Analysis Overview
SHA256
44ae5d2173ef2de82335e4f8c206deaf754f8d413c24c983fa66711baeabffc3
Threat Level: Known bad
The file j1.exe was found to be: Known bad.
Malicious Activity Summary
Runningrat family
RunningRat
RunningRat payload
Loads dropped DLL
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-20 20:35
Signatures
RunningRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Runningrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-20 20:35
Reported
2022-08-20 20:37
Platform
win7-20220812-en
Max time kernel
46s
Max time network
122s
Command Line
Signatures
RunningRat
RunningRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\j1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\j1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\j1.exe
"C:\Users\Admin\AppData\Local\Temp\j1.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wuxi.tanxinyu.cn | udp |
| HK | 20.239.56.69:520 | wuxi.tanxinyu.cn | tcp |
Files
memory/2012-54-0x0000000010000000-0x000000001000F000-memory.dmp
memory/2012-58-0x00000000765F1000-0x00000000765F3000-memory.dmp
memory/2012-60-0x00000000002D0000-0x00000000002DD000-memory.dmp
\Users\Admin\AppData\Local\Temp\7085019.dll
| Hash | Value |
|---|---|
| MD5 | bcee601174e502b890d9885c17821fed |
| SHA1 | 1307067751e0dffae6e730ffde136ce7e2215069 |
| SHA256 | 1bddfa0f321a0603ffca9e642e8984f050591b18041645a9e68df657f2d63624 |
| SHA512 | 3b9b0a4c9e13452f5e2d708db5d652524b01ca4222ba0b09d938637f14acb9f9f78892b1ce152d893e1bba47abb393f65cfb303c0594ea8dfd2edf05d952a537 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-20 20:35
Reported
2022-08-20 20:37
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
RunningRat
RunningRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\j1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\j1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\j1.exe
"C:\Users\Admin\AppData\Local\Temp\j1.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | wuxi.tanxinyu.cn | udp |
| HK | 20.239.56.69:520 | wuxi.tanxinyu.cn | tcp |
| IE | 20.190.159.64:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 52.109.12.20:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| FR | 40.79.150.121:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| N/A | 8.238.23.254:80 | | tcp |
Files
memory/4860-132-0x0000000010000000-0x000000001000F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240545546.dll
| Hash | Value |
|---|---|
| MD5 | 4ae6358f0925de54dc99473ea6c25b69 |
| SHA1 | c422ba6cab67a1c17b9d7bc86e5823b82c635e5e |
| SHA256 | 5353709baadace594247c5cb5b37d1d5113dcc89594e205db91f1a2854bb540b |
| SHA512 | a57b393df7768eb0ed0be9e13d5bcc721fad657dcc091c4d16c8b4958e46283d7b92d3a5ae235214f8bb40939526198e9a2c2540ba67c7ef05a8ebc844d987e0 |
memory/4860-138-0x00000000005E0000-0x00000000005ED000-memory.dmp