08d49d88c70b139a00f9eb87de734644.exe

General

Target: 08d49d88c70b139a00f9eb87de734644.exe
Filesize: 100KB
Completed: 27-12-2020 07:42
Score: 10/10
MD5: 08d49d88c70b139a00f9eb87de734644
SHA1: 1624a339f5bdfd5f166c211b5d4f06ab489cd406
SHA256: 9b1367b0da26125af6946a108e9e657c373ad4e25be8e9a9eaa3a29adf6c95d9

Malware Config
Signatures 14

  • RunningRat

    Description

    RunningRat is a remote access trojan first seen in 2018.

  • Executes dropped EXE
    enterprise.exe

    Reported IOCs

    PID   Process
    1340  enterprise.exe
  • Sets DLL path for service in the registry

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Deletes itself
    cmd.exe

    Reported IOCs

    PID   Process
    1448  cmd.exe
  • Loads dropped DLL
    08d49d88c70b139a00f9eb87de734644.exe, svchost.exe, enterprise.exe

    Reported IOCs

    PID   Process
    1048  08d49d88c70b139a00f9eb87de734644.exe
    1104  svchost.exe
    1340  enterprise.exe
  • Drops file in System32 directory
    svchost.exe

    Reported IOCs

    Description                    IOC                                   Process
    File opened for modification   C:\Windows\SysWOW64\enterprise.exe    svchost.exe
    File created                   C:\Windows\SysWOW64\enterprise.exe    svchost.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    enterprise.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry
    System Information Discovery

    Reported IOCs

    Description         IOC                                                                    Process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       enterprise.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  enterprise.exe
  • Modifies data under HKEY_USERS
    enterprise.exe

    Reported IOCs

    Description       IOC                                                                     Process
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum          enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software                                        enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                              enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie                  enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum          enterprise.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"   enterprise.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    PID   Process
    1976  PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    08d49d88c70b139a00f9eb87de734644.exe, enterprise.exe

    Reported IOCs

    PID   Process
    1048  08d49d88c70b139a00f9eb87de734644.exe
    1340  enterprise.exe (this entry is reported repeatedly in the original)
  • Suspicious use of AdjustPrivilegeToken
    08d49d88c70b139a00f9eb87de734644.exe

    Reported IOCs

    Description                         PID   Process
    Token: SeIncBasePriorityPrivilege   1048  08d49d88c70b139a00f9eb87de734644.exe
  • Suspicious use of SetWindowsHookEx
    08d49d88c70b139a00f9eb87de734644.exe

    Reported IOCs

    PID   Process
    1048  08d49d88c70b139a00f9eb87de734644.exe
  • Suspicious use of WriteProcessMemory
    08d49d88c70b139a00f9eb87de734644.exe, cmd.exe, svchost.exe

    Reported IOCs

    Description                         PID   Process                                Target process
    PID 1048 wrote to memory of 1448    1048  08d49d88c70b139a00f9eb87de734644.exe   cmd.exe
    PID 1448 wrote to memory of 1976    1448  cmd.exe                                PING.EXE
    PID 1104 wrote to memory of 1340    1104  svchost.exe                            enterprise.exe
    (each of these entries is reported several times in the original)
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe
    "C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe"
    Loads dropped DLL
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        Runs ping.exe
        PID:1976
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "enterprise"
    PID:2040
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "enterprise"
    Loads dropped DLL
    Drops file in System32 directory
    Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\enterprise.exe
      C:\Windows\system32\enterprise.exe "c:\users\admin\appdata\local\temp\259273911.dll",MainThread
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:1340
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Windows\SysWOW64\enterprise.exe
    MD5: 51138beea3e2c21ec44d0932c71762a8
    SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
    SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
    SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

  • \??\c:\users\admin\appdata\local\temp\259273911.dll
    MD5: 7c65ebad78610be557889d4905f5d991
    SHA1: bfd2d6b61db89ed0d3a136dbe4907f1829723675
    SHA256: 330a8b58d0ee174ba5c054a2ed0faa4323b1a2ec0057312c60db29c82c1fc2dc
    SHA512: 9dacbdcae73a15e6758a85d6d4597186a3b3401565df8cbc30e0227265a1ceee6e319c97a01b3471ae816e664647816a7a79e3e52c76dcbbb929a1c7a46551d6

  • memory/1340-8-0x0000000000000000-mapping.dmp
  • memory/1448-5-0x0000000000000000-mapping.dmp
  • memory/1976-6-0x0000000000000000-mapping.dmp