Malware Analysis Report

2024-10-24 17:03

Sample ID 220907-nqz3jabhg3
Target 1.exe
SHA256 76d00037ad0e19a299b97f7781affae6c33254887d0068dd7d13a34cc3d26297
Tags
runningrat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76d00037ad0e19a299b97f7781affae6c33254887d0068dd7d13a34cc3d26297

Threat Level: Known bad

The file 1.exe was found to be: Known bad.

Malicious Activity Summary

runningrat persistence rat

RunningRat payload

Runningrat family

RunningRat

Executes dropped EXE

Sets DLL path for service in the registry

Loads dropped DLL

Drops file in System32 directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-07 11:36

Signatures

RunningRat payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Runningrat family

runningrat

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-07 11:36

Reported

2022-09-07 11:39

Platform

win10v2004-20220901-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

RunningRat

rat runningrat

RunningRat payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SRDSLS.exe | N/A

Sets DLL path for service in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRDSLS\Parameters\ServiceDll = "C:\\Windows\\system32\\240562484.dll" | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SRDSLS.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\240562484.dll | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
File created | C:\Windows\SysWOW64\SRDSLS.exe | C:\Windows\SysWOW64\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SRDSLS.exe | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 444 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\SRDSLS.exe
PID 444 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\SRDSLS.exe
PID 444 wrote to memory of 2440 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\SRDSLS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "SRDSLS"

C:\Windows\SysWOW64\SRDSLS.exe

C:\Windows\system32\SRDSLS.exe "c:\windows\system32\240562484.dll",MainThread
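The process chain recorded above is the whole persistence story in four steps: 1.exe drops a DLL with a numeric name into SysWOW64, registers it as the ServiceDll of a new service SRDSLS, the service starts under its own svchost group (-k "SRDSLS"), and the DLL running inside that svchost drops SRDSLS.exe and loads the same DLL through an exported MainThread entry point, rundll32-style, before writing into the new process. Two details matter for detection. First, the registry value names C:\Windows\system32\240562484.dll while the file was created in SysWOW64: 1.exe is a 32-bit process, so its writes to system32 are redirected to SysWOW64 by WOW64 file-system redirection, and the SysWOW64 svchost resolves the system32 path to the same directory. Second, the DLL name differs between the two detonations (240562484.dll here, 7093724.dll on Windows 7), so a rule keyed on the filename will miss the next sample. The following detection logic, added here as an example and not part of the report or of any sandbox's rule set, runs over constructed Sysmon-style event records built from the paths, PIDs and command lines in this report; the record layout, the event-ID numbers, the benign noise records and the KNOWN_GROUPS baseline are assumptions made for the example.

```python
import re

# Constructed Sysmon-style event records mirroring the behavioral2 detonation
# above. Image paths, PIDs, the service name, the DLL name and the command
# lines come from the report; the record shape, the Sysmon event IDs used as
# "id" and the two benign noise records are assumptions for this example.
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1.exe"
EVENTS = [
    {"id": 1,  "pid": 4888, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"id": 11, "pid": 4888, "image": DROPPER, "target": r"C:\Windows\SysWOW64\240562484.dll"},
    {"id": 13, "pid": 4888, "image": DROPPER,
     "target": r"HKLM\SYSTEM\ControlSet001\Services\SRDSLS\Parameters\ServiceDll",
     "details": r"C:\Windows\system32\240562484.dll"},
    {"id": 1,  "pid": 444,  "image": SVCHOST, "cmd": f'{SVCHOST} -k "SRDSLS"'},
    {"id": 11, "pid": 444,  "image": SVCHOST, "target": r"C:\Windows\SysWOW64\SRDSLS.exe"},
    {"id": 1,  "pid": 2440, "image": r"C:\Windows\SysWOW64\SRDSLS.exe",
     "cmd": r'C:\Windows\system32\SRDSLS.exe "c:\windows\system32\240562484.dll",MainThread'},
    {"id": 10, "pid": 444,  "image": SVCHOST,
     "target_image": r"C:\Windows\SysWOW64\SRDSLS.exe", "access": 0x1FFFFF},
    # Benign noise (constructed): a normal svchost group and an installer writing a DLL.
    {"id": 1,  "pid": 900,  "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"id": 11, "pid": 1200, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\vendor.dll"},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
SERVICEDLL_KEY = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
SVCHOST_GROUP = re.compile(r'svchost\.exe\s+-k\s+"?([^"\s]+)"?', re.I)
DLL_EXPORT_ARG = re.compile(r'"?[^"\s]+\.dll"?\s*,\s*\w+\s*$', re.I)  # "<dll>,<export>" tail
NUMERIC_DLL = re.compile(r"^\d+\.dll$", re.I)  # 240562484.dll / 7093724.dll pattern
PROCESS_VM_WRITE = 0x0020  # Windows process access right
# Assumption: svchost groups present on a clean reference host. Build the real
# baseline from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_GROUPS = {"netsvcs", "localservice", "networkservice", "localsystemnetworkrestricted",
                "localservicenetworkrestricted", "localservicenonetwork", "dcomlaunch", "rpcss"}


def detect(events):
    """Return (rule, subject, evidence) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        img = e["image"]
        if e["id"] == 13:
            # ServiceDll written by something in a user-writable path, or pointing
            # at a DLL whose name is just digits: neither happens in a normal install.
            m = SERVICEDLL_KEY.search(e["target"])
            dll_name = e["details"].rsplit("\\", 1)[-1]
            if m and (USER_WRITABLE.match(img) or NUMERIC_DLL.match(dll_name)):
                hits.append(("servicedll_set_by_untrusted", m.group(1), e["details"]))
        elif e["id"] == 11 and SYSTEM_DIR.match(e["target"]):
            if USER_WRITABLE.match(img):
                hits.append(("system_dir_drop_from_temp", e["target"], img))
            elif img.lower().endswith("\\svchost.exe") and e["target"].lower().endswith((".exe", ".dll")):
                # svchost itself writing a PE into a system directory is rare;
                # servicing is done by TrustedInstaller, so treat this as a strong signal.
                hits.append(("svchost_drops_pe", e["target"], img))
        elif e["id"] == 1:
            m = SVCHOST_GROUP.search(e["cmd"])
            if m and m.group(1).lower() not in KNOWN_GROUPS:
                hits.append(("unknown_svchost_group", m.group(1), e["cmd"]))
            if DLL_EXPORT_ARG.search(e["cmd"]) and not img.lower().endswith("\\rundll32.exe"):
                hits.append(("rundll32_like_loader", img, e["cmd"]))
        elif e["id"] == 10 and e["access"] & PROCESS_VM_WRITE:
            if img.lower().endswith("\\svchost.exe") and not e["target_image"].lower().endswith("\\svchost.exe"):
                hits.append(("svchost_writes_foreign_process", e["target_image"], img))
    return hits


if __name__ == "__main__":
    for rule, subject, evidence in detect(EVENTS):
        print(f"{rule:32} {subject}  <- {evidence}")
```

On the constructed events every malicious step fires exactly one rule and the netsvcs and msiexec records stay quiet. The servicedll rule is the one worth deploying first: a ServiceDll write is rare outside of software installation, and the numeric-filename test catches both detonations in this report without knowing the name in advance.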

Network

Country | Destination | Domain | Proto
US | 8.253.135.112:80 | N/A | tcp
US | 8.253.135.112:80 | N/A | tcp
US | 8.8.8.8:53 | wuxi.tanxinyu.cn | udp
HK | 20.239.56.69:520 | wuxi.tanxinyu.cn | tcp
NL | 104.80.225.205:443 | N/A | tcp
US | 20.189.173.4:443 | N/A | tcp
NL | 178.79.208.1:80 | N/A | tcp
NL | 178.79.208.1:80 | N/A | tcp
NL | 178.79.208.1:80 | N/A | tcp
HK | 20.239.56.69:520 | wuxi.tanxinyu.cn | tcp
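Only one destination in the table is tied to a domain the sample resolved: wuxi.tanxinyu.cn, looked up via 8.8.8.8 and then contacted on 20.239.56.69 over TCP port 520. The report does not say which of the remaining 80/443 destinations are the sample's and which are sandbox background traffic, so a detector should key on the domain and the domain-associated endpoint rather than on every address listed. Port 520 is a useful secondary signal in its own right, since the registered service on that port (RIP) runs over UDP and a TCP connection there is unusual. The correlation below is an added example, not part of the report: it runs over constructed key=value DNS and connection log lines (two mirror the report, the rest are noise built from documentation address ranges), remembers which IPs were answered for the IOC domain, and flags later connections to those IPs even on a port the report did not list.

```python
IOC_DOMAINS = {"wuxi.tanxinyu.cn"}              # from the Network table above
IOC_ENDPOINTS = {("20.239.56.69", 520, "tcp")}   # destination listed with that domain

# Constructed log lines standing in for DNS and connection logs. The first two
# mirror the report; the 443 connection is constructed to exercise the
# resolved-IP rule; the remaining lines are benign noise and a weak-signal
# case using documentation address ranges (203.0.113.0/24, 198.51.100.0/24).
LOG_LINES = [
    "type=dns src=10.0.0.5 query=wuxi.tanxinyu.cn answers=20.239.56.69",
    "type=conn src=10.0.0.5 dst=20.239.56.69 dport=520 proto=tcp",
    "type=conn src=10.0.0.5 dst=20.239.56.69 dport=443 proto=tcp",
    "type=conn src=10.0.0.5 dst=8.253.135.112 dport=80 proto=tcp",
    "type=dns src=10.0.0.7 query=www.example.com answers=203.0.113.10",
    "type=conn src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp",
    "type=conn src=10.0.0.9 dst=198.51.100.2 dport=520 proto=udp",
    "type=conn src=10.0.0.9 dst=198.51.100.3 dport=520 proto=tcp",
]


def parse(line):
    """Split one 'key=value key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_ioc_domain(name):
    """Match the IOC domain and any subdomain of it, ignoring case and a trailing dot."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def correlate(lines):
    """Return (rule, source, detail) alerts in log order.

    DNS answers for an IOC domain are remembered so that a later connection to
    the resolved address is flagged even if the port differs from the report.
    """
    resolved = {}  # ip -> IOC domain it was answered for
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec["type"] == "dns":
            if is_ioc_domain(rec["query"]):
                alerts.append(("ioc_dns_query", rec["src"], rec["query"]))
                for ip in filter(None, rec.get("answers", "").split(",")):
                    resolved[ip] = rec["query"]
        elif rec["type"] == "conn":
            dst, dport, proto = rec["dst"], int(rec["dport"]), rec["proto"].lower()
            if (dst, dport, proto) in IOC_ENDPOINTS:
                alerts.append(("ioc_endpoint", rec["src"], f"{dst}:{dport}/{proto}"))
            elif dst in resolved:
                alerts.append(("conn_to_ioc_resolved_ip", rec["src"], f"{dst} ({resolved[dst]})"))
            elif proto == "tcp" and dport == 520:
                # RIP is UDP/520; TCP to that port is a weak signal on its own.
                alerts.append(("tcp_520_unusual", rec["src"], f"{dst}:{dport}/{proto}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in correlate(LOG_LINES):
        print(f"{rule:24} {src}  {detail}")
```

The connection to 8.253.135.112:80 produces nothing, which is the intended behaviour: it is in the report's table but nothing on this page ties it to the RAT, and flagging it would only add noise.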

Files

memory/4888-132-0x0000000010000000-0x000000001000F000-memory.dmp

C:\Windows\SysWOW64\240562484.dll

MD5 164715ebaa909f51ca71773f920f7309
SHA1 25391b5a4e70a18146860922dd167a16e1561541
SHA256 169d74f19b79a6e0bdcc79386517b784870f9a6d4e3ff0174ddd03436f7496d7
SHA512 2ead5f0d370e72e942031cd8777deff76adaa03b2f17d1c556f622326271da19a5d29d5f84e55b885fbb6305b99a4f51f5015e0fd71d0936ce301d89f31cb826

memory/4888-138-0x00000000005C0000-0x00000000005CD000-memory.dmp

\??\c:\windows\SysWOW64\240562484.dll

MD5 164715ebaa909f51ca71773f920f7309
SHA1 25391b5a4e70a18146860922dd167a16e1561541
SHA256 169d74f19b79a6e0bdcc79386517b784870f9a6d4e3ff0174ddd03436f7496d7
SHA512 2ead5f0d370e72e942031cd8777deff76adaa03b2f17d1c556f622326271da19a5d29d5f84e55b885fbb6305b99a4f51f5015e0fd71d0936ce301d89f31cb826

memory/2440-141-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\SRDSLS.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-07 11:36

Reported

2022-09-07 11:39

Platform

win7-20220812-en

Max time kernel

37s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

RunningRat

rat runningrat

RunningRat payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\7093724.dll | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Network

N/A

Files

memory/1384-54-0x0000000010000000-0x000000001000F000-memory.dmp

memory/1384-58-0x0000000076701000-0x0000000076703000-memory.dmp

\Windows\SysWOW64\7093724.dll

MD5 6885e1deaf80970a470bc0beecd46632
SHA1 3e1d477eafb9573c58d25c7fc2037b643056f524
SHA256 4463d79f7e2b8e03129d0a2ac355ac7f3edf2bcdb2b627ebb932438992be9e8b
SHA512 e45f27712629701feb729e2ec2b9377e236004074afb2dbb00914c6abe04446c7d1251d3db4178a430382f0708c1a401a01ff65e6e2b7f54f5f910045f18956f

memory/1384-60-0x0000000000250000-0x000000000025D000-memory.dmp