Analysis Overview
SHA256
e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e
Threat Level: Known bad
The file e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Checks computer location settings
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-29 14:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-29 14:42
Reported
2022-10-29 20:31
Platform
win7-20220812-en
Max time kernel
132s
Max time network
181s
Command Line
Signatures
Imminent RAT
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe" | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1912 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe
"C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe"
\??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
"c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | steamgreenlight.duckdns.org | udp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| US | 8.8.8.8:53 | steamgreenlight.duckdns.org | udp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
Files
memory/1912-54-0x0000000076031000-0x0000000076033000-memory.dmp
memory/1596-55-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1596-56-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1596-58-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1596-59-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1596-60-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1596-61-0x000000000044563E-mapping.dmp
memory/1596-63-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1596-65-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1560-67-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs
| MD5 | f03812089f155d3e548e470fcf70f8d7 |
| SHA1 | a3668fcead6b9079c4962ffbec8ea81fb8120d48 |
| SHA256 | 9c0cfffb385fb4d93f81b0f1fa599545900328a6b948eba2a7f35acfba2cd5a2 |
| SHA512 | 1fa023f31178cb63208dfb9b098fc664ef0628c987c92c7c209a5dcf8af66253d9ce8720fe9af64d4b61159353056266ea3e5eb3842396806200164c61cd6e46 |
memory/1668-70-0x0000000000000000-mapping.dmp
memory/1912-71-0x0000000074360000-0x000000007490B000-memory.dmp
memory/1596-72-0x0000000074360000-0x000000007490B000-memory.dmp
memory/1912-74-0x0000000074360000-0x000000007490B000-memory.dmp
memory/1596-75-0x0000000074360000-0x000000007490B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-29 14:42
Reported
2022-10-29 20:31
Platform
win10v2004-20220812-en
Max time kernel
158s
Max time network
185s
Command Line
Signatures
Imminent RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 552 set thread context of 4916 | N/A | C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe
"C:\Users\Admin\AppData\Local\Temp\e481d4881a3189a1f38ed1a1d5de98c177004f94896c1780f0c5dbf3d6675f4e.exe"
\??\c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe
"c:\windows\microsoft.net\framework\v2.0.50727\CasPol.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs"
Network
| Country | Destination | Domain | Proto |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | steamgreenlight.duckdns.org | udp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| NL | 52.178.17.3:443 | tcp | |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| NL | 178.79.208.1:80 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamgreenlight.duckdns.org | udp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| US | 8.8.8.8:53 | a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
| US | 8.8.8.8:53 | steamgreenlight.duckdns.org | udp |
| CA | 173.32.221.176:9004 | steamgreenlight.duckdns.org | tcp |
Files
memory/552-132-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/4916-133-0x0000000000000000-mapping.dmp
memory/4916-134-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1312-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\fuckyounod32.vbs
| MD5 | f03812089f155d3e548e470fcf70f8d7 |
| SHA1 | a3668fcead6b9079c4962ffbec8ea81fb8120d48 |
| SHA256 | 9c0cfffb385fb4d93f81b0f1fa599545900328a6b948eba2a7f35acfba2cd5a2 |
| SHA512 | 1fa023f31178cb63208dfb9b098fc664ef0628c987c92c7c209a5dcf8af66253d9ce8720fe9af64d4b61159353056266ea3e5eb3842396806200164c61cd6e46 |
memory/3008-137-0x0000000000000000-mapping.dmp
memory/4916-138-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/552-139-0x00000000750D0000-0x0000000075681000-memory.dmp
memory/4916-140-0x00000000750D0000-0x0000000075681000-memory.dmp