| SHA512 | c87370a41065036513c0dd159b9c2223a8f7a1c60bbc672fa9a8729cd886c45729284d928164783aff33ae2de3ca7fc5ab51bb019cc5319772ee2cefa2f7746c |
\Users\Admin\AppData\Roaming\PGAh.exe
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
memory/1396-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PGAhA.au3
| MD5 | 4d5824752390f37c6a9abe3bfe3fd288 |
| SHA1 | abbc37a4b691e7f8f27b01195f9b1a917c133f2f |
| SHA256 | 8eee91f8fde74863178bcb872073642adbde5b2a272674479171d2d8cb383529 |
| SHA512 | 3fbee004ebf74d10513cf964841fd6be6477718178224d28ddd38c442303cf5feff57002643a5e0200f4a5e8c1756739d0714091a46a1d8468efa53fe5e70fce |
C:\Users\Admin\AppData\Roaming\PGAh.exe
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
memory/1740-63-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-65-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-66-0x000000000014F8EE-mapping.dmp
C:\Users\Admin\AppData\Roaming\PGAh.exe
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
memory/1740-69-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-71-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-72-0x0000000000480000-0x00000000004A8000-memory.dmp
memory/1740-74-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-75-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-76-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-77-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-79-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-78-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-80-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-82-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-84-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-85-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-88-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-91-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-90-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-93-0x00000000000E0000-0x0000000000154000-memory.dmp
memory/1740-95-0x00000000006C0000-0x00000000006D6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-24 05:07
Reported
2022-10-24 05:07
Platform
win10v2004-20220812-en
Max time kernel
9s
Max time network
11s
Command Line
Signatures
Imminent RAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IDLLAARFHKbd.lnk | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\pic2347.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\pic2347.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3108 set thread context of 1224 | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\PGAh.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pic2347.exe
"C:\Users\Admin\AppData\Local\Temp\pic2347.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
C:\Users\Admin\AppData\Roaming\PGAh.exe
"C:\Users\Admin\AppData\Roaming\PGAh.exe" "C:\Users\Admin\AppData\Roaming\PGAhA.au3"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
0
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | tcp | |
| US | 8.8.8.8:53 | aboja.duckdns.org | udp |
Files
memory/4916-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
| MD5 | 71862df435a8a4560d18ffa2c804a206 |
| SHA1 | c6ecec74e8258522278ccf7f65fc3acde09b53d1 |
| SHA256 | b31163134bfb15cd6d484e8f24b8926e7491ec3e59b45e3f395d63e9059d2c27 |
| SHA512 | c87370a41065036513c0dd159b9c2223a8f7a1c60bbc672fa9a8729cd886c45729284d928164783aff33ae2de3ca7fc5ab51bb019cc5319772ee2cefa2f7746c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COCCAQ~1.EXE
| MD5 | 71862df435a8a4560d18ffa2c804a206 |
| SHA1 | c6ecec74e8258522278ccf7f65fc3acde09b53d1 |
| SHA256 | b31163134bfb15cd6d484e8f24b8926e7491ec3e59b45e3f395d63e9059d2c27 |
| SHA512 | c87370a41065036513c0dd159b9c2223a8f7a1c60bbc672fa9a8729cd886c45729284d928164783aff33ae2de3ca7fc5ab51bb019cc5319772ee2cefa2f7746c |
C:\Users\Admin\AppData\Roaming\PGAh.exe
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
memory/3108-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\PGAhA.au3
| MD5 | 4d5824752390f37c6a9abe3bfe3fd288 |
| SHA1 | abbc37a4b691e7f8f27b01195f9b1a917c133f2f |
| SHA256 | 8eee91f8fde74863178bcb872073642adbde5b2a272674479171d2d8cb383529 |
| SHA512 | 3fbee004ebf74d10513cf964841fd6be6477718178224d28ddd38c442303cf5feff57002643a5e0200f4a5e8c1756739d0714091a46a1d8468efa53fe5e70fce |
memory/1224-138-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-139-0x000000000047F8EE-mapping.dmp
C:\Users\Admin\AppData\Roaming\PGAh.exe
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
memory/1224-142-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-143-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-145-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-144-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-147-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-148-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-146-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-150-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-152-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-153-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-156-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-158-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-159-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-161-0x0000000000410000-0x0000000000484000-memory.dmp
memory/1224-162-0x0000000009340000-0x00000000093DC000-memory.dmp
memory/1224-163-0x0000000009990000-0x0000000009F34000-memory.dmp
memory/1224-164-0x00000000057F0000-0x0000000005882000-memory.dmp
memory/1224-165-0x00000000057A0000-0x00000000057AA000-memory.dmp