Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-08-2022 20:28

General

  • Target

    1.exe

  • Size

    68KB

  • MD5

    93dff428b7ecfc0e4320d5190bd095b4

  • SHA1

    2c8b2fbc863bdbbbe9ec69ec4ca0cefa5afef503

  • SHA256

    76d00037ad0e19a299b97f7781affae6c33254887d0068dd7d13a34cc3d26297

  • SHA512

    a77712c3f40a0ab0ef7bfd8927f5815d1c2d506cd5013fe44a392b1f585e889001ce48e424415c4fbd0598877fd9def3a26e1d24f27731e070d34dffb1b6ba58

Malware Config

Signatures

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

  • RunningRat payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:3108
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
    1⤵
    PID:4384
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\SRDSLS.exe
        C:\Windows\system32\SRDSLS.exe "c:\windows\system32\240572671.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        PID:1168
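The signatures and process tree above describe a service-DLL persistence chain: the dropper (PID 3108) writes SRDSLS.exe and 240572671.dll into SysWOW64 and sets a service DLL path in the registry; svchost.exe is then started with the non-standard group "SRDSLS", and from it SRDSLS.exe is launched with a rundll32-style "<dll>",<export> argument (MainThread). Note that the command line names c:\windows\system32 while the files land in SysWOW64: a 32-bit process's writes to System32 are redirected to SysWOW64 by WOW64 file-system redirection, so path-based rules must accept both spellings. The following Python is an added example, not code from the report or from the RunningRat sample: it runs four triage rules over constructed Sysmon-style events shaped after the tree, then correlates the registry write with the svchost launch. Field names follow Sysmon (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet); the ServiceDll key layout, the allowlist of svchost groups and the "trusted writer" directories are assumptions for the example, not facts the report states.

```python
"""Triage rules for an svchost-hosted service DLL chain (added example,
shaped after the sandbox process tree; not the report's or the malware's code)."""
import re
from typing import Dict, List, Optional

# Hypothetical allowlist excerpt. On a real estate build this from
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on a clean image.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "localservicenonetwork",
    "localservicenetworkrestricted", "localsystemnetworkrestricted",
    "networkservice", "networkservicenetworkrestricted", "wsappx",
    "unistacksvcgroup", "appmodel", "utcsvc", "localservicenoimpersonation",
}
# Assumed key layout for svchost-hosted services:
# HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll
SERVICE_DLL_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
DLL_ENTRYPOINT_RE = re.compile(r'"?([^"\s]+\.dll)"?\s*,\s*([A-Za-z_]\w*)', re.I)
SVCHOST_GROUP_RE = re.compile(r'-k\s+"?([^"\s]+)"?', re.I)
TRUSTED_WRITER_DIRS = ("c:\\windows\\", "c:\\program files")
# Both spellings, because WOW64 redirects 32-bit System32 writes to SysWOW64.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def untrusted_writer(ev: Dict) -> bool:
    return not ev.get("Image", "").lower().startswith(TRUSTED_WRITER_DIRS)


def check_system_dir_drop(ev: Dict) -> Optional[Dict]:
    """Rule 1: file created under System32/SysWOW64 by a process outside Windows."""
    if ev.get("EventID") != 11 or not untrusted_writer(ev):
        return None
    target = ev.get("TargetFilename", "")
    if not target.lower().startswith(SYSTEM_DIRS):
        return None
    return {"rule": "file_dropped_in_system_dir", "file": target, "pid": ev.get("ProcessId")}


def check_service_dll_write(ev: Dict) -> Optional[Dict]:
    """Rule 2: ServiceDll value written by a process outside Windows/Program Files."""
    if ev.get("EventID") != 13 or not untrusted_writer(ev):
        return None
    m = SERVICE_DLL_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    return {"rule": "servicedll_set_by_untrusted_writer", "service": m.group(1),
            "dll": ev.get("Details"), "pid": ev.get("ProcessId")}


def check_svchost_group(ev: Dict) -> Optional[Dict]:
    """Rule 3: svchost.exe started with a -k group that is not on the allowlist."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "svchost.exe":
        return None
    m = SVCHOST_GROUP_RE.search(ev.get("CommandLine", ""))
    if not m or m.group(1).lower() in KNOWN_SVCHOST_GROUPS:
        return None
    return {"rule": "unknown_svchost_group", "group": m.group(1), "pid": ev.get("ProcessId")}


def check_dll_entrypoint_arg(ev: Dict) -> Optional[Dict]:
    """Rule 4: a process other than rundll32.exe given a "<dll>",<Export> argument."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) == "rundll32.exe":
        return None
    m = DLL_ENTRYPOINT_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    return {"rule": "dll_entrypoint_arg_outside_rundll32", "dll": m.group(1),
            "export": m.group(2), "pid": ev.get("ProcessId")}


def analyze(events: List[Dict]) -> List[Dict]:
    """Run all rules; then, when a service whose ServiceDll was planted by an
    untrusted writer also appears as an svchost -k group (the sample reuses the
    name SRDSLS for both), add one combined high-confidence finding."""
    findings = []
    for ev in events:
        for rule in (check_system_dir_drop, check_service_dll_write,
                     check_svchost_group, check_dll_entrypoint_arg):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    planted = {f["service"].lower() for f in findings
               if f["rule"] == "servicedll_set_by_untrusted_writer"}
    for f in [f for f in findings if f["rule"] == "unknown_svchost_group"]:
        if f["group"].lower() in planted:
            findings.append({"rule": "planted_service_hosted_by_svchost",
                             "service": f["group"], "pid": f["pid"]})
    return findings


# Constructed events shaped after the report's process tree, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 3108, "Image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\240572671.dll"},
    {"EventID": 13, "ProcessId": 3108, "Image": r"C:\Users\Admin\AppData\Local\Temp\1.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SRDSLS\Parameters\ServiceDll",
     "Details": r"C:\Windows\SysWOW64\240572671.dll"},
    {"EventID": 1, "ProcessId": 4428, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessId": 1168, "Image": r"C:\Windows\SysWOW64\SRDSLS.exe",
     "CommandLine": r'C:\Windows\system32\SRDSLS.exe "c:\windows\system32\240572671.dll",MainThread',
     "ParentImage": r"C:\Windows\SysWOW64\svchost.exe"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Sysmon does not record registry reads, so the "Checks processor information in registry" signature (HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor on Windows) cannot be expressed as an EventID 12/13/14 rule; it is a sandbox-side observation, not something to hunt for in endpoint telemetry. Tune rule 2's trusted-writer list to your installers (msiexec, TrustedInstaller) before deploying it.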

    Network

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Windows\SysWOW64\240572671.dll

      Filesize

      37KB

      MD5

      69d28b043400bca977bf2007e534810e

      SHA1

      e35fafaf1b38fce03fd72aa055d0004b086b224b

      SHA256

      bd376cb3099da07ab9c140044f73cb8335956244cd7b5bf6cdfab4f708fa1d90

      SHA512

      dc9e932db1c8527ed731ef90ef991152a219f09290b97a52f480fe1b49546b75568c6b9197bb2a8718709752aeffa6196cff6103a363507d90b5cd4aa1198160

    • C:\Windows\SysWOW64\SRDSLS.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • C:\Windows\SysWOW64\ini.ini

      Filesize

      44B

      MD5

      f9466b450a335ca7e6dd5ad45d89b5e2

      SHA1

      2f5b7a72afae7af9d411759a43bc7fbb6ab555c6

      SHA256

      cf033b2090dee429d48cd6b8bf6664c318f1b5f188d99265cd85d282fda5318e

      SHA512

      8b2f1c68ce31b96ed85f9752d49dcb39d2dd05dfd39f5d09d1a8dc1bf37a024bf960edc556d1c1854e2fbedca4e45839dbf641402f0108f4c416b4a41c709f5e

    • \??\c:\windows\SysWOW64\240572671.dll

      Filesize

      37KB

      MD5

      69d28b043400bca977bf2007e534810e

      SHA1

      e35fafaf1b38fce03fd72aa055d0004b086b224b

      SHA256

      bd376cb3099da07ab9c140044f73cb8335956244cd7b5bf6cdfab4f708fa1d90

      SHA512

      dc9e932db1c8527ed731ef90ef991152a219f09290b97a52f480fe1b49546b75568c6b9197bb2a8718709752aeffa6196cff6103a363507d90b5cd4aa1198160

    • memory/1168-141-0x0000000000000000-mapping.dmp

    • memory/3108-132-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

    • memory/3108-138-0x0000000000510000-0x000000000051D000-memory.dmp

      Filesize

      52KB