08d49d88c70b139a00f9eb87de734644.exe

General
Target

08d49d88c70b139a00f9eb87de734644.exe

Filesize

100KB

Completed

27-12-2020 07:42

Score
10 /10
MD5

08d49d88c70b139a00f9eb87de734644

SHA1

1624a339f5bdfd5f166c211b5d4f06ab489cd406

SHA256

9b1367b0da26125af6946a108e9e657c373ad4e25be8e9a9eaa3a29adf6c95d9

Malware Config
Signatures 13

Tactics: Defense Evasion, Discovery, Persistence
  • RunningRat

    Description

    RunningRat is a remote access trojan first seen in 2018.

  • Executes dropped EXE
    enterprise.exe

    Reported IOCs

    pid   process
    2644  enterprise.exe
  • Sets DLL path for service in the registry

    Description

    A service hosted by svchost.exe is defined by an ImagePath of the form svchost.exe -k <group>, the DLL named in Services\<service>\Parameters\ServiceDll, and a group entry under Windows NT\CurrentVersion\Svchost. The group "enterprise" used by the two svchost.exe instances in the process tree below is not a standard Windows service group, which is what makes this write worth hunting for on other hosts.

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Loads dropped DLL
    08d49d88c70b139a00f9eb87de734644.exe, svchost.exe, enterprise.exe

    Reported IOCs

    pid   process
    4068  08d49d88c70b139a00f9eb87de734644.exe
    2040  svchost.exe
    2644  enterprise.exe
  • Drops file in System32 directory
    svchost.exe

    Reported IOCs

    description                    ioc                                  process
    File created                   C:\Windows\SysWOW64\enterprise.exe   svchost.exe
    File opened for modification   C:\Windows\SysWOW64\enterprise.exe   svchost.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description tags this as likely ransomware behaviour, but drive enumeration is just as common in remote access trojans profiling the host, which is the better reading for a RunningRat sample.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    enterprise.exe

    Description

    The ~MHz value under CentralProcessor\0 holds the nominal CPU clock speed. Malware reads it because virtual machines and emulators often report implausible or missing values, so it serves as a cheap sandbox check; legitimate diagnostic software reads the same key, so treat it as supporting rather than conclusive evidence.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description         ioc                                                                     process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        enterprise.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   enterprise.exe
  • Modifies data under HKEY_USERS
    enterprise.exe

    Description

    Writes under HKEY_USERS\.DEFAULT rather than a logged-on user's hive typically indicate a process running as LocalSystem, which fits enterprise.exe being spawned by the svchost.exe service host. The ActiveMovie\devenum\Version value is created by DirectShow's system device enumerator (devenum.dll) when a process enumerates capture devices, so this is a side effect of device enumeration (for example webcam or microphone discovery) rather than a persistence write.

    Reported IOCs

    description       ioc                                                                         process
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum                enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software                                              enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft                                    enterprise.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                        enterprise.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid   process
    2660  PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    08d49d88c70b139a00f9eb87de734644.exe, enterprise.exe

    Reported IOCs

    pid   process                                 events
    4068  08d49d88c70b139a00f9eb87de734644.exe    2
    2644  enterprise.exe                          62
  • Suspicious use of AdjustPrivilegeToken
    08d49d88c70b139a00f9eb87de734644.exe

    Reported IOCs

    description                         pid   process
    Token: SeIncBasePriorityPrivilege   4068  08d49d88c70b139a00f9eb87de734644.exe
  • Suspicious use of SetWindowsHookEx
    08d49d88c70b139a00f9eb87de734644.exe

    Reported IOCs

    pid   process
    4068  08d49d88c70b139a00f9eb87de734644.exe
  • Suspicious use of WriteProcessMemory
    08d49d88c70b139a00f9eb87de734644.exe, cmd.exe, svchost.exe

    Description

    Every write listed here targets a process that the writer had just created (compare the parent/child pairs under Processes). A parent writing into its new child during start-up is also produced by ordinary CreateProcess, so these events on their own do not establish code injection; a write into an unrelated, pre-existing process would be the stronger signal.

    Reported IOCs

    description                        pid   process                                 target process   events
    PID 4068 wrote to memory of 2516   4068  08d49d88c70b139a00f9eb87de734644.exe    cmd.exe          3
    PID 2516 wrote to memory of 2660   2516  cmd.exe                                 PING.EXE         3
    PID 2040 wrote to memory of 2644   2040  svchost.exe                             enterprise.exe   3
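Hunting for the service-DLL persistence flagged under "Sets DLL path for service in the registry" comes down to three registry writes: a new group name under Windows NT\CurrentVersion\Svchost, a service ImagePath that hands the service to svchost.exe -k <group>, and a Parameters\ServiceDll value. The Python below is an added example, not code from this report or from the sandbox that produced it. It reads registry set-value events in the same `Set value (type)\REGISTRY\... = "data"` form the IOC tables above use and flags a group outside a baseline, an ImagePath using such a group, and a ServiceDll outside System32/SysWOW64. The baseline group list, the benign wuauserv lines and the `C:\ProgramData\enterprise\svc.dll` path are constructed for illustration; the report shows only that the sample wrote a service DLL path, not which keys it touched.

```python
import re
from typing import List, Optional, Tuple

# Service groups svchost.exe hosts on a clean Windows install.
# ASSUMPTION: an illustrative subset; derive the real baseline from a known-good image.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "localservicenonetwork", "localservicenetworkrestricted",
    "localserviceandnoimpersonation", "localservicepeernet", "localsystemnetworkrestricted",
    "networkservice", "networkservicenetworkrestricted", "dcomlaunch", "rpcss", "netprofm",
    "wcssvc", "wersvcgroup", "swprv", "termsvcs", "imgsvc", "bthsvcs", "appmodel",
    "unistacksvcgroup", "clipboardsvcgroup", "appreadiness", "wbiosvcgroup", "smbsvcs",
}

# Directories a legitimate ServiceDll is expected to load from (lower-case prefixes).
TRUSTED_DLL_PREFIXES = (
    "%systemroot%\\system32\\", "\\systemroot\\system32\\", "c:\\windows\\system32\\",
    "%systemroot%\\syswow64\\", "c:\\windows\\syswow64\\",
)

# 'Set value (type)<key>\<name> = "<data>"', the shape used in this report's IOC tables.
RE_SET_VALUE = re.compile(r'^Set value \((\w+)\)(\\REGISTRY\\\S.*?) = "(.*)"$')
SERVICES = r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\"
RE_SVCHOST_GROUP = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\([^\\]+)$", re.I)
RE_SERVICE_DLL = re.compile(SERVICES + r"Parameters\\ServiceDll$", re.I)
RE_IMAGE_PATH = re.compile(SERVICES + r"ImagePath$", re.I)
RE_SVCHOST_K = re.compile(r'svchost\.exe"?\s+-k\s+"?([^"\s]+)', re.I)


def parse_set_value(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (type, key_and_value_name, data) for a Set value line, else None."""
    m = RE_SET_VALUE.match(line)
    return m.groups() if m else None


def dll_path_is_trusted(path: str) -> bool:
    """True when the ServiceDll path lives under System32/SysWOW64."""
    return path.strip().strip('"').lower().startswith(TRUSTED_DLL_PREFIXES)


def analyse_registry_events(lines: List[str]) -> List[str]:
    """Flag registry writes that register or re-point an svchost-hosted service."""
    alerts = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue  # 'Key created' / 'Key opened' lines carry no data to judge
        _, key, data = parsed
        m = RE_SVCHOST_GROUP.match(key)
        if m:
            if m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                alerts.append(f"new svchost service group registered: {m.group(1)!r} -> {data}")
            continue
        m = RE_IMAGE_PATH.match(key)
        if m:
            k = RE_SVCHOST_K.search(data)
            if k and k.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                alerts.append(f"service {m.group(1)!r} hosted by svchost.exe in unknown group {k.group(1)!r}")
            continue
        m = RE_SERVICE_DLL.match(key)
        if m and not dll_path_is_trusted(data):
            alerts.append(f"service {m.group(1)!r} ServiceDll points outside System32/SysWOW64: {data}")
    return alerts


# Constructed sample events in this report's IOC format. The first two mirror a benign
# Windows Update service; the rest are hypothetical writes for a service group named
# "enterprise" (the -k group seen in this run) with a DLL path chosen for illustration.
SAMPLE_EVENTS = [
    r'Set value (str)\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceDll = "%systemroot%\system32\wuaueng.dll"',
    r'Set value (str)\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath = "%systemroot%\system32\svchost.exe -k netsvcs"',
    r'Set value (str)\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\enterprise = "enterprise"',
    r'Set value (str)\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\enterprise\ImagePath = "%SystemRoot%\SysWOW64\svchost.exe -k enterprise"',
    r'Set value (str)\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\enterprise\Parameters\ServiceDll = "C:\ProgramData\enterprise\svc.dll"',
    r'Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\enterprise\Parameters',
]

if __name__ == "__main__":
    for alert in analyse_registry_events(SAMPLE_EVENTS):
        print(alert)
```

The ServiceDll check is deliberately a path allow-list rather than a hash check: a freshly dropped DLL has no reputation yet, but a service DLL under ProgramData, Temp or a user profile is anomalous regardless of its hash.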
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe
    "C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe"
    Loads dropped DLL
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe"
      Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        Runs ping.exe
        PID:2660
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "enterprise"
    PID:1664
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "enterprise"
    Loads dropped DLL
    Drops file in System32 directory
    Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\enterprise.exe
      C:\Windows\system32\enterprise.exe "c:\users\admin\appdata\local\temp\259273062.dll",MainThread
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2644
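The process tree above carries two patterns worth turning into detections. The sample spawns `cmd.exe /c ping 127.0.0.1 -n 1 && del /f/q "<its own path>"` so that the shell deletes the original executable once the one-second ping returns (Indicator Removal: File Deletion, T1070.004; the ping is only a sleep). Separately, the payload runs under `svchost.exe -k "enterprise"`, and a System32-resident loader is handed a DLL from the user's Temp directory in rundll32 style (`"<dll>",MainThread`). The following Python is an added example, not part of this report: it rebuilds the tree from constructed process-creation events modelled on the PIDs and command lines shown above (the parent PIDs of the two svchost.exe instances are not recorded on this page, so they are left unset) and flags the self-delete, the non-baseline service group and the user-writable DLL argument. The baseline group set is an illustrative assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


# svchost.exe service groups expected on a clean host.
# ASSUMPTION: illustrative subset; a real baseline comes from a known-good image.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "dcomlaunch", "rpcss",
                        "localsystemnetworkrestricted", "localservicenonetwork", "termsvcs"}
WINDOWS_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RE_SVCHOST_K = re.compile(r'svchost\.exe"?\s+-k\s+"?([^"\s]+)', re.I)
RE_DEL_TARGET = re.compile(r'\bdel\s+(?:/\S+\s+)*"?([^"&|]+?\.exe)"?', re.I)
RE_PING_SLEEP = re.compile(r'\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)', re.I)
RE_USER_DLL_ARG = re.compile(r'([a-z]:\\users\\[^"\s,]+?\.dll|%temp%\\[^"\s,]+?\.dll)', re.I)


def build_tree(events: List[dict]) -> Dict[int, Proc]:
    """Index process-creation events by pid and link each child to its parent."""
    procs = {e["pid"]: Proc(e["pid"], e.get("ppid"), e["image"], e["cmdline"]) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def analyse(procs: Dict[int, Proc]) -> List[str]:
    """Return one alert string per suspicious process, in event order."""
    alerts = []
    for p in procs.values():
        name = p.image.rsplit("\\", 1)[-1].lower()
        parent = procs.get(p.ppid) if p.ppid is not None else None

        # 1. cmd.exe deleting the image of the process that spawned it (the
        #    "ping 127.0.0.1 -n 1 && del" self-delete idiom; the ping is a sleep).
        if name == "cmd.exe" and parent is not None:
            m = RE_DEL_TARGET.search(p.cmdline)
            if m and m.group(1).strip().lower() == parent.image.lower():
                delay = " after ping-as-sleep" if RE_PING_SLEEP.search(p.cmdline) else ""
                alerts.append(f"pid {p.pid}: deletes parent {parent.pid} image {parent.image}{delay}")

        # 2. svchost.exe hosting a service group missing from the baseline.
        if name == "svchost.exe":
            m = RE_SVCHOST_K.search(p.cmdline)
            if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                alerts.append(f"pid {p.pid}: svchost.exe runs unknown service group {m.group(1)!r}")

        # 3. A System32/SysWOW64 binary handed a DLL that lives under a user profile,
        #    the rundll32-style "<dll>,<export>" loading seen for enterprise.exe.
        if p.image.lower().startswith(WINDOWS_BIN_DIRS):
            m = RE_USER_DLL_ARG.search(p.cmdline)
            if m:
                alerts.append(f"pid {p.pid}: {name} loads user-writable DLL {m.group(1)}")
    return alerts


# Constructed events modelled on the Processes section of this report. The two
# svchost.exe instances have no parent recorded on the page, so ppid is omitted.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\08d49d88c70b139a00f9eb87de734644.exe"
SAMPLE_EVENTS = [
    {"pid": 4068, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2516, "ppid": 4068, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "{SAMPLE}"'},
    {"pid": 2660, "ppid": 2516, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1 -n 1"},
    {"pid": 1664, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'C:\Windows\SysWOW64\svchost.exe -k "enterprise"'},
    {"pid": 2040, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'C:\Windows\SysWOW64\svchost.exe -k "enterprise"'},
    {"pid": 2644, "ppid": 2040, "image": r"C:\Windows\SysWOW64\enterprise.exe",
     "cmdline": r'C:\Windows\system32\enterprise.exe "c:\users\admin\appdata\local\temp\259273062.dll",MainThread'},
    # Benign control: a standard service group that must not alert.
    {"pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for alert in analyse(build_tree(SAMPLE_EVENTS)):
        print(alert)
```

The self-delete rule keys on the relationship between the deleted path and the parent's own image rather than on the literal `ping && del` string, so it also catches variants that use `timeout` or a different loopback target; the ping match only annotates the alert.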
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Windows\SysWOW64\enterprise.exe
    MD5
    f57886ace1ab4972b0308f69b1a0029c
    SHA1
    519b2a981cb522ed2b0901f9871f9aa9781a6cd5
    SHA256
    2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852
    SHA512
    c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8
  • \??\c:\users\admin\appdata\local\temp\259273062.dll (also recorded as \Users\Admin\AppData\Local\Temp\259273062.dll; same file)
    MD5
    7c65ebad78610be557889d4905f5d991
    SHA1
    bfd2d6b61db89ed0d3a136dbe4907f1829723675
    SHA256
    330a8b58d0ee174ba5c054a2ed0faa4323b1a2ec0057312c60db29c82c1fc2dc
    SHA512
    9dacbdcae73a15e6758a85d6d4597186a3b3401565df8cbc30e0227265a1ceee6e319c97a01b3471ae816e664647816a7a79e3e52c76dcbbb929a1c7a46551d6
  • memory/2516-5-0x0000000000000000-mapping.dmp
  • memory/2644-7-0x0000000000000000-mapping.dmp
  • memory/2660-6-0x0000000000000000-mapping.dmp