Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2022 02:40

General

  • Target

    22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe

  • Size

    96KB

  • MD5

    2be2ce8ae439e80ea99fa51320cbc9f0

  • SHA1

    36b9e9d1345bca7abb7f5e7fe907715227961fae

  • SHA256

    22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8

  • SHA512

    8b15d17450d29dde654bcfbc6f76d6421d7a81401af67516f52aad073ea3f4213a340ac7979cf30eba674aa4e1bfdd997715d24ecdf58a2894f16fe809e6c880

  • SSDEEP

    1536:Jgtv4HxETPkgcky/Vht7ILmkAP3e3pzJuhyicgcqd33+9fX+:uv4HWT3yCfvZfucU3sf+

Malware Config

Signatures

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
    "C:\Users\Admin\AppData\Local\Temp\22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1388
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "AxInstSVS"
    1⤵
      PID:1556
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "AxInstSVS"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\AxInstSVS.exe
        C:\Windows\system32\AxInstSVS.exe "c:\users\admin\appdata\local\temp\240550828.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1432

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\240550828.dll

      Filesize

      29KB

      MD5

      4f20adf798f7b1e0dce5870dbafea689

      SHA1

      49f7bd54b99daa7f0b9a9427c8ec0e93feb11b72

      SHA256

      51dc0a55e0f705d53e83dd1aa678f8db874bc02bc30d3f386858d1a3a147d8d2

      SHA512

      0169846feadf444353e5f90f614c6ba238b0a9475bfb96d53080252c73084096d6213ad9505307a7a5960cee9a96d4edf8ca017667fdc21953f10285240bd55a

    • C:\Users\Admin\AppData\Local\Temp\240550828.dll

      Filesize

      29KB

      MD5

      4f20adf798f7b1e0dce5870dbafea689

      SHA1

      49f7bd54b99daa7f0b9a9427c8ec0e93feb11b72

      SHA256

      51dc0a55e0f705d53e83dd1aa678f8db874bc02bc30d3f386858d1a3a147d8d2

      SHA512

      0169846feadf444353e5f90f614c6ba238b0a9475bfb96d53080252c73084096d6213ad9505307a7a5960cee9a96d4edf8ca017667fdc21953f10285240bd55a

    • C:\Users\Admin\AppData\Local\Temp\240550828.dll

      Filesize

      29KB

      MD5

      4f20adf798f7b1e0dce5870dbafea689

      SHA1

      49f7bd54b99daa7f0b9a9427c8ec0e93feb11b72

      SHA256

      51dc0a55e0f705d53e83dd1aa678f8db874bc02bc30d3f386858d1a3a147d8d2

      SHA512

      0169846feadf444353e5f90f614c6ba238b0a9475bfb96d53080252c73084096d6213ad9505307a7a5960cee9a96d4edf8ca017667fdc21953f10285240bd55a

    • C:\Windows\SysWOW64\AxInstSVS.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • C:\Windows\SysWOW64\AxInstSVS.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • \??\c:\users\admin\appdata\local\temp\240550828.dll

      Filesize

      29KB

      MD5

      4f20adf798f7b1e0dce5870dbafea689

      SHA1

      49f7bd54b99daa7f0b9a9427c8ec0e93feb11b72

      SHA256

      51dc0a55e0f705d53e83dd1aa678f8db874bc02bc30d3f386858d1a3a147d8d2

      SHA512

      0169846feadf444353e5f90f614c6ba238b0a9475bfb96d53080252c73084096d6213ad9505307a7a5960cee9a96d4edf8ca017667fdc21953f10285240bd55a

    • memory/1432-135-0x0000000000000000-mapping.dmp