Analysis
- max time kernel: 142s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-09-2022 18:40
Behavioral task: behavioral1
- Sample: server.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: server.exe
- Resource: win10v2004-20220812-en
General
- Target: server.exe
- Size: 68KB
- MD5: a91a3c7dab07eebc283ae3fa1f3b7227
- SHA1: e88d92ef9354efa3c7f14e9a323e3c96bb2033ad
- SHA256: 8c210c79c2b7c4ea35fa08d0c994a3ab26f50ee639c497f341b20da965cfbd1b
- SHA512: a74077b53023cdeff7fb6733e87ffe8f488b69be00d8ef027fdf935efaa79e5882e75956f01c6a94770b612ec0b39a2d8c08822c5f6dbecf956fadfad1f00e83
- SSDEEP: 768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMIxV:BHJaAoHoc2x7bZoYBAcQlwJdMZ
Malware Config
Signatures
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
- RunningRat payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4872-132-0x0000000010000000-0x000000001000F000-memory.dmp | family_runningrat
- Loads dropped DLL (2 IoCs)
  pid | process
  4872 | server.exe
  4872 | server.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\SysWOW64\240572015.dll | server.exe
- Program crash (1 IoC)
  pid | pid_target | process | target process
  1716 | 4872 | WerFault.exe | server.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\server.exe (PID 4872)
  command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - C:\Windows\SysWOW64\WerFault.exe (PID 1716)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 464
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2080)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4872 -ip 4872
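The signature set above (a DLL with an all-digit basename written into SysWOW64 and then loaded by the same process, the process later crashing under WerFault, and the file hashes in General and Downloads) can be turned into a small host-side check. The following is an added example, not part of the sandbox report and not the sandbox's own detection code: the SHA256 values are copied from the report, the Sysmon-style events are constructed for illustration, and the function and constant names are the example's own. One caveat a practitioner should keep in mind: the YARA hit is on the memory region 0x10000000-0x1000F000, which is the default preferred image base of a 32-bit DLL, so the payload was matched in memory after the dropped DLL was mapped, not in server.exe on disk; the hash check alone will not catch a repacked dropper.

```python
"""Host-side checks derived from the Triage report above.

Added example (not the sandbox's own code). SHA256 values are copied from the
report; the Sysmon-style events below are constructed for illustration.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# SHA256 values taken from the report: the submitted 68KB server.exe and the
# 37KB file listed under Downloads.
KNOWN_SHA256 = {
    "8c210c79c2b7c4ea35fa08d0c994a3ab26f50ee639c497f341b20da965cfbd1b": "server.exe (68KB, submitted sample)",
    "9de0e6dcfce129d162569037022fd63d8c3ecbdd53ccc98934820d689eccc6cf": "dropped file (37KB, Downloads)",
}

SYSWOW64 = PureWindowsPath(r"C:\Windows\SysWOW64")
# The dropped DLL in the report has an all-digit basename (240572015.dll).
NUMERIC_DLL_RE = re.compile(r"^\d+\.dll$", re.IGNORECASE)
# WerFault's target is passed as "-p <pid>" in both command lines in the tree.
WERFAULT_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known_hash(data: bytes):
    """Return the report label for data whose SHA256 is an IoC, else None."""
    return KNOWN_SHA256.get(sha256_of(data))


def is_numeric_dll_in_syswow64(path: str) -> bool:
    """True for <digits>.dll placed directly in SysWOW64 (case-insensitive,
    as PureWindowsPath compares case-insensitively)."""
    p = PureWindowsPath(path)
    return p.parent == SYSWOW64 and NUMERIC_DLL_RE.match(p.name) is not None


def werfault_target_pid(cmdline: str):
    """PID that WerFault.exe was launched for, or None if not a WerFault line."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def find_dropped_dll_loads(events):
    """Correlate FileCreate (Sysmon EventID 11) with ImageLoaded (EventID 7):
    report a process that wrote a numeric-named DLL into SysWOW64 and then
    loaded it, i.e. the 'Drops file in System32 directory' + 'Loads dropped
    DLL' pair from the report. Returns a list of (pid, image, dll) tuples."""
    dropped = {}  # (pid, lowercased dll path) -> creating image
    hits = []
    for ev in events:
        if ev["EventID"] == 11 and is_numeric_dll_in_syswow64(ev["TargetFilename"]):
            dropped[(ev["ProcessId"], ev["TargetFilename"].lower())] = ev["Image"]
        elif ev["EventID"] == 7:
            key = (ev["ProcessId"], ev["ImageLoaded"].lower())
            if key in dropped:
                hits.append((ev["ProcessId"], dropped[key], ev["ImageLoaded"]))
    return hits


# Constructed events (not from the report) shaped like Sysmon EventID 11 / 7.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4872,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\240572015.dll"},
    {"EventID": 7, "ProcessId": 4872,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\240572015.dll"},
    # Benign-looking DLL name in the same directory: must not alert.
    {"EventID": 11, "ProcessId": 1234,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\vcruntime140.dll"},
    # Ordinary system DLL load by an unrelated process: must not alert.
    {"EventID": 7, "ProcessId": 5555,
     "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll"},
]


if __name__ == "__main__":
    hits = find_dropped_dll_loads(SAMPLE_EVENTS)
    for pid, image, dll in hits:
        print(f"ALERT pid={pid} {image} dropped and loaded {dll}")
    crash_pid = werfault_target_pid(r"C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 464")
    if any(pid == crash_pid for pid, _, _ in hits):
        print(f"WerFault handled a crash of alerted pid {crash_pid}")
```

The numeric-DLL test is deliberately narrow (digits only, directly in SysWOW64) so that it does not fire on every third-party runtime dropped there; the correlation with a later load by the same PID is what raises the confidence, and the WerFault command line ties the crash in the process tree back to that PID.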
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 37KB
  MD5: b12a81048269cc1bad0cf68cc6eda857
  SHA1: 486588daefd8f9c4fdcb081351bbb7aeb0552dc9
  SHA256: 9de0e6dcfce129d162569037022fd63d8c3ecbdd53ccc98934820d689eccc6cf
  SHA512: cc1afe6986b67a1a4e0006d3754bf515cc8b9e52bccfffd0c18d69c5ea234a02995a7e9c4c9b86c51d148294af3cfc59f697ab8e604b584db17c7a6f17a82028