runningrat | 4021b25dc6a32dc9157ee22bcf818f9eca8fe0d304ab1b436ea71eefbff92920

Analysis

max time kernel
143s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446.exe
Size

32KB
MD5

1ad4a95949bcea5fc59d635f020e39fc
SHA1

60d6ffd37ce2642ea8699cb0d13e940e4c08619f
SHA256

4021b25dc6a32dc9157ee22bcf818f9eca8fe0d304ab1b436ea71eefbff92920
SHA512

0615fc8007cf43ba3d9ed0d86ccf07ff88f4d89c7dc2d88592f12a8e186c5255029e64376fa84781aad576cedc37c826865c719c6a159e2a7e713c92c204f32f

Score

10^/10

runningrat xmrig miner persistence rat

Malware Config

Signatures

RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

serviecs.exe

pid process

400 serviecs.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe
Loads dropped DLL 7 IoCs

Processes:

446.exesvchost.exeserviecs.exe

pid process

2020 446.exe
1632 svchost.exe
1632 svchost.exe
400 serviecs.exe
400 serviecs.exe
400 serviecs.exe
400 serviecs.exe

pid	process
400	serviecs.exe

pid	process
1988	cmd.exe

pid	process
2020	446.exe
1632	svchost.exe
1632	svchost.exe
400	serviecs.exe
400	serviecs.exe
400	serviecs.exe
400	serviecs.exe

Drops file in System32 directory 3 IoCs

Processes:

446.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\259271087.dll	446.exe
File created	C:\Windows\SysWOW64\serviecs.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\serviecs.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1952 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

446.exe

pid process

2020 446.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

446.exe

description pid process

Token: SeIncBasePriorityPrivilege 2020 446.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

446.exe

pid process

2020 446.exe

pid	process
1952	PING.EXE

pid	process
2020	446.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2020	446.exe

pid	process
2020	446.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

446.execmd.exesvchost.exe

description	pid	process	target process
PID 2020 wrote to memory of 1988	2020	446.exe	cmd.exe
PID 2020 wrote to memory of 1988	2020	446.exe	cmd.exe
PID 2020 wrote to memory of 1988	2020	446.exe	cmd.exe
PID 2020 wrote to memory of 1988	2020	446.exe	cmd.exe
PID 1988 wrote to memory of 1952	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1952	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1952	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 1952	1988	cmd.exe	PING.EXE
PID 1632 wrote to memory of 400	1632	svchost.exe	serviecs.exe
PID 1632 wrote to memory of 400	1632	svchost.exe	serviecs.exe
PID 1632 wrote to memory of 400	1632	svchost.exe	serviecs.exe
PID 1632 wrote to memory of 400	1632	svchost.exe	serviecs.exe

C:\Users\Admin\AppData\Local\Temp\446.exe
"C:\Users\Admin\AppData\Local\Temp\446.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\446.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
3⤵
- Runs ping.exe
PID:1952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "serviecs"
1⤵
PID:1392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "serviecs"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\serviecs.exe
C:\Windows\system32\serviecs.exe "c:\windows\system32\259271087.dll",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\serviecs.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\serviecs.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\??\c:\windows\SysWOW64\259271087.dll
MD5
f85e29f1f415f7954841f92966bb3681

SHA1
9f7897fd5e7a04d3af8053fbbf201b06fdca7a78

SHA256
3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4

SHA512
caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

Download Submit
\Windows\SysWOW64\259271087.dll
MD5
f85e29f1f415f7954841f92966bb3681

SHA1
9f7897fd5e7a04d3af8053fbbf201b06fdca7a78

SHA256
3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4

SHA512
caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

Download Submit
\Windows\SysWOW64\259271087.dll
MD5
f85e29f1f415f7954841f92966bb3681

SHA1
9f7897fd5e7a04d3af8053fbbf201b06fdca7a78

SHA256
3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4

SHA512
caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

Download Submit
\Windows\SysWOW64\259271087.dll
MD5
f85e29f1f415f7954841f92966bb3681

SHA1
9f7897fd5e7a04d3af8053fbbf201b06fdca7a78

SHA256
3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4

SHA512
caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

Download Submit
\Windows\SysWOW64\259271087.dll
MD5
f85e29f1f415f7954841f92966bb3681

SHA1
9f7897fd5e7a04d3af8053fbbf201b06fdca7a78

SHA256
3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4

SHA512
caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

Download Submit
\Windows\SysWOW64\259271087.dll
MD5
f85e29f1f415f7954841f92966bb3681

SHA1
9f7897fd5e7a04d3af8053fbbf201b06fdca7a78

SHA256
3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4

SHA512
caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

Download Submit
\Windows\SysWOW64\259271087.dll
MD5
f85e29f1f415f7954841f92966bb3681

SHA1
9f7897fd5e7a04d3af8053fbbf201b06fdca7a78

SHA256
3bbef9eff49dbe41000603cb3eca826697f8e4b94dcf2172d7be690818f755f4

SHA512
caa420d38e8f6553b54e0dd722c2618448f560c38697f4f5d04e88f2632b4e18b8bae92bf2492e63ebbb7cec06547a116536b10b51f74cac67e4c55c8b106fe2

Download Submit
\Windows\SysWOW64\serviecs.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/400-67-0x0000000000000000-mapping.dmp

Download
memory/1952-65-0x0000000000000000-mapping.dmp

Download
memory/1988-64-0x0000000000000000-mapping.dmp

Download
memory/2020-60-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download