Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2022 02:40
Behavioral task: behavioral1
Sample: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
Resource: win10v2004-20220812-en
General
Target: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
Size: 96KB
MD5: 2be2ce8ae439e80ea99fa51320cbc9f0
SHA1: 36b9e9d1345bca7abb7f5e7fe907715227961fae
SHA256: 22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8
SHA512: 8b15d17450d29dde654bcfbc6f76d6421d7a81401af67516f52aad073ea3f4213a340ac7979cf30eba674aa4e1bfdd997715d24ecdf58a2894f16fe809e6c880
SSDEEP: 1536:Jgtv4HxETPkgcky/Vht7ILmkAP3e3pzJuhyicgcqd33+9fX+:uv4HWT3yCfvZfucU3sf+
Malware Config
Signatures
-
RunningRat
RunningRat is a remote access trojan first seen in 2018.
-
Executes dropped EXE (1 IoC)
Processes (pid, process):
  1432  AxInstSVS.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AxInstSVS\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\240550828.dll"  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
Loads dropped DLL (3 IoCs)
Processes (pid, process):
  1388  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  2252  svchost.exe
  1432  AxInstSVS.exe
Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
  File created                   C:\Windows\SysWOW64\AxInstSVS.exe  svchost.exe
  File opened for modification   C:\Windows\SysWOW64\AxInstSVS.exe  svchost.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid, process):
  1388  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe  (12 occurrences)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
  1388  22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe  (2 occurrences)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
  PID 2252 wrote to memory of 1432  2252  svchost.exe  AxInstSVS.exe  (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22b7f81d57e0b35a909e158d1342bff6afd00aeb19a51f5c486583d7047768d8.exe"
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1388
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "AxInstSVS"
  PID: 1556
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "AxInstSVS"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2252
  - C:\Windows\SysWOW64\AxInstSVS.exe
    Command line: C:\Windows\system32\AxInstSVS.exe "c:\users\admin\appdata\local\temp\240550828.dll",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1432
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 29KB  (listed 4 times)
  MD5: 4f20adf798f7b1e0dce5870dbafea689
  SHA1: 49f7bd54b99daa7f0b9a9427c8ec0e93feb11b72
  SHA256: 51dc0a55e0f705d53e83dd1aa678f8db874bc02bc30d3f386858d1a3a147d8d2
  SHA512: 0169846feadf444353e5f90f614c6ba238b0a9475bfb96d53080252c73084096d6213ad9505307a7a5960cee9a96d4edf8ca017667fdc21953f10285240bd55a
- Filesize: 60KB  (listed 2 times)
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641