Analysis
  max time kernel:   143s
  max time network:  11s
  platform:          windows7_x64
  resource:          win7v20210410
  submitted:         07-05-2021 05:14

  Static task:       static1
  Behavioral task:   behavioral1  (Sample: 446.exe, Resource: win7v20210410)
  Behavioral task:   behavioral2  (Sample: 446.exe, Resource: win10v20210408)

The results on this page are from the behavioral1 run (windows7_x64, win7v20210410).
General
  Target:  446.exe
  Size:    32KB
  MD5:     1ad4a95949bcea5fc59d635f020e39fc
  SHA1:    60d6ffd37ce2642ea8699cb0d13e940e4c08619f
  SHA256:  4021b25dc6a32dc9157ee22bcf818f9eca8fe0d304ab1b436ea71eefbff92920
  SHA512:  0615fc8007cf43ba3d9ed0d86ccf07ff88f4d89c7dc2d88592f12a8e186c5255029e64376fa84781aad576cedc37c826865c719c6a159e2a7e713c92c204f32f
Malware Config
Signatures
-
RunningRat
RunningRat is a remote access trojan first seen in 2018.
-
Executes dropped EXE (1 IoC)
  Process: serviecs.exe (PID 400)
Sets DLL path for service in the registry (2 TTPs)
  The report lists no registry keys or values for this signature.
Deletes itself (1 IoC)
  Process: cmd.exe (PID 1988)
Loads dropped DLL (7 IoCs)
  Processes: 446.exe (PID 2020, 1 load); svchost.exe (PID 1632, 2 loads); serviecs.exe (PID 400, 4 loads)
Drops file in System32 directory (3 IoCs)
  File created:                  C:\Windows\SysWOW64\259271087.dll  by 446.exe
  File created:                  C:\Windows\SysWOW64\serviecs.exe   by svchost.exe
  File opened for modification:  C:\Windows\SysWOW64\serviecs.exe   by svchost.exe
Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That is the generic text attached to this heuristic; nothing else in this report (no file-encryption or ransom-note signature) supports a ransomware verdict, and drive enumeration is equally consistent with host reconnaissance by a RAT.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 446.exe (PID 2020)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 446.exe (PID 2020), token privilege: SeIncBasePriorityPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
  Process: 446.exe (PID 2020)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2020 (446.exe)      wrote to memory of PID 1988 (cmd.exe)       4 times
  PID 1988 (cmd.exe)      wrote to memory of PID 1952 (PING.EXE)      4 times
  PID 1632 (svchost.exe)  wrote to memory of PID 400 (serviecs.exe)   4 times
  All three are parent-to-child writes into a process the source had just created, which is what process creation normally looks like in this telemetry; on its own the signature is a hint, not evidence of code injection.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\446.exe  (PID 2020)
      Command line: "C:\Users\Admin\AppData\Local\Temp\446.exe"
      Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      [2] C:\Windows\SysWOW64\cmd.exe  (PID 1988)
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\446.exe"
          Signatures: Deletes itself; Suspicious use of WriteProcessMemory
          [3] C:\Windows\SysWOW64\PING.EXE  (PID 1952)
              Command line: ping 127.0.0.1 -n 1
              Signatures: Runs ping.exe
  [1] C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k "serviecs"
      Signatures: none recorded
  [1] C:\Windows\SysWOW64\svchost.exe  (PID 1632)
      Command line: C:\Windows\SysWOW64\svchost.exe -k "serviecs"
      Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      [2] C:\Windows\SysWOW64\serviecs.exe  (PID 400)
          Command line: C:\Windows\system32\serviecs.exe "c:\windows\system32\259271087.dll",MainThread
          Signatures: Executes dropped EXE; Loads dropped DLL

Notes on the tree:
- Bracketed numbers are the report's tree depth. PIDs are taken from the signature details above; the tree itself does not print them, and the first svchost.exe entry has no PID-bearing signature.
- Command lines name System32 while the image paths are under SysWOW64: the sample runs as a 32-bit (WOW64) process on this x64 platform, and file-system redirection maps its System32 writes and launches to SysWOW64.
- The cmd.exe child is the self-deletion step: the single ping to 127.0.0.1 delays the del long enough for 446.exe to exit and release the lock on its own image.
- The argument to serviecs.exe, "<dll>",MainThread, is rundll32.exe syntax, so serviecs.exe is most likely a renamed copy of rundll32.exe used to load the dropped 259271087.dll; confirm by comparing its hashes (under Downloads) with rundll32.exe from a clean system of the same build. The report does not show how the "serviecs" svchost group was registered; the "Sets DLL path for service in the registry" signature is the only trace of it.
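The signatures and the process tree above describe four behaviours a hunter can turn into rules: a cmd.exe child that deletes its parent's image after a ping delay, an svchost.exe started with a service group that is not a stock Windows group, rundll32-style "dll,Export" arguments executed by something other than rundll32.exe, and an all-digit DLL name loaded from a system directory. The following Python is an added example written for this page, not the sandbox's code or the malware's: the event list is constructed from the PIDs and command lines shown in the report (the parent PIDs of the two svchost.exe instances are not in the report and are set to 0 as placeholders), the ProcEvent field names are an assumption modelled on Sysmon Event ID 1 process-creation telemetry, and KNOWN_SVCHOST_GROUPS is an illustrative subset that should be replaced by a baseline taken from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on a clean image of your own build.

```python
"""Hunting rules for the RunningRat process tree (added example, not part of
the report). Fields and EVENTS are assumptions/constructed, see comments."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:          # assumed schema, modelled on Sysmon Event ID 1
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS: List[ProcEvent] = [  # constructed from the report's tree; ppid 0 = unknown
    ProcEvent(2020, 0, r"C:\Users\Admin\AppData\Local\Temp\446.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\446.exe"'),
    ProcEvent(1988, 2020, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 '
              r'&& del /f/q "C:\Users\Admin\AppData\Local\Temp\446.exe"'),
    ProcEvent(1952, 1988, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 1"),
    ProcEvent(1632, 0, r"C:\Windows\SysWOW64\svchost.exe",
              r'C:\Windows\SysWOW64\svchost.exe -k "serviecs"'),
    ProcEvent(400, 1632, r"C:\Windows\SysWOW64\serviecs.exe",
              r'C:\Windows\system32\serviecs.exe "c:\windows\system32\259271087.dll",MainThread'),
]

# Illustrative subset of stock Windows 7 svchost groups (assumption: baseline
# this from the Svchost registry key on a clean image instead of trusting it).
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localservicenetworkrestricted", "localservicenorestricted",
    "localserviceandnoimpersonation", "localsystemnetworkrestricted",
    "networkservicenetworkrestricted", "wcssvc", "secsvcs", "regsvc",
    "termsvcs", "imgsvc", "wersvc", "bthsvcs", "defragsvc", "sdrsvc", "swprv",
}
SVCHOST_GROUP_RE = re.compile(r'-k\s+"?([^"\s]+)"?', re.IGNORECASE)
# rundll32-style argument: <path>.dll,<ExportName>
RUNDLL_ARG_RE = re.compile(r'"?([^"\s]+\.dll)"?\s*,\s*([A-Za-z_]\w*)', re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def find_self_deletion(events: List[ProcEvent]) -> List[int]:
    """cmd.exe whose command line pings and then deletes its parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _base(e.image) != "cmd.exe":
            continue
        cl = e.cmdline.lower()
        if "ping " in cl and "del " in cl and parent.image.lower() in cl:
            hits.append(e.pid)
    return hits


def find_unknown_svchost_groups(events: List[ProcEvent]) -> List[int]:
    """svchost.exe started with a -k group outside the known baseline."""
    hits = []
    for e in events:
        if _base(e.image) != "svchost.exe":
            continue
        m = SVCHOST_GROUP_RE.search(e.cmdline)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            hits.append(e.pid)
    return hits


def find_rundll32_syntax_in_other_images(events: List[ProcEvent]) -> List[int]:
    """A dll,Export argument run by an image that is not rundll32.exe."""
    return [e.pid for e in events
            if _base(e.image) != "rundll32.exe" and RUNDLL_ARG_RE.search(e.cmdline)]


def find_numeric_dlls_in_system_dirs(events: List[ProcEvent]) -> List[int]:
    """All-digit DLL name loaded from System32 or SysWOW64."""
    hits = []
    for e in events:
        m = RUNDLL_ARG_RE.search(e.cmdline)
        if not m:
            continue
        dll = m.group(1).lower()
        stem = ntpath.splitext(ntpath.basename(dll))[0]
        if stem.isdigit() and any(d in dll for d in SYSTEM_DIRS):
            hits.append(e.pid)
    return hits


def hunt(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Run every rule; returns rule name -> list of matching PIDs."""
    return {
        "self_deletion": find_self_deletion(events),
        "unknown_svchost_group": find_unknown_svchost_groups(events),
        "rundll32_syntax_in_other_image": find_rundll32_syntax_in_other_images(events),
        "numeric_dll_in_system_dir": find_numeric_dlls_in_system_dirs(events),
    }


if __name__ == "__main__":
    for rule, pids in hunt(EVENTS).items():
        print(f"{rule}: {pids}")
```

Against the constructed events the rules flag PID 1988 for self-deletion, PID 1632 for the unknown "serviecs" group, and PID 400 for both the rundll32 syntax and the numeric DLL. The self-deletion rule deliberately requires the parent's image path to appear in the child's command line, so ordinary `cmd /c ping` usage does not match; the group rule is only as good as the baseline it is fed.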
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  serviecs.exe  (3 entries: C:\Windows\SysWOW64\serviecs.exe x2, \Windows\SysWOW64\serviecs.exe x1)
    MD5:     51138beea3e2c21ec44d0932c71762a8
    SHA1:    8939cf35447b22dd2c6e6f443446acc1bf986d58
    SHA256:  5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
    SHA512:  794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

  259271087.dll  (7 entries: \??\c:\windows\SysWOW64\259271087.dll x1, \Windows\SysWOW64\259271087.dll x6)
    MD5:     f85e29f1f415f7954841f92966bb3681
    SHA1:    9f7897fd5e7a04d3af8053fbbf201b06fdca7a78
    SHA256:  3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4
    SHA512:  caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

  Memory dumps
    memory/400-67-0x0000000000000000-mapping.dmp                        (serviecs.exe, PID 400)
    memory/1952-65-0x0000000000000000-mapping.dmp                       (PING.EXE, PID 1952)
    memory/1988-64-0x0000000000000000-mapping.dmp                       (cmd.exe, PID 1988)
    memory/2020-60-0x0000000076281000-0x0000000076283000-memory.dmp     (446.exe, PID 2020, 8KB)