Malware Analysis Report

2024-10-24 17:03

Sample ID 220820-y8z6csgcgp
Target 1.exe
SHA256 76d00037ad0e19a299b97f7781affae6c33254887d0068dd7d13a34cc3d26297
Tags: runningrat persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 76d00037ad0e19a299b97f7781affae6c33254887d0068dd7d13a34cc3d26297
Threat Level: Known bad

The file 1.exe was found to be: Known bad.

Malicious Activity Summary

Tags: runningrat persistence rat

Runningrat family
RunningRat
RunningRat payload
Executes dropped EXE
Sets DLL path for service in the registry
Loads dropped DLL
Drops file in System32 directory
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-20 20:28

Signatures

RunningRat payload: static family match; no per-event description, indicator, process or target is recorded for it.
Runningrat family (tag: runningrat)

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-20 20:28
Reported: 2022-08-20 20:30
Platform: win7-20220812-en
Max time kernel: 47s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Rows below are Description | Indicator | Process (| Target where one is recorded).

RunningRat (tags: rat, runningrat)
RunningRat payload: family match; no per-event indicator recorded.

Executes dropped EXE
  Process: C:\Windows\SysWOW64\SRDSLS.exe

Sets DLL path for service in the registry (persistence)
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRDSLS\Parameters\ServiceDll = "C:\\Windows\\system32\\7088170.dll" | C:\Users\Admin\AppData\Local\Temp\1.exe
  Note: the value names system32, but the file is created under SysWOW64 (next signature). The dropper is a 32-bit process, so WOW64 file-system redirection rewrites its system32 writes, and the 32-bit svchost.exe (also from SysWOW64) that later loads the DLL resolves the same path the same way. A host check has to look in both directories.

Drops file in System32 directory
  File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\1.exe
  File created | C:\Windows\SysWOW64\SRDSLS.exe | C:\Windows\SysWOW64\svchost.exe
  File opened for modification | C:\Windows\SysWOW64\SRDSLS.exe | C:\Windows\SysWOW64\svchost.exe
  File created | C:\Windows\SysWOW64\7088170.dll | C:\Users\Admin\AppData\Local\Temp\1.exe
  Note: SRDSLS.exe is written by the service host after the service DLL is loaded, not by the dropper. Between the two detonations the DLL name changes (7088170.dll here, 240572671.dll on Windows 10) while the service name SRDSLS and the file name ini.ini stay the same, so name-based indicators should key on the latter two.

Checks processor information in registry
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\SRDSLS.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\SRDSLS.exe
  Note: reading ~MHz is a common environment-fingerprinting read (CPU speed); on its own it is not evidence of sandbox evasion.

Modifies data under HKEY_USERS
  Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\SRDSLS.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\SRDSLS.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\SysWOW64\SRDSLS.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\SRDSLS.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\SRDSLS.exe
  Note: writes land under HKEY_USERS\.DEFAULT rather than a user's hive, which shows SRDSLS.exe running in the service's LocalSystem context. The ActiveMovie\devenum key is the one the DirectShow device enumerator creates, consistent with the payload enumerating audio or video capture devices; confirm from the DLL's imports before recording that as a capability.

Suspicious use of WriteProcessMemory
  PID 1296 (C:\Windows\SysWOW64\svchost.exe) wrote to memory of PID 964 (C:\Windows\SysWOW64\SRDSLS.exe), four times
  Note: the writer is the parent that launched SRDSLS.exe, and the only dump recorded for PID 964 is a mapping (memory/964-65-0x0000000000000000-mapping.dmp), so this row alone does not establish injection into an unrelated process. Treat it as injection only if the child's memory holds code that is not in the on-disk SRDSLS.exe.

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
C:\Windows\SysWOW64\SRDSLS.exe
    C:\Windows\system32\SRDSLS.exe "c:\windows\system32\7088170.dll",MainThread

From the WriteProcessMemory rows, the svchost.exe instance hosting the SRDSLS service is PID 1296 and SRDSLS.exe is PID 964. The service host is the 32-bit svchost.exe from SysWOW64 with a group name ("SRDSLS") that is not one of the stock svchost groups; that group name is itself a usable indicator. SRDSLS.exe is invoked with rundll32-style arguments (DLL path, then the export MainThread), and the image path is reported from SysWOW64 while its command line says system32, the same WOW64 redirection seen in the registry value. Because the file is written by the service host and only acts as a loader here, it is likely a renamed copy of a system binary (compare its hash against the platform's rundll32.exe to confirm); the code to analyse is the MainThread export of the numeric DLL.

Network

Country | Destination         | Domain           | Proto
NL      | 142.250.179.202:443 |                  | tcp
NL      | 142.250.179.195:443 |                  | tcp
US      | 8.8.8.8:443         |                  | tcp
US      | 8.8.8.8:53          | wuxi.tanxinyu.cn | udp
HK      | 20.239.56.69:520    | wuxi.tanxinyu.cn | tcp

The only destination the report ties to a name is 20.239.56.69:520, contacted after wuxi.tanxinyu.cn was resolved through 8.8.8.8. The table does not attribute connections to processes, so the remaining 443 flows cannot be assigned to the sample from this report alone; confirm them against a per-process capture before treating them as indicators.

Files

Memory dumps
memory/1916-54-0x0000000010000000-0x000000001000F000-memory.dmp
memory/1916-58-0x00000000759E1000-0x00000000759E3000-memory.dmp
memory/1916-60-0x00000000001E0000-0x00000000001ED000-memory.dmp
memory/964-65-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\7088170.dll (also recorded as \??\c:\windows\SysWOW64\7088170.dll; every occurrence carries the same hashes)
MD5 06dc6402f153aaa067f95cce93e23cd6
SHA1 dd74618956182878e33110d2f0900e442c5875a4
SHA256 9ef9d33de25bd7eb1692612909c4bb83e754b3824b6088469d6e082e5c8b368c
SHA512 401aaa6fd7e57927d87223124b5e0bf69d4a4c9d48c2f349082da65481cabec9f0b89f4a05d39d3fe9b4a6ed1ba040e3f905583b0f181ed2107e2f8edc7c8f16

\Windows\SysWOW64\SRDSLS.exe (also recorded as C:\Windows\SysWOW64\SRDSLS.exe)
MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Windows\SysWOW64\ini.ini
MD5 688a0af27b9161aedaf4d2a6e7836ccd
SHA1 bf5b413bfb1244446a011174c9d15f2ba6b2f4ba
SHA256 11a949b684cd68137a8ec9378dd3f82c3a6bc7c1a91bd8ac865ef58beea84540
SHA512 262dce9ebcf79d9c7a637185aa3383a811e55bd77e9e29c79967ae5ef8bb2337895e5e02d60f353797f91cbf45fb4628a82990ee36c47077c807737f8f235ec7

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-20 20:28
Reported: 2022-08-20 20:30
Platform: win10v2004-20220812-en
Max time kernel: 150s
Max time network: 136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Rows below are Description | Indicator | Process (| Target where one is recorded).

RunningRat (tags: rat, runningrat)
RunningRat payload: family match; no per-event indicator recorded.

Executes dropped EXE
  Process: C:\Windows\SysWOW64\SRDSLS.exe

Sets DLL path for service in the registry (persistence)
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRDSLS\Parameters\ServiceDll = "C:\\Windows\\system32\\240572671.dll" | C:\Users\Admin\AppData\Local\Temp\1.exe
  Note: same service name and same system32 path form as on Windows 7; only the DLL name differs. The file itself is created under SysWOW64 because the 32-bit dropper's system32 writes are redirected.

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\1.exe (twice)
  Process: C:\Windows\SysWOW64\svchost.exe
  Process: C:\Windows\SysWOW64\SRDSLS.exe
  Note: the dropper loads the DLL itself before the service does, so the DLL runs first in the user's context, then in the LocalSystem service host, then in SRDSLS.exe. Memory of all three is worth collecting; the 0x10000000 region dumped from PID 3108 (Files section) is the candidate for the loaded DLL.

Drops file in System32 directory
  File created | C:\Windows\SysWOW64\240572671.dll | C:\Users\Admin\AppData\Local\Temp\1.exe
  File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\1.exe
  File created | C:\Windows\SysWOW64\SRDSLS.exe | C:\Windows\SysWOW64\svchost.exe
  File opened for modification | C:\Windows\SysWOW64\SRDSLS.exe | C:\Windows\SysWOW64\svchost.exe

Checks processor information in registry
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\SRDSLS.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\SRDSLS.exe

Modifies data under HKEY_USERS
  Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\SRDSLS.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\SRDSLS.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\SysWOW64\SRDSLS.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\SRDSLS.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\SRDSLS.exe
  Note: identical to the Windows 7 run: SRDSLS.exe runs as LocalSystem (hence .DEFAULT) and touches the DirectShow device-enumerator key.

Suspicious use of WriteProcessMemory
  PID 4428 (C:\Windows\SysWOW64\svchost.exe) wrote to memory of PID 1168 (C:\Windows\SysWOW64\SRDSLS.exe), three times
  Note: parent-to-child writes at launch, with only a mapping dump (memory/1168-141-0x0000000000000000-mapping.dmp) recorded for the child; not by itself evidence of injection into a third process.

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
C:\Windows\SysWOW64\SRDSLS.exe
    C:\Windows\system32\SRDSLS.exe "c:\windows\system32\240572671.dll",MainThread

From the WriteProcessMemory rows, the svchost.exe instance hosting SRDSLS is PID 4428 and SRDSLS.exe is PID 1168. The chain is the same as on Windows 7: 32-bit svchost.exe with the non-standard group "SRDSLS", then a loader invoked with rundll32-style arguments naming the numeric DLL and its MainThread export.
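The persistence and execution chain recorded in both behavioral runs (ServiceDll written by a dropper in a user-writable path, a 32-bit svchost.exe started with a non-standard -k group, and a non-rundll32 binary taking rundll32-style "dll,export" arguments) is straightforward to turn into telemetry rules. The following is an added example written for this page, not code from the sandbox or from the RunningRat tooling. The event records are constructed from the report's rows; the field names ("type", "key", "value", "process", "image", "cmdline", "path") and the svchost group baseline are this example's own assumptions, not a vendor schema.

```python
"""Service-DLL persistence chain detector over host telemetry.

Added example, not part of the sandbox report or of any RunningRat tooling.
Events are constructed from the report's rows; the field names are this
example's own convention, not a vendor's schema.
"""
import re
from dataclasses import dataclass

# Assumption: a baseline of svchost "-k" groups for a stock install. Extend it
# per environment; a group outside it (here "SRDSLS") is the trigger.
BASELINE_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "localservicenonetwork", "localserviceandnoimpersonation",
    "localservicenopeerent", "networkservicenetworkrestricted", "wsappx",
    "utcsvc", "appmodel", "unistacksvcgroup", "clipboardsvcgroup", "termsvcs",
}
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)
SERVICEDLL_KEY = re.compile(r"\\services\\(?P<svc>[^\\]+)\\parameters\\servicedll$", re.I)
SVCHOST_GROUP = re.compile(r'-k\s+"?(?P<group>[^"\s]+)"?', re.I)
# rundll32 argument shape: <dll path>,<export>   e.g. "c:\...\x.dll",MainThread
RUNDLL_STYLE = re.compile(r'"?(?P<dll>[^"]+\.dll)"?\s*,\s*(?P<export>\w+)\s*$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    # Pass 1: collect every ServiceDll value written during the run.
    service_dlls: dict[str, str] = {}
    for ev in events:
        if ev["type"] == "registry_set":
            m = SERVICEDLL_KEY.search(ev["key"])
            if m:
                service_dlls[m.group("svc").lower()] = ev["value"]
    # Pass 2: evaluate the rules, correlating against the collected DLLs.
    for ev in events:
        if ev["type"] == "registry_set":
            m = SERVICEDLL_KEY.search(ev["key"])
            if not m:
                continue
            svc, dll = m.group("svc"), ev["value"]
            if USER_WRITABLE.search(ev["process"]):
                findings.append(Finding("servicedll_set_from_user_path", ev["process"], f"{svc}: {dll}"))
            if basename(dll).rsplit(".", 1)[0].isdigit():
                findings.append(Finding("servicedll_numeric_name", ev["process"], dll))
        elif ev["type"] == "process_create":
            img, cmd = basename(ev["image"]), ev["cmdline"]
            if img == "svchost.exe":
                g = SVCHOST_GROUP.search(cmd)
                if g and g.group("group").lower() not in BASELINE_SVCHOST_GROUPS:
                    group = g.group("group")
                    note = " (ServiceDll for this name written this run)" if group.lower() in service_dlls else ""
                    findings.append(Finding("svchost_nonstandard_group", ev["image"], group + note))
            elif img != "rundll32.exe":
                r = RUNDLL_STYLE.search(cmd)
                if r:
                    findings.append(Finding("rundll32_syntax_from_other_binary", ev["image"],
                                            f"{r.group('dll')},{r.group('export')}"))
        elif ev["type"] == "file_create":
            # A 32-bit process writing "system32" lands in SysWOW64 (file-system
            # redirection); tie the dropped file back to the ServiceDll value.
            for svc, dll in service_dlls.items():
                if (basename(ev["path"]) == basename(dll)
                        and "\\syswow64\\" in ev["path"].lower()
                        and "\\system32\\" in dll.lower()):
                    findings.append(Finding("wow64_redirected_servicedll", ev["process"],
                                            f"{svc}: registry {dll} -> disk {ev['path']}"))
    return findings


def report_events() -> list[dict]:
    """Constructed from the behavioral1 rows (Windows 7). behavioral2 differs
    only in the DLL name (240572671.dll) and the PIDs."""
    dropper = r"C:\Users\Admin\AppData\Local\Temp\1.exe"
    svchost = r"C:\Windows\SysWOW64\svchost.exe"
    return [
        {"type": "process_create", "image": dropper, "cmdline": f'"{dropper}"'},
        {"type": "registry_set", "process": dropper,
         "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRDSLS\Parameters\ServiceDll",
         "value": r"C:\Windows\system32\7088170.dll"},
        {"type": "file_create", "process": dropper, "path": r"C:\Windows\SysWOW64\7088170.dll"},
        {"type": "process_create", "image": svchost, "cmdline": f'{svchost} -k "SRDSLS"'},
        {"type": "file_create", "process": svchost, "path": r"C:\Windows\SysWOW64\SRDSLS.exe"},
        {"type": "process_create", "image": r"C:\Windows\SysWOW64\SRDSLS.exe",
         "cmdline": r'C:\Windows\system32\SRDSLS.exe "c:\windows\system32\7088170.dll",MainThread'},
    ]


if __name__ == "__main__":
    for f in analyze(report_events()):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

Each rule fires on its own, so a partial chain (for instance only the svchost group) still surfaces; the correlation in pass 2 is what lifts a single odd group name to a confirmed service-DLL install. A complete host check also reads the group's entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which this report does not record.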

Network

Country | Destination         | Domain           | Proto
US      | 93.184.220.29:80    |                  | tcp
US      | 93.184.220.29:80    |                  | tcp
US      | 8.8.8.8:53          | wuxi.tanxinyu.cn | udp
HK      | 20.239.56.69:520    | wuxi.tanxinyu.cn | tcp
NL      | 13.69.109.130:443   |                  | tcp
NL      | 104.80.225.205:443  |                  | tcp
US      | 209.197.3.8:80      |                  | tcp
US      | 209.197.3.8:80      |                  | tcp

As on Windows 7, the one name-attributed contact is wuxi.tanxinyu.cn resolving to 20.239.56.69 and a TCP connection to port 520 on that host; the domain, IP and port are identical across both detonations and both platforms, which makes them the network indicators to act on. The remaining 80/443 destinations carry no domain or process in this report and cannot be attributed to the sample from it.
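Both Network tables reduce to one actionable contact plus a set of unattributed flows. As an added example (not part of the report, and not a published RunningRat signature), the block below takes rows in the shape the report prints them, separates the DNS resolver from the resolved-name contacts and from the flows the report leaves unattributed, and emits Suricata rules for the name-attributed contact on a non-standard port. NETWORK_ROWS is constructed from the two tables above; the sid range and rule messages are placeholders of this example.

```python
"""Turn the report's Network rows into blockable indicators and Suricata rules.

Added example, not part of the report or of any published signature set.
NETWORK_ROWS is constructed from the two Network tables; the sid range and
rule messages are this example's own placeholders.
"""
from collections import defaultdict

# (country, "ip:port", domain, proto) as the report prints them; both runs.
NETWORK_ROWS = [
    ("NL", "142.250.179.202:443", "", "tcp"),
    ("NL", "142.250.179.195:443", "", "tcp"),
    ("US", "8.8.8.8:443", "", "tcp"),
    ("US", "8.8.8.8:53", "wuxi.tanxinyu.cn", "udp"),
    ("HK", "20.239.56.69:520", "wuxi.tanxinyu.cn", "tcp"),
    ("US", "93.184.220.29:80", "", "tcp"),
    ("US", "93.184.220.29:80", "", "tcp"),
    ("US", "8.8.8.8:53", "wuxi.tanxinyu.cn", "udp"),
    ("HK", "20.239.56.69:520", "wuxi.tanxinyu.cn", "tcp"),
    ("NL", "13.69.109.130:443", "", "tcp"),
    ("NL", "104.80.225.205:443", "", "tcp"),
    ("US", "209.197.3.8:80", "", "tcp"),
    ("US", "209.197.3.8:80", "", "tcp"),
]
COMMON_PORTS = {53, 80, 443}


def parse_dest(dest: str) -> tuple[str, int]:
    ip, port = dest.rsplit(":", 1)
    return ip, int(port)


def classify(rows):
    """Split rows into name-attributed contacts, DNS resolvers, and everything
    the report leaves unattributed (no domain, no owning process)."""
    by_domain: dict[str, set] = defaultdict(set)
    resolvers: set[str] = set()
    unattributed: set[tuple[str, int, str]] = set()
    for _country, dest, domain, proto in rows:
        ip, port = parse_dest(dest)
        if proto == "udp" and port == 53:
            resolvers.add(ip)          # the resolver is not the sample's infrastructure
        elif domain:
            by_domain[domain].add((ip, port, proto))
        else:
            unattributed.add((ip, port, proto))
    return by_domain, resolvers, unattributed


def suspicious_contacts(rows):
    """Name-attributed contacts on a port outside COMMON_PORTS: the ones worth
    blocking on sight. 80/443 contacts are not cleared by this, only deprioritised."""
    by_domain, _, _ = classify(rows)
    return sorted((domain, ip, port, proto)
                  for domain, contacts in by_domain.items()
                  for ip, port, proto in contacts
                  if port not in COMMON_PORTS)


def suricata_rules(rows, sid_base: int = 1000001) -> list[str]:
    """One rule per suspicious ip:port plus one DNS-query rule per domain.
    sid_base is a placeholder in the local-rules range; renumber for your ruleset."""
    rules: list[str] = []
    contacts = suspicious_contacts(rows)
    for domain, ip, port, proto in contacts:
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"Sandbox IOC: contact to {domain}"; flow:to_server; '
                     f'sid:{sid_base + len(rules)}; rev:1;)')
    for domain in sorted({c[0] for c in contacts}):
        rules.append(f'alert dns $HOME_NET any -> any any '
                     f'(msg:"Sandbox IOC: DNS query for {domain}"; dns.query; '
                     f'content:"{domain}"; nocase; sid:{sid_base + len(rules)}; rev:1;)')
    return rules


if __name__ == "__main__":
    by_domain, resolvers, unattributed = classify(NETWORK_ROWS)
    print("attributed:", dict(by_domain))
    print("resolvers:", resolvers)
    print("unattributed (need per-process capture):", sorted(unattributed))
    print("\n".join(suricata_rules(NETWORK_ROWS)))
```

The unattributed set is deliberately kept rather than dropped: the sandbox does not say which process opened those flows, so they go to a per-process capture for confirmation instead of into a blocklist. Port is used only as a ranking signal; a C2 on 443 would still need the domain and IP rules, which the same function produces once the contact is name-attributed.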

Files

Memory dumps
memory/3108-132-0x0000000010000000-0x000000001000F000-memory.dmp
memory/3108-138-0x0000000000510000-0x000000000051D000-memory.dmp
memory/1168-141-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\240572671.dll (also recorded as \??\c:\windows\SysWOW64\240572671.dll; every occurrence carries the same hashes)
MD5 69d28b043400bca977bf2007e534810e
SHA1 e35fafaf1b38fce03fd72aa055d0004b086b224b
SHA256 bd376cb3099da07ab9c140044f73cb8335956244cd7b5bf6cdfab4f708fa1d90
SHA512 dc9e932db1c8527ed731ef90ef991152a219f09290b97a52f480fe1b49546b75568c6b9197bb2a8718709752aeffa6196cff6103a363507d90b5cd4aa1198160

C:\Windows\SysWOW64\SRDSLS.exe
MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Windows\SysWOW64\ini.ini
MD5 f9466b450a335ca7e6dd5ad45d89b5e2
SHA1 2f5b7a72afae7af9d411759a43bc7fbb6ab555c6
SHA256 cf033b2090dee429d48cd6b8bf6664c318f1b5f188d99265cd85d282fda5318e
SHA512 8b2f1c68ce31b96ed85f9752d49dcb39d2dd05dfd39f5d09d1a8dc1bf37a024bf960edc556d1c1854e2fbedca4e45839dbf641402f0108f4c416b4a41c709f5e

Note that every dropped file differs in hash between the two detonations (DLL, SRDSLS.exe and ini.ini all change), while the service name SRDSLS, the file name ini.ini and the all-digit DLL name pattern are stable.
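The Files sections of both runs give exact hashes, but the hashes vary per detonation while the names and locations are stable, so a disk hunt needs both. The following is an added example written for this page, not tooling from the report; the SHA256 values are the report's own, the directory layout under `root` and the temp-directory fixture are constructed assumptions, and SRDSLS.exe is deliberately matched by name rather than hash (the assumption being that it may be a renamed system binary, in which case its hash would also hit the legitimate file).

```python
"""Hunt for the dropped files on a mounted image or live volume.

Added example, not part of the report. The SHA256 values are the report's;
the directory layout under `root` and the demo fixture are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 of the dropped files from both detonations (Files sections).
KNOWN_SHA256 = {
    "9ef9d33de25bd7eb1692612909c4bb83e754b3824b6088469d6e082e5c8b368c": "7088170.dll (behavioral1 service DLL)",
    "bd376cb3099da07ab9c140044f73cb8335956244cd7b5bf6cdfab4f708fa1d90": "240572671.dll (behavioral2 service DLL)",
    "11a949b684cd68137a8ec9378dd3f82c3a6bc7c1a91bd8ac865ef58beea84540": "ini.ini (behavioral1)",
    "cf033b2090dee429d48cd6b8bf6664c318f1b5f188d99265cd85d282fda5318e": "ini.ini (behavioral2)",
}
# SRDSLS.exe is matched by name only: it takes rundll32-style arguments and is
# written by the service host, so it may be a renamed system binary whose hash
# would also hit the legitimate file. Assumption; verify against rundll32.exe.
DROPPED_NAMES = {"ini.ini", "srdsls.exe"}
SYSTEM_DIRS = ("Windows/System32", "Windows/SysWOW64")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, known: dict[str, str] = KNOWN_SHA256) -> list[tuple[str, str]]:
    """Return sorted (rule, path) hits. The DLL name changed between runs
    (7088170 vs 240572671), so an all-digit .dll name in a system directory is
    checked as well as the exact hashes."""
    hits: list[tuple[str, str]] = []
    for rel in SYSTEM_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if not p.is_file():
                continue
            name = p.name.lower()
            stem, _, ext = name.rpartition(".")
            if ext == "dll" and stem.isdigit():
                hits.append(("numeric_dll_name", str(p)))
            if name in DROPPED_NAMES:
                hits.append(("dropped_name", str(p)))
            digest = sha256_of(p)
            if digest in known:
                hits.append(("known_hash:" + known[digest], str(p)))
    return sorted(hits)


DEMO_PAYLOAD = b"constructed stand-in for the service DLL"
DEMO_KNOWN = {hashlib.sha256(DEMO_PAYLOAD).hexdigest(): "demo DLL"}


def build_demo_root() -> Path:
    """Constructed fixture: a fake Windows tree in a temp dir, not real system files."""
    root = Path(tempfile.mkdtemp(prefix="srdsls_hunt_"))
    s32 = root / "Windows" / "System32"
    s32.mkdir(parents=True)
    (s32 / "7088170.dll").write_bytes(DEMO_PAYLOAD)
    (s32 / "ini.ini").write_bytes(b"[demo]\n")
    (s32 / "SRDSLS.exe").write_bytes(b"MZ demo")
    (s32 / "kernel32.dll").write_bytes(b"MZ legit")   # must not be flagged
    return root


if __name__ == "__main__":
    for rule, path in scan(build_demo_root(), known=DEMO_KNOWN):
        print(f"{rule:32} {path}")
```

On a live Windows host the call is scan(Path("C:/")); on a mounted image, the mount point. The numeric-name heuristic will also flag legitimately named DLLs that happen to be all digits, so treat it as a triage lead to pair with the ServiceDll registry check rather than as a verdict on its own.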