runningrat | ef03a58568ec094636fe33261e1fafbb6aa77125be68c3615da4823abba198d8

General

Target

af9faa36dfa99d285a266bc0f11d6436.exe
Size

100KB
MD5

af9faa36dfa99d285a266bc0f11d6436
SHA1

78cdd663c8a7fafdedf787aa56ada343dae051ce
SHA256

ef03a58568ec094636fe33261e1fafbb6aa77125be68c3615da4823abba198d8
SHA512

ed8a80b6994f6dc4702de6568b84e9fc7b344e00dddfd4def847dcbb852ef8b295a3979aae20e5601c302ef5af180d095600e791ba95bf973ed24e854edab304

Score

10^/10

runningrat persistence rat

Malware Config

Signatures

RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat
Executes dropped EXE 1 IoCs

Processes:

enterprise.exe

pid process

3620 enterprise.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 3 IoCs

Processes:

af9faa36dfa99d285a266bc0f11d6436.exesvchost.exeenterprise.exe

pid process

3160 af9faa36dfa99d285a266bc0f11d6436.exe
888 svchost.exe
3620 enterprise.exe

pid	process
3620	enterprise.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\enterprise.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\enterprise.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

enterprise.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	enterprise.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	enterprise.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

enterprise.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	enterprise.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	enterprise.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	enterprise.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	enterprise.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	enterprise.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2820 PING.EXE

pid	process
2820	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

af9faa36dfa99d285a266bc0f11d6436.exeenterprise.exe

pid	process
3160	af9faa36dfa99d285a266bc0f11d6436.exe
3160	af9faa36dfa99d285a266bc0f11d6436.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe
3620	enterprise.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

af9faa36dfa99d285a266bc0f11d6436.exe

description pid process

Token: SeIncBasePriorityPrivilege 3160 af9faa36dfa99d285a266bc0f11d6436.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

af9faa36dfa99d285a266bc0f11d6436.exe

pid process

3160 af9faa36dfa99d285a266bc0f11d6436.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3160	af9faa36dfa99d285a266bc0f11d6436.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

af9faa36dfa99d285a266bc0f11d6436.execmd.exesvchost.exe

description	pid	process	target process
PID 3160 wrote to memory of 2456	3160	af9faa36dfa99d285a266bc0f11d6436.exe	cmd.exe
PID 3160 wrote to memory of 2456	3160	af9faa36dfa99d285a266bc0f11d6436.exe	cmd.exe
PID 3160 wrote to memory of 2456	3160	af9faa36dfa99d285a266bc0f11d6436.exe	cmd.exe
PID 2456 wrote to memory of 2820	2456	cmd.exe	PING.EXE
PID 2456 wrote to memory of 2820	2456	cmd.exe	PING.EXE
PID 2456 wrote to memory of 2820	2456	cmd.exe	PING.EXE
PID 888 wrote to memory of 3620	888	svchost.exe	enterprise.exe
PID 888 wrote to memory of 3620	888	svchost.exe	enterprise.exe
PID 888 wrote to memory of 3620	888	svchost.exe	enterprise.exe

C:\Users\Admin\AppData\Local\Temp\af9faa36dfa99d285a266bc0f11d6436.exe
"C:\Users\Admin\AppData\Local\Temp\af9faa36dfa99d285a266bc0f11d6436.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\af9faa36dfa99d285a266bc0f11d6436.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:2820

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "enterprise"
1⤵
PID:804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "enterprise"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\SysWOW64\enterprise.exe
  C:\Windows\system32\enterprise.exe "c:\users\admin\appdata\local\temp\259272203.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\enterprise.exe

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Windows\SysWOW64\enterprise.exe

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
\??\c:\users\admin\appdata\local\temp\259272203.dll

MD5
622c94f347f35df0f59e152c274a37ec

SHA1
230e53e15e8907b2c4cb7df751b0f5c651dcfe71

SHA256
b9e7a68c7c3ca0a0e2665e7752f077d9b328eadf4428cf0d6d66cd3e0b92a3d1

SHA512
c493f18c27d8576c181b71ecbcbcf95cb9252c6e8b87775fcb0a0082d96ce310aa574946a8b6ddf3cc39ba4834020ccceca4ce96d68e33d6568cc3b04035a7cc

Download Submit
\Users\Admin\AppData\Local\Temp\259272203.dll

MD5
622c94f347f35df0f59e152c274a37ec

SHA1
230e53e15e8907b2c4cb7df751b0f5c651dcfe71

SHA256
b9e7a68c7c3ca0a0e2665e7752f077d9b328eadf4428cf0d6d66cd3e0b92a3d1

SHA512
c493f18c27d8576c181b71ecbcbcf95cb9252c6e8b87775fcb0a0082d96ce310aa574946a8b6ddf3cc39ba4834020ccceca4ce96d68e33d6568cc3b04035a7cc

Download Submit
\Users\Admin\AppData\Local\Temp\259272203.dll

MD5
622c94f347f35df0f59e152c274a37ec

SHA1
230e53e15e8907b2c4cb7df751b0f5c651dcfe71

SHA256
b9e7a68c7c3ca0a0e2665e7752f077d9b328eadf4428cf0d6d66cd3e0b92a3d1

SHA512
c493f18c27d8576c181b71ecbcbcf95cb9252c6e8b87775fcb0a0082d96ce310aa574946a8b6ddf3cc39ba4834020ccceca4ce96d68e33d6568cc3b04035a7cc

Download Submit
\Users\Admin\AppData\Local\Temp\259272203.dll

MD5
622c94f347f35df0f59e152c274a37ec

SHA1
230e53e15e8907b2c4cb7df751b0f5c651dcfe71

SHA256
b9e7a68c7c3ca0a0e2665e7752f077d9b328eadf4428cf0d6d66cd3e0b92a3d1

SHA512
c493f18c27d8576c181b71ecbcbcf95cb9252c6e8b87775fcb0a0082d96ce310aa574946a8b6ddf3cc39ba4834020ccceca4ce96d68e33d6568cc3b04035a7cc

Download Submit
memory/2456-5-0x0000000000000000-mapping.dmp

Download
memory/2820-6-0x0000000000000000-mapping.dmp

Download
memory/3620-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads