Analysis
- max time kernel: 118s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 06-12-2021 06:30
Static task: static1
Behavioral task: behavioral1
  Sample: 84bc5e264f5d9f894b7f7c3e8af39721.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 84bc5e264f5d9f894b7f7c3e8af39721.exe
  Resource: win10-en-20211014
General
- Target: 84bc5e264f5d9f894b7f7c3e8af39721.exe
- Size: 34KB
- MD5: 84bc5e264f5d9f894b7f7c3e8af39721
- SHA1: 71c23342f56fd45fc9e3979b0e17304ded0a6af1
- SHA256: d8af26541263929cbba975eff6cc79173eae5fb97f05e8fa36297ba83c6ef2c9
- SHA512: 1fdaf12530fbb339f0abde2836eaa1887bd306e629cb7380d80d6f88f487862dd20ccfdb9d202552d8be697232ee5887c22fe46edd532424f14c8a2efa42c999
Malware Config
Signatures
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1232 conhost.exe
- Sets DLL path for service in the registry (2 TTPs)
- Deletes itself (1 IoC)
  Processes (pid, process):
    1472 cmd.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid, process):
    1644 84bc5e264f5d9f894b7f7c3e8af39721.exe
    1380 svchost.exe (2 events)
    1232 conhost.exe (4 events)
- Creates a Windows Service
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
    File created                  C:\Windows\SysWOW64\conhost.exe  svchost.exe
    File opened for modification  C:\Windows\SysWOW64\conhost.exe  svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       conhost.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  conhost.exe
- Modifies data under HKEY_USERS (6 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum              conhost.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software                                             conhost.exe
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                   conhost.exe
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie                       conhost.exe
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum               conhost.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"  conhost.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  Processes (pid, process):
    1644 84bc5e264f5d9f894b7f7c3e8af39721.exe (1 event)
    1232 conhost.exe (51 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  1644  84bc5e264f5d9f894b7f7c3e8af39721.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    1644 84bc5e264f5d9f894b7f7c3e8af39721.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1644 wrote to memory of 1472  1644  84bc5e264f5d9f894b7f7c3e8af39721.exe  cmd.exe      (4 events)
    PID 1472 wrote to memory of 1284  1472  cmd.exe                               PING.EXE     (4 events)
    PID 1380 wrote to memory of 1232  1380  svchost.exe                           conhost.exe  (4 events)
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\84bc5e264f5d9f894b7f7c3e8af39721.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\84bc5e264f5d9f894b7f7c3e8af39721.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\84bc5e264f5d9f894b7f7c3e8af39721.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 1
          - Runs ping.exe
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "conhost"
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "conhost"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\conhost.exe
      Command line: C:\Windows\system32\conhost.exe "c:\users\admin\appdata\local\temp\259370070.dll",MainThread
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\conhost.exe (also recorded as \Windows\SysWOW64\conhost.exe)
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
- \??\c:\users\admin\appdata\local\temp\259370070.dll (also recorded as \Users\Admin\AppData\Local\Temp\259370070.dll)
  MD5: 1f58a2c8d9beb8d028bb309e8383425c
  SHA1: e5a3ad14b99f46b6ab47589364b011cf3a3190f4
  SHA256: a5045c305fc5df803c2f2070187d100b13c7c802f8390b458adec86ac69b8420
  SHA512: 6ade7e425f5c441c3c156c4d6084aa3b9d6bf21c1daeecea9c8a458d3f6761577ebb122d4e46c30185739bba699f00b87392cbd7b4a0c9d601f31a3aa308f84c
- memory/1232-62-0x0000000000000000-mapping.dmp
- memory/1284-60-0x0000000000000000-mapping.dmp
- memory/1472-59-0x0000000000000000-mapping.dmp
- memory/1644-55-0x0000000076761000-0x0000000076763000-memory.dmp (Filesize: 8KB)