Analysis

  • max time kernel
    5s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    27-12-2020 07:39

General

  • Target

    cdc887bb5bff153dcff3330f0fbb9bdf.exe

  • Size

    100KB

  • MD5

    cdc887bb5bff153dcff3330f0fbb9bdf

  • SHA1

    1465f62b20e495cf9a12bc4faac5246cc0c2db3b

  • SHA256

    0175a29f801ef7a555c3d20744a5fa5336604d420d8ffe98bb5723744d1a82cd

  • SHA512

    30f5a6dbed556ebd99fd339222012e5f7d401486995147b68b63490244c4d20cf11ad1588d159f8e23807125ecd2383e9228a3a69dc553741a67eda508ddabe7

Malware Config

Signatures

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdc887bb5bff153dcff3330f0fbb9bdf.exe
    "C:\Users\Admin\AppData\Local\Temp\cdc887bb5bff153dcff3330f0fbb9bdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\cdc887bb5bff153dcff3330f0fbb9bdf.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • Runs ping.exe
        PID:1964
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "enterprise"
    1⤵
      PID:1188
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "enterprise"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\enterprise.exe
        C:\Windows\system32\enterprise.exe "c:\users\admin\appdata\local\temp\259270931.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:1080

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Remote System Discovery

    1
    T1018

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\enterprise.exe
      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    • C:\Windows\SysWOW64\enterprise.exe
      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    • \??\c:\users\admin\appdata\local\temp\259270931.dll
      MD5

      b2c027c5d8e1143caba8e2ef50d846b2

      SHA1

      6cfdee72f6de424be7651f25a79d6bd4cf14c6b7

      SHA256

      a960830ad0627ee89876509ecd95a92d4f67c1a56343b59e7789ad14421e5406

      SHA512

      ebaf84b5e765848fdcd4ece1b043c2a03d6e82c006c0ebe2594196b120ab4d639081a8868ad7a5b80ffb3afd9dc1712477ddbc9ac66fa5c71eddd5ab1809642d

    • \Users\Admin\AppData\Local\Temp\259270931.dll
      MD5

      b2c027c5d8e1143caba8e2ef50d846b2

      SHA1

      6cfdee72f6de424be7651f25a79d6bd4cf14c6b7

      SHA256

      a960830ad0627ee89876509ecd95a92d4f67c1a56343b59e7789ad14421e5406

      SHA512

      ebaf84b5e765848fdcd4ece1b043c2a03d6e82c006c0ebe2594196b120ab4d639081a8868ad7a5b80ffb3afd9dc1712477ddbc9ac66fa5c71eddd5ab1809642d

    • \Users\Admin\AppData\Local\Temp\259270931.dll
      MD5

      b2c027c5d8e1143caba8e2ef50d846b2

      SHA1

      6cfdee72f6de424be7651f25a79d6bd4cf14c6b7

      SHA256

      a960830ad0627ee89876509ecd95a92d4f67c1a56343b59e7789ad14421e5406

      SHA512

      ebaf84b5e765848fdcd4ece1b043c2a03d6e82c006c0ebe2594196b120ab4d639081a8868ad7a5b80ffb3afd9dc1712477ddbc9ac66fa5c71eddd5ab1809642d

    • \Users\Admin\AppData\Local\Temp\259270931.dll
      MD5

      b2c027c5d8e1143caba8e2ef50d846b2

      SHA1

      6cfdee72f6de424be7651f25a79d6bd4cf14c6b7

      SHA256

      a960830ad0627ee89876509ecd95a92d4f67c1a56343b59e7789ad14421e5406

      SHA512

      ebaf84b5e765848fdcd4ece1b043c2a03d6e82c006c0ebe2594196b120ab4d639081a8868ad7a5b80ffb3afd9dc1712477ddbc9ac66fa5c71eddd5ab1809642d

    • \Users\Admin\AppData\Local\Temp\259270931.dll
      MD5

      b2c027c5d8e1143caba8e2ef50d846b2

      SHA1

      6cfdee72f6de424be7651f25a79d6bd4cf14c6b7

      SHA256

      a960830ad0627ee89876509ecd95a92d4f67c1a56343b59e7789ad14421e5406

      SHA512

      ebaf84b5e765848fdcd4ece1b043c2a03d6e82c006c0ebe2594196b120ab4d639081a8868ad7a5b80ffb3afd9dc1712477ddbc9ac66fa5c71eddd5ab1809642d

    • \Users\Admin\AppData\Local\Temp\259270931.dll
      MD5

      b2c027c5d8e1143caba8e2ef50d846b2

      SHA1

      6cfdee72f6de424be7651f25a79d6bd4cf14c6b7

      SHA256

      a960830ad0627ee89876509ecd95a92d4f67c1a56343b59e7789ad14421e5406

      SHA512

      ebaf84b5e765848fdcd4ece1b043c2a03d6e82c006c0ebe2594196b120ab4d639081a8868ad7a5b80ffb3afd9dc1712477ddbc9ac66fa5c71eddd5ab1809642d

    • \Users\Admin\AppData\Local\Temp\259270931.dll
      MD5

      b2c027c5d8e1143caba8e2ef50d846b2

      SHA1

      6cfdee72f6de424be7651f25a79d6bd4cf14c6b7

      SHA256

      a960830ad0627ee89876509ecd95a92d4f67c1a56343b59e7789ad14421e5406

      SHA512

      ebaf84b5e765848fdcd4ece1b043c2a03d6e82c006c0ebe2594196b120ab4d639081a8868ad7a5b80ffb3afd9dc1712477ddbc9ac66fa5c71eddd5ab1809642d

    • \Windows\SysWOW64\enterprise.exe
      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    • memory/1080-8-0x0000000000000000-mapping.dmp
    • memory/1192-5-0x0000000000000000-mapping.dmp
    • memory/1964-6-0x0000000000000000-mapping.dmp