Analysis Overview
SHA256
f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18
Threat Level: Known bad
The file f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18 was found to be: Known bad.
Malicious Activity Summary
Runningrat family
RunningRat payload
Executes dropped EXE
Sets DLL path for service in the registry
Deletes itself
Loads dropped DLL
Checks computer location settings
Creates a Windows Service
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 18:02
Signatures
RunningRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Runningrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 18:02
Reported
2022-11-27 09:17
Platform
win7-20220812-en
Max time kernel
161s
Max time network
167s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\7101961.dll" | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Creates a Windows Service
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\7101961.dll | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe
"C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
C:\Windows\SysWOW64\123.exe
C:\Windows\system32\123.exe "c:\program files (x86)\google\7101961.dll",MainThread
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip.cn | udp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
Files
memory/328-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp
\Program Files (x86)\Google\7101961.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
\??\c:\program files (x86)\google\7101961.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
memory/1116-58-0x0000000000000000-mapping.dmp
memory/2032-59-0x0000000000000000-mapping.dmp
\Windows\SysWOW64\123.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
memory/1908-61-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\123.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 18:02
Reported
2022-11-27 09:17
Platform
win10v2004-20220812-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\240552281.dll" | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Creates a Windows Service
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\240552281.dll | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe
"C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
C:\Windows\SysWOW64\123.exe
C:\Windows\system32\123.exe "c:\program files (x86)\google\240552281.dll",MainThread
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip.cn | udp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 95.101.78.82:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 20.42.65.85:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | ip.cn | udp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
Files
C:\Program Files (x86)\Google\240552281.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
\??\c:\program files (x86)\google\240552281.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
memory/4944-135-0x0000000000000000-mapping.dmp
memory/4416-136-0x0000000000000000-mapping.dmp
memory/4884-137-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\123.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |