Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2022 11:36
Behavioral task: behavioral1
Sample: 1.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 1.exe
Resource: win10v2004-20220901-en
General
Target: 1.exe
Size: 68KB
MD5: 93dff428b7ecfc0e4320d5190bd095b4
SHA1: 2c8b2fbc863bdbbbe9ec69ec4ca0cefa5afef503
SHA256: 76d00037ad0e19a299b97f7781affae6c33254887d0068dd7d13a34cc3d26297
SHA512: a77712c3f40a0ab0ef7bfd8927f5815d1c2d506cd5013fe44a392b1f585e889001ce48e424415c4fbd0598877fd9def3a26e1d24f27731e070d34dffb1b6ba58
SSDEEP: 768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMINEV:BHJaAoHoc2x7bZoYBAcQlwJdMC
Malware Config
Signatures
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
- RunningRat payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/4888-132-0x0000000010000000-0x000000001000F000-memory.dmp | family_runningrat
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2440 | SRDSLS.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRDSLS\Parameters\ServiceDll = "C:\\Windows\\system32\\240562484.dll" | 1.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  pid | process
  4888 | 1.exe
  4888 | 1.exe
  444 | svchost.exe
  2440 | SRDSLS.exe
- Drops file in System32 directory (4 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\240562484.dll | 1.exe
  File opened for modification | C:\Windows\SysWOW64\ini.ini | 1.exe
  File created | C:\Windows\SysWOW64\SRDSLS.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\SRDSLS.exe | svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 444 wrote to memory of 2440 | 444 | svchost.exe | SRDSLS.exe
  PID 444 wrote to memory of 2440 | 444 | svchost.exe | SRDSLS.exe
  PID 444 wrote to memory of 2440 | 444 | svchost.exe | SRDSLS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 4888
  Signatures:
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
  PID: 4108
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"
  PID: 444
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\SRDSLS.exe
    Command line: C:\Windows\system32\SRDSLS.exe "c:\windows\system32\240562484.dll",MainThread
    PID: 2440
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 37KB
  MD5: 164715ebaa909f51ca71773f920f7309
  SHA1: 25391b5a4e70a18146860922dd167a16e1561541
  SHA256: 169d74f19b79a6e0bdcc79386517b784870f9a6d4e3ff0174ddd03436f7496d7
  SHA512: 2ead5f0d370e72e942031cd8777deff76adaa03b2f17d1c556f622326271da19a5d29d5f84e55b885fbb6305b99a4f51f5015e0fd71d0936ce301d89f31cb826
- Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641