Malware Analysis Report

2024-10-24 17:03

Sample ID: 220820-zczqdsahf4
Target: j1.exe
SHA256: 44ae5d2173ef2de82335e4f8c206deaf754f8d413c24c983fa66711baeabffc3
Tags: runningrat, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 44ae5d2173ef2de82335e4f8c206deaf754f8d413c24c983fa66711baeabffc3

Threat Level: Known bad

The file j1.exe was found to be: Known bad.

Malicious Activity Summary

runningrat rat

Runningrat family

RunningRat

RunningRat payload

Loads dropped DLL

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-08-20 20:35

Signatures

RunningRat payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Runningrat family

runningrat

Analysis: behavioral1

Detonation Overview

Submitted: 2022-08-20 20:35
Reported: 2022-08-20 20:37
Platform: win7-20220812-en
Max time kernel: 46s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\j1.exe"

Signatures

RunningRat

rat runningrat

RunningRat payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Loads dropped DLL

Description  Indicator  Process                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\j1.exe  N/A

Checks processor information in registry

Description        Indicator                                                               Process                                   Target
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  C:\Users\Admin\AppData\Local\Temp\j1.exe  N/A
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       C:\Users\Admin\AppData\Local\Temp\j1.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\j1.exe

"C:\Users\Admin\AppData\Local\Temp\j1.exe"

Network

Country  Destination       Domain            Proto
US       8.8.8.8:53        wuxi.tanxinyu.cn  udp
HK       20.239.56.69:520  wuxi.tanxinyu.cn  tcp

Files

memory/2012-54-0x0000000010000000-0x000000001000F000-memory.dmp

memory/2012-58-0x00000000765F1000-0x00000000765F3000-memory.dmp

memory/2012-60-0x00000000002D0000-0x00000000002DD000-memory.dmp

\Users\Admin\AppData\Local\Temp\7085019.dll

MD5 bcee601174e502b890d9885c17821fed
SHA1 1307067751e0dffae6e730ffde136ce7e2215069
SHA256 1bddfa0f321a0603ffca9e642e8984f050591b18041645a9e68df657f2d63624
SHA512 3b9b0a4c9e13452f5e2d708db5d652524b01ca4222ba0b09d938637f14acb9f9f78892b1ce152d893e1bba47abb393f65cfb303c0594ea8dfd2edf05d952a537

Analysis: behavioral2

Detonation Overview

Submitted: 2022-08-20 20:35
Reported: 2022-08-20 20:37
Platform: win10v2004-20220812-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\j1.exe"

Signatures

RunningRat

rat runningrat

RunningRat payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Loads dropped DLL

Description  Indicator  Process                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\j1.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\j1.exe  N/A

Checks processor information in registry

Description        Indicator                                                               Process                                   Target
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       C:\Users\Admin\AppData\Local\Temp\j1.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  C:\Users\Admin\AppData\Local\Temp\j1.exe  N/A
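The same two behavioural signatures show up in both runs: the sample loads a DLL it dropped into its own Temp directory, and it opens HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 and reads the ~MHz value. Reading that key is commonly done by malware for environment fingerprinting and timing calibration, but legitimate system-information tools read it too, so on its own it is a weak signal; the dropped-DLL load from a user-writable directory is what makes the pair worth alerting on. The Python below is an added example, not part of the sandbox report or its tooling: it runs that combined check over constructed Sysmon-style events (the event shape, field names, PIDs and the benign comparison events are all assumptions for the example) and alerts only on a process that runs from a user-writable directory and shows both behaviours.

```python
import re

# Paths an unprivileged user can write to; a sample running from here, or
# loading a DLL from here, is the first thing the alert keys on.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\AppData\\Local\\Temp|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)
# The key the report shows being opened and the ~MHz value being read,
# accepted in both the native (\REGISTRY\MACHINE) and the HKLM spelling.
CPU_KEY = re.compile(
    r"(?:\\REGISTRY\\MACHINE|HKLM)\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(?:\\~MHz)?$",
    re.IGNORECASE,
)

# Constructed events in a Sysmon-like shape (ImageLoad ~ EventID 7,
# RegistryEvent ~ EventID 12/13). Field names are assumptions for this example.
EVENTS = [
    {"pid": 2012, "image": r"C:\Users\Admin\AppData\Local\Temp\j1.exe",
     "type": "ImageLoad", "target": r"C:\Users\Admin\AppData\Local\Temp\7085019.dll"},
    {"pid": 2012, "image": r"C:\Users\Admin\AppData\Local\Temp\j1.exe",
     "type": "RegistryEvent", "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    # Benign: a system-information tool reading the same key from Program Files.
    {"pid": 4400, "image": r"C:\Program Files\CPUInfo\cpuinfo.exe",
     "type": "RegistryEvent", "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    # Benign: an installer in Temp loading only a system DLL.
    {"pid": 5100, "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "type": "ImageLoad", "target": r"C:\Windows\System32\kernel32.dll"},
]


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))


def detect(events, min_signals=2):
    """Return {pid: [reasons]} for processes that run from a user-writable
    directory and exhibit at least min_signals of the report's behaviours."""
    signals = {}
    for ev in events:
        found = signals.setdefault((ev["pid"], ev["image"]), set())
        target = ev["target"]
        if ev["type"] == "ImageLoad":
            if target.lower().endswith(".dll") and is_user_writable(target):
                found.add("loads DLL from user-writable directory")
        elif ev["type"] == "RegistryEvent" and CPU_KEY.search(target):
            found.add("queries CPU fingerprint key")
    return {
        pid: sorted(found)
        for (pid, image), found in signals.items()
        if is_user_writable(image) and len(found) >= min_signals
    }


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, reasons)
```

Only PID 2012 fires: the Program Files tool reads the CPU key but is not in a user-writable path, and the Temp installer loads a DLL but from System32. Lowering min_signals to 1 turns the CPU-key read alone into an alert, which is the noisy behaviour the two-signal requirement avoids.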

Processes

C:\Users\Admin\AppData\Local\Temp\j1.exe

"C:\Users\Admin\AppData\Local\Temp\j1.exe"

Network

Country  Destination         Domain            Proto
US       8.8.8.8:53          wuxi.tanxinyu.cn  udp
HK       20.239.56.69:520    wuxi.tanxinyu.cn  tcp
IE       20.190.159.64:443   N/A               tcp
US       209.197.3.8:80      N/A               tcp
US       52.109.12.20:443    N/A               tcp
US       93.184.220.29:80    N/A               tcp
US       93.184.221.240:80   N/A               tcp
US       93.184.221.240:80   N/A               tcp
US       93.184.221.240:80   N/A               tcp
NL       104.80.225.205:443  N/A               tcp
FR       40.79.150.121:443   N/A               tcp
US       209.197.3.8:80      N/A               tcp
US       209.197.3.8:80      N/A               tcp
US       209.197.3.8:80      N/A               tcp
N/A      8.238.23.254:80     N/A               tcp

Files

memory/4860-132-0x0000000010000000-0x000000001000F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240545546.dll

MD5 4ae6358f0925de54dc99473ea6c25b69
SHA1 c422ba6cab67a1c17b9d7bc86e5823b82c635e5e
SHA256 5353709baadace594247c5cb5b37d1d5113dcc89594e205db91f1a2854bb540b
SHA512 a57b393df7768eb0ed0be9e13d5bcc721fad657dcc091c4d16c8b4958e46283d7b92d3a5ae235214f8bb40939526198e9a2c2540ba67c7ef05a8ebc844d987e0

memory/4860-138-0x00000000005E0000-0x00000000005ED000-memory.dmp
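The Network and Files sections of the two runs give the actionable indicators: the domain wuxi.tanxinyu.cn, the endpoint it resolves to (20.239.56.69:520/tcp), and the SHA256s of the sample and the two dropped DLLs. The Windows 10 run also lists a dozen connections with no domain; the report does not attribute them and they appear only in that run, so they should not be promoted to indicators without further attribution. The Python below is an added example, not part of the report: it parses rows in the report's own column layout into an IOC set (treating the 8.8.8.8:53 lookup as the sandbox resolver rather than an indicator, and keeping un-attributed rows in their own bucket), then matches that set against constructed DNS, firewall and file-inventory log lines whose formats, hosts and timestamps are invented for the example.

```python
import re

# Network rows copied from the report (country, destination, optional domain,
# protocol). Rows without a domain are left un-attributed on purpose.
REPORT_NETWORK = """\
US 8.8.8.8:53 wuxi.tanxinyu.cn udp
HK 20.239.56.69:520 wuxi.tanxinyu.cn tcp
IE 20.190.159.64:443 tcp
US 209.197.3.8:80 tcp
N/A 8.238.23.254:80 tcp
"""

# SHA256s from the report: the sample and the two dropped DLLs.
REPORT_SHA256 = {
    "j1.exe": "44ae5d2173ef2de82335e4f8c206deaf754f8d413c24c983fa66711baeabffc3",
    "7085019.dll": "1bddfa0f321a0603ffca9e642e8984f050591b18041645a9e68df657f2d63624",
    "240545546.dll": "5353709baadace594247c5cb5b37d1d5113dcc89594e205db91f1a2854bb540b",
}

ROW = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")
RESOLVER = "8.8.8.8"  # the sandbox's DNS resolver; the lookup itself is not an IOC


def build_iocs(report_network=REPORT_NETWORK, sha256=REPORT_SHA256):
    """Split the report's rows into domain, endpoint and hash indicators,
    keeping rows with no domain in a separate 'unattributed' bucket."""
    iocs = {"domains": set(), "endpoints": set(),
            "sha256": set(sha256.values()), "unattributed": set()}
    for line in report_network.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if domain:
            iocs["domains"].add(domain.lower())
            if ip != RESOLVER:
                iocs["endpoints"].add((ip, int(port), proto))
        else:
            iocs["unattributed"].add((ip, int(port), proto))
    return iocs


# Constructed log lines (not from the report) in formats invented for this example.
DNS_LOG = """\
2024-10-24T16:58:01Z client=10.0.0.15 query=wuxi.tanxinyu.cn type=A
2024-10-24T16:58:03Z client=10.0.0.15 query=www.example.com type=A
"""
FW_LOG = """\
2024-10-24T16:58:02Z src=10.0.0.15 dst=20.239.56.69 dport=520 proto=tcp action=allow
2024-10-24T16:58:05Z src=10.0.0.22 dst=209.197.3.8 dport=80 proto=tcp action=allow
"""
HASH_INVENTORY = r"""host=WS-15 path=C:\Users\Admin\AppData\Local\Temp\240545546.dll sha256=5353709baadace594247c5cb5b37d1d5113dcc89594e205db91f1a2854bb540b
host=WS-22 path=C:\Windows\System32\kernel32.dll sha256=0000000000000000000000000000000000000000000000000000000000000000
"""


def match_logs(iocs, dns_log=DNS_LOG, fw_log=FW_LOG, inventory=HASH_INVENTORY):
    """Return (source, host, indicator) tuples for every log line that hits an IOC."""
    hits = []
    for line in dns_log.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if m and m.group(2).lower() in iocs["domains"]:
            hits.append(("dns", m.group(1), m.group(2)))
    for line in fw_log.splitlines():
        m = re.search(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)", line)
        if m and (m.group(2), int(m.group(3)), m.group(4)) in iocs["endpoints"]:
            hits.append(("net", m.group(1), f"{m.group(2)}:{m.group(3)}"))
    for line in inventory.splitlines():
        m = re.search(r"host=(\S+) path=(\S+) sha256=([0-9a-f]{64})", line)
        if m and m.group(3) in iocs["sha256"]:
            hits.append(("file", m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    iocs = build_iocs()
    print("unattributed (not promoted):", sorted(iocs["unattributed"]))
    for hit in match_logs(iocs):
        print(*hit)
```

The firewall line to 209.197.3.8:80 does not hit because that row carries no domain in the report and so never enters the endpoint set; if later analysis attributes such a row, moving it from the unattributed bucket into the endpoint set is a one-line change.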