Analysis

max time kernel:  121s
max time network: 146s
platform:         windows10_x64
resource:         win10-en-20211014
submitted:        06-12-2021 06:30
Static task: static1

Behavioral task: behavioral1
  Sample:   84bc5e264f5d9f894b7f7c3e8af39721.exe
  Resource: win7-en-20211104

Behavioral task: behavioral2
  Sample:   84bc5e264f5d9f894b7f7c3e8af39721.exe
  Resource: win10-en-20211014
General

Target: 84bc5e264f5d9f894b7f7c3e8af39721.exe
Size:   34KB
MD5:    84bc5e264f5d9f894b7f7c3e8af39721
SHA1:   71c23342f56fd45fc9e3979b0e17304ded0a6af1
SHA256: d8af26541263929cbba975eff6cc79173eae5fb97f05e8fa36297ba83c6ef2c9
SHA512: 1fdaf12530fbb339f0abde2836eaa1887bd306e629cb7380d80d6f88f487862dd20ccfdb9d202552d8be697232ee5887c22fe46edd532424f14c8a2efa42c999
Malware Config
Signatures
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.

- Executes dropped EXE (1 IoC)
  PID   Process
  1272  conhost.exe

- Sets DLL path for service in the registry (2 TTPs)
  Read together with the "Creates a Windows Service" signature and the svchost.exe -k "conhost" instances in the process tree, this is the registration of a svchost-hosted service: the service's ImagePath points at svchost.exe with a service-group name ("conhost", a name that mimics the console host binary), and the payload DLL is set as the ServiceDll under the service's Parameters key, which is how svchost.exe knows what to load for that group.

- Loads dropped DLL (3 IoCs)
  PID   Process
  2640  84bc5e264f5d9f894b7f7c3e8af39721.exe
  3712  svchost.exe
  1272  conhost.exe

- Creates a Windows Service

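A registry-side hunt for this persistence shape, as an added example in Python (not code from the report or from RunningRat). The snapshot is a constructed dict standing in for the Services and Svchost keys; the service name "conhost", its ServiceDll path, the assumed %SystemRoot% value and the benign control entries are assumptions chosen to mirror the report, not values the report records. On a live host the same values would be read with winreg or PowerShell.

```python
r"""Registry-side audit for the persistence shape in this report.

Added example, not part of the sandbox report or of RunningRat. The snapshot
is a constructed dict standing in for HKLM\SYSTEM\CurrentControlSet\Services
and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; on a live host
the same values would be read with winreg or PowerShell.
"""
import re

# Assumption: %SystemRoot% expands to C:\Windows (read it from the
# environment on a live host).
SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = (SYSTEM_ROOT + "\\system32\\").lower()

# "svchost.exe -k <group>", with or without quotes around the group name
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+"?([^"\s]+)"?', re.I)


def services_snapshot():
    """Constructed snapshot. "Schedule" and "Spooler" are benign control
    entries; "conhost" mirrors the report, and its ServiceDll path is an
    assumption (the report records that a service DLL path was set, not
    which path); "UpdSvc" is a made-up broken entry for the group check."""
    return {
        # Svchost key: group name -> services hosted in that group
        "svchost_groups": {
            "netsvcs": ["Schedule"],
            "conhost": ["conhost"],
        },
        # Services key: service name -> values
        "services": {
            "Schedule": {
                "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                "Parameters": {"ServiceDll": r"%SystemRoot%\system32\schedsvc.dll"},
            },
            "Spooler": {
                "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
            },
            "conhost": {
                "ImagePath": r"%SystemRoot%\SysWOW64\svchost.exe -k conhost",
                "Parameters": {"ServiceDll": r"C:\Users\Admin\AppData\Local\Temp\259374921.dll"},
            },
            "UpdSvc": {
                "ImagePath": r"%SystemRoot%\system32\svchost.exe -k updgrp",
            },
        },
    }


def expand(path):
    """Expand %SystemRoot% and lower-case for comparison."""
    return path.replace("%SystemRoot%", SYSTEM_ROOT).lower()


def audit(snapshot):
    """Return (service, rule, detail) for svchost-hosted services that do not
    look like a stock Windows service registration."""
    groups = {g.lower(): set(s) for g, s in snapshot["svchost_groups"].items()}
    findings = []
    for name, values in snapshot["services"].items():
        image = values.get("ImagePath", "")
        m = SVCHOST_RE.search(image)
        if not m:
            continue                       # not hosted by svchost.exe
        group = m.group(1).lower()
        dll = values.get("Parameters", {}).get("ServiceDll")

        # The group named on the command line must exist and list this
        # service, otherwise svchost.exe would have nothing to load.
        if name not in groups.get(group, set()):
            findings.append((name, "svchost-group-not-registered", group))
        # svchost-hosted services carry their code in ServiceDll; a DLL
        # outside System32 is a heuristic, not proof (some third-party
        # services are legitimately elsewhere).
        if dll is None:
            findings.append((name, "no-servicedll", ""))
        elif not expand(dll).startswith(SYSTEM32):
            findings.append((name, "servicedll-outside-system32", dll))
        # Heuristic: built-in services on 64-bit Windows use the System32
        # svchost.exe; a SysWOW64 host, as in this report, deserves a look.
        if "\\syswow64\\" in expand(image):
            findings.append((name, "syswow64-svchost-host", image))
    return findings


def rules_for(findings, service):
    """Rule names fired for one service, sorted for stable comparison."""
    return sorted(rule for svc, rule, _ in findings if svc == service)


if __name__ == "__main__":
    for finding in audit(services_snapshot()):
        print(finding)
```

Run as-is it prints the findings for the constructed "conhost" and "UpdSvc" entries and nothing for the two benign services. The group check matters because a `-k` group that no service is registered under cannot be a working service host, so either the registration is incomplete or the group was written somewhere this snapshot does not model.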
- Drops file in System32 directory (2 IoCs)
  Process      Event                         Path
  svchost.exe  File created                  C:\Windows\SysWOW64\conhost.exe
  svchost.exe  File opened for modification  C:\Windows\SysWOW64\conhost.exe
  The created file is the malware's own binary, not the Windows console host (see its hashes under Downloads). It lands in SysWOW64, the directory a 32-bit process sees as System32 under WOW64 file-system redirection.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic description for this signature. Nothing else in this report shows file encryption, and for a remote access trojan drive enumeration is more consistent with host reconnaissance (listing volumes for the operator) than with ransomware.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process      Event              Key
  conhost.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  conhost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  A read of ~MHz is low-signal on its own (system-information and installer code reads it routinely); it is worth noting here only because the reader is the dropped conhost.exe rather than the original dropper.

- Modifies data under HKEY_USERS (5 IoCs)
  Process      Event            Key / value
  conhost.exe  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"
  conhost.exe  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum
  conhost.exe  Key created      \REGISTRY\USER\.DEFAULT\Software
  conhost.exe  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft
  conhost.exe  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie
  Two things follow from these keys. The writes land under .DEFAULT, the hive used by processes running as LocalSystem, which matches conhost.exe being started from a service host rather than from the logged-on user's session. The ActiveMovie\devenum key is maintained by the DirectShow device enumerator and is created when a program enumerates capture devices (cameras, microphones), a capability consistent with a remote access trojan.

- Runs ping.exe (1 TTP, 1 IoC)
  Here ping 127.0.0.1 -n 1 serves only as a delay inside the cmd.exe self-deletion command shown in the process tree, not as network reconnaissance.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process                                Events
  2640  84bc5e264f5d9f894b7f7c3e8af39721.exe   2
  1272  conhost.exe                            62

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID   Process                                Privilege enabled
  2640  84bc5e264f5d9f894b7f7c3e8af39721.exe   SeIncBasePriorityPrivilege
  SeIncBasePriorityPrivilege is the privilege needed to raise a process's or thread's scheduling priority above the normal range; benign software enables it too, so on its own this is weak evidence.

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  2640  84bc5e264f5d9f894b7f7c3e8af39721.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID  Source process                          Target PID  Target process  Events
  2640        84bc5e264f5d9f894b7f7c3e8af39721.exe    3932        cmd.exe         3
  3932        cmd.exe                                 3880        PING.EXE        3
  3712        svchost.exe                             1272        conhost.exe     3
  Each target is a child the source had just created, so these are the writes that accompany process creation, not injection into an unrelated process.

Processes

1. C:\Users\Admin\AppData\Local\Temp\84bc5e264f5d9f894b7f7c3e8af39721.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\84bc5e264f5d9f894b7f7c3e8af39721.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\84bc5e264f5d9f894b7f7c3e8af39721.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 1
         - Runs ping.exe

1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k "conhost"

1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k "conhost"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\conhost.exe
      Command line: C:\Windows\system32\conhost.exe "c:\users\admin\appdata\local\temp\259374921.dll",MainThread
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

Notes on the tree. The number in front of each entry is the process depth recorded by the sandbox (1 = top-level). Every process runs from C:\Windows\SysWOW64 even where its command line names C:\Windows\System32: the sample is a 32-bit process, and WOW64 file-system redirection maps System32 to SysWOW64 for it and its children. The cmd.exe child is the usual self-deletion helper; ping 127.0.0.1 -n 1 is a short delay that lets the dropper exit before del removes its on-disk image. The two svchost.exe entries are service hosts started for a service group named "conhost"; the second one writes a new conhost.exe (a dropped binary, not the Windows console host; see its hashes under Downloads) into SysWOW64 and launches it rundll32-style with a DLL path and an export name (MainThread) on the command line, so the dropped DLL runs under a process name that looks like a system component.
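Detection logic over the process tree above, as an added example in Python rather than anything from the report or from the malware. The events are constructed to mirror the tree (same PIDs, images and command lines; the parent PIDs of the two top-level processes are not in the report and are placeholders), the record layout is a generic Sysmon-style process-creation event, and the svchost group allowlist is an illustrative subset that a real deployment would build from the Svchost registry key.

```python
"""Process-tree detection for the behaviour chain in this report.

Added example, not part of the sandbox report or of RunningRat. The events
are constructed to mirror the report's process tree; the record layout is a
generic Sysmon-style process-creation event and is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# Illustrative subset of svchost.exe service groups (assumption). On a real
# host, build the allowlist from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice",
                        "dcomlaunch", "rpcss", "localsystemnetworkrestricted"}

# cmd.exe "del [/flags ...] <path>" with an optionally quoted path
SELF_DELETE_RE = re.compile(r'\bdel\b(?:\s+/\S+)*\s+(?:"([^"]+)"|(\S+))', re.I)
# "svchost.exe -k <group>", with or without quotes around the group name
SVCHOST_GROUP_RE = re.compile(r'-k\s+"?([^"\s]+)"?', re.I)
# rundll32-style "<path>.dll,<Export>" argument
DLL_EXPORT_RE = re.compile(r'"?([^"\s]+\.dll)"?\s*,\s*(\w+)', re.I)


def report_events():
    """Constructed events mirroring the report's process tree. PPIDs 1000 and
    700 stand in for parents the report does not show."""
    sample = r"C:\Users\Admin\AppData\Local\Temp\84bc5e264f5d9f894b7f7c3e8af39721.exe"
    return [
        ProcEvent(2640, 1000, sample, '"' + sample + '"'),
        ProcEvent(3932, 2640, r"C:\Windows\SysWOW64\cmd.exe",
                  '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 1 '
                  '&& del /f/q "' + sample + '"'),
        ProcEvent(3880, 3932, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 1"),
        ProcEvent(3712, 700, r"C:\Windows\SysWOW64\svchost.exe",
                  r'C:\Windows\SysWOW64\svchost.exe -k "conhost"'),
        ProcEvent(1272, 3712, r"C:\Windows\SysWOW64\conhost.exe",
                  r'C:\Windows\system32\conhost.exe '
                  r'"c:\users\admin\appdata\local\temp\259374921.dll",MainThread'),
    ]


def detect(events):
    """Return (pid, rule, detail) findings for the three patterns."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)

        # 1. Self-deletion: cmd.exe deleting the image of the process that
        #    spawned it (the "ping loopback && del" idiom).
        if img.endswith("\\cmd.exe") and parent is not None:
            m = SELF_DELETE_RE.search(e.cmdline)
            target = (m.group(1) or m.group(2)) if m else None
            if target and target.lower() == parent.image.lower():
                findings.append((e.pid, "self-delete-parent", target))

        # 2. svchost.exe started for a service group outside the allowlist.
        if img.endswith("\\svchost.exe"):
            m = SVCHOST_GROUP_RE.search(e.cmdline)
            group = m.group(1) if m else "<none>"
            if group.lower() not in KNOWN_SVCHOST_GROUPS:
                findings.append((e.pid, "unknown-svchost-group", group))

        # 3. A conhost.exe given a "<dll>,<export>" argument. The real console
        #    host is launched by the console subsystem with a numeric handle
        #    argument and is never asked to load a DLL.
        if img.endswith("\\conhost.exe"):
            m = DLL_EXPORT_RE.search(e.cmdline)
            if m:
                findings.append((e.pid, "conhost-loads-dll-export",
                                 m.group(1) + "," + m.group(2)))
    return findings


def rules_for(findings, pid):
    """Rule names fired for one PID, sorted for stable comparison."""
    return sorted(rule for p, rule, _ in findings if p == pid)


if __name__ == "__main__":
    for finding in detect(report_events()):
        print(finding)
```

The self-deletion rule compares the del target against the parent's image path rather than matching on the ping string alone, which keeps ordinary `cmd /c ping` usage out of the results; the conhost rule keys on the argument shape, so it also fires if the dropped binary is renamed to another host-like name only when that rule is widened to match on the command line independent of the image name.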
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\conhost.exe
  MD5:    f57886ace1ab4972b0308f69b1a0029c
  SHA1:   519b2a981cb522ed2b0901f9871f9aa9781a6cd5
  SHA256: 2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852
  SHA512: c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

\??\c:\users\admin\appdata\local\temp\259374921.dll
(also recorded as \Users\Admin\AppData\Local\Temp\259374921.dll; the report lists this file four times with identical hashes)
  MD5:    1f58a2c8d9beb8d028bb309e8383425c
  SHA1:   e5a3ad14b99f46b6ab47589364b011cf3a3190f4
  SHA256: a5045c305fc5df803c2f2070187d100b13c7c802f8390b458adec86ac69b8420
  SHA512: 6ade7e425f5c441c3c156c4d6084aa3b9d6bf21c1daeecea9c8a458d3f6761577ebb122d4e46c30185739bba699f00b87392cbd7b4a0c9d601f31a3aa308f84c

- memory/1272-120-0x0000000000000000-mapping.dmp
- memory/3880-119-0x0000000000000000-mapping.dmp
- memory/3932-118-0x0000000000000000-mapping.dmp