runningrat | 9b1367b0da26125af6946a108e9e657c373ad4e25be8e9a9eaa3a29adf6c95d9

General

Target

08d49d88c70b139a00f9eb87de734644.exe
Size

100KB
MD5

08d49d88c70b139a00f9eb87de734644
SHA1

1624a339f5bdfd5f166c211b5d4f06ab489cd406
SHA256

9b1367b0da26125af6946a108e9e657c373ad4e25be8e9a9eaa3a29adf6c95d9
SHA512

ae06bff8cd9f6d8a0cd07da540122d6bfb26c7061c7a2f3d6d1cf5b547ee73e67a321ac6600016e5c2ae3c8c599533442930454f8ac180696fd6ce5f9b0e7cb4

Score

10^/10

runningrat persistence rat

Malware Config

Signatures

RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat
Executes dropped EXE 1 IoCs

Processes:

enterprise.exe

pid process

2644 enterprise.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 3 IoCs

Processes:

08d49d88c70b139a00f9eb87de734644.exesvchost.exeenterprise.exe

pid process

4068 08d49d88c70b139a00f9eb87de734644.exe
2040 svchost.exe
2644 enterprise.exe

pid	process
2644	enterprise.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\enterprise.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\enterprise.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

enterprise.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	enterprise.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	enterprise.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

enterprise.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	enterprise.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	enterprise.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	enterprise.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	enterprise.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	enterprise.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2660 PING.EXE

pid	process
2660	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

08d49d88c70b139a00f9eb87de734644.exeenterprise.exe

pid	process
4068	08d49d88c70b139a00f9eb87de734644.exe
4068	08d49d88c70b139a00f9eb87de734644.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe
2644	enterprise.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

08d49d88c70b139a00f9eb87de734644.exe

description pid process

Token: SeIncBasePriorityPrivilege 4068 08d49d88c70b139a00f9eb87de734644.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

08d49d88c70b139a00f9eb87de734644.exe

pid process

4068 08d49d88c70b139a00f9eb87de734644.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4068	08d49d88c70b139a00f9eb87de734644.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

08d49d88c70b139a00f9eb87de734644.execmd.exesvchost.exe

description	pid	process	target process
PID 4068 wrote to memory of 2516	4068	08d49d88c70b139a00f9eb87de734644.exe	cmd.exe
PID 4068 wrote to memory of 2516	4068	08d49d88c70b139a00f9eb87de734644.exe	cmd.exe
PID 4068 wrote to memory of 2516	4068	08d49d88c70b139a00f9eb87de734644.exe	cmd.exe
PID 2516 wrote to memory of 2660	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2660	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2660	2516	cmd.exe	PING.EXE
PID 2040 wrote to memory of 2644	2040	svchost.exe	enterprise.exe
PID 2040 wrote to memory of 2644	2040	svchost.exe	enterprise.exe
PID 2040 wrote to memory of 2644	2040	svchost.exe	enterprise.exe

C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe
"C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:2660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "enterprise"
1⤵
PID:1664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "enterprise"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\enterprise.exe
  C:\Windows\system32\enterprise.exe "c:\users\admin\appdata\local\temp\259273062.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\enterprise.exe

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Windows\SysWOW64\enterprise.exe

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
\??\c:\users\admin\appdata\local\temp\259273062.dll

MD5
7c65ebad78610be557889d4905f5d991

SHA1
bfd2d6b61db89ed0d3a136dbe4907f1829723675

SHA256
330a8b58d0ee174ba5c054a2ed0faa4323b1a2ec0057312c60db29c82c1fc2dc

SHA512
9dacbdcae73a15e6758a85d6d4597186a3b3401565df8cbc30e0227265a1ceee6e319c97a01b3471ae816e664647816a7a79e3e52c76dcbbb929a1c7a46551d6

Download Submit
\Users\Admin\AppData\Local\Temp\259273062.dll

MD5
7c65ebad78610be557889d4905f5d991

SHA1
bfd2d6b61db89ed0d3a136dbe4907f1829723675

SHA256
330a8b58d0ee174ba5c054a2ed0faa4323b1a2ec0057312c60db29c82c1fc2dc

SHA512
9dacbdcae73a15e6758a85d6d4597186a3b3401565df8cbc30e0227265a1ceee6e319c97a01b3471ae816e664647816a7a79e3e52c76dcbbb929a1c7a46551d6

Download Submit
\Users\Admin\AppData\Local\Temp\259273062.dll

MD5
7c65ebad78610be557889d4905f5d991

SHA1
bfd2d6b61db89ed0d3a136dbe4907f1829723675

SHA256
330a8b58d0ee174ba5c054a2ed0faa4323b1a2ec0057312c60db29c82c1fc2dc

SHA512
9dacbdcae73a15e6758a85d6d4597186a3b3401565df8cbc30e0227265a1ceee6e319c97a01b3471ae816e664647816a7a79e3e52c76dcbbb929a1c7a46551d6

Download Submit
\Users\Admin\AppData\Local\Temp\259273062.dll

MD5
7c65ebad78610be557889d4905f5d991

SHA1
bfd2d6b61db89ed0d3a136dbe4907f1829723675

SHA256
330a8b58d0ee174ba5c054a2ed0faa4323b1a2ec0057312c60db29c82c1fc2dc

SHA512
9dacbdcae73a15e6758a85d6d4597186a3b3401565df8cbc30e0227265a1ceee6e319c97a01b3471ae816e664647816a7a79e3e52c76dcbbb929a1c7a46551d6

Download Submit
memory/2516-5-0x0000000000000000-mapping.dmp

Download
memory/2644-7-0x0000000000000000-mapping.dmp

Download
memory/2660-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads