Analysis
- max time kernel: 150s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-08-2022 20:28
Behavioral task behavioral1
- Sample: 1.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 1.exe
- Resource: win10v2004-20220812-en
General
- Target: 1.exe
- Size: 68KB
- MD5: 93dff428b7ecfc0e4320d5190bd095b4
- SHA1: 2c8b2fbc863bdbbbe9ec69ec4ca0cefa5afef503
- SHA256: 76d00037ad0e19a299b97f7781affae6c33254887d0068dd7d13a34cc3d26297
- SHA512: a77712c3f40a0ab0ef7bfd8927f5815d1c2d506cd5013fe44a392b1f585e889001ce48e424415c4fbd0598877fd9def3a26e1d24f27731e070d34dffb1b6ba58
Malware Config
Signatures
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
- RunningRat payload (1 IoC)
  Processes:
  resource: behavioral2/memory/3108-132-0x0000000010000000-0x000000001000F000-memory.dmp; yara_rule: family_runningrat
- Executes dropped EXE (1 IoC)
  Processes:
  pid 1168, process SRDSLS.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRDSLS\Parameters\ServiceDll = "C:\\Windows\\system32\\240572671.dll" (process: 1.exe)
- Loads dropped DLL (4 IoCs)
  Processes:
  pid 3108, process 1.exe
  pid 3108, process 1.exe
  pid 4428, process svchost.exe
  pid 1168, process SRDSLS.exe
- Drops file in System32 directory (4 IoCs)
  Processes:
  File created: C:\Windows\SysWOW64\240572671.dll (process: 1.exe)
  File opened for modification: C:\Windows\SysWOW64\ini.ini (process: 1.exe)
  File created: C:\Windows\SysWOW64\SRDSLS.exe (process: svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\SRDSLS.exe (process: svchost.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: SRDSLS.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: SRDSLS.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie (process: SRDSLS.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" (process: SRDSLS.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum (process: SRDSLS.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software (process: SRDSLS.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (process: SRDSLS.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 4428 (svchost.exe) wrote to memory of PID 1168 (target process: SRDSLS.exe)
  PID 4428 (svchost.exe) wrote to memory of PID 1168 (target process: SRDSLS.exe)
  PID 4428 (svchost.exe) wrote to memory of PID 1168 (target process: SRDSLS.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 3108
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
  PID: 4384
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
  PID: 4428
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\SRDSLS.exe (child of PID 4428)
    Command line: C:\Windows\system32\SRDSLS.exe "c:\windows\system32\240572671.dll",MainThread
    PID: 1168
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads