Malware Analysis Report

2024-10-24 17:03

Sample ID 221126-wmw6gadb54
Target f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18
SHA256 f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18
Tags
runningrat persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18

Threat Level: Known bad

The file f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18 was found to be: Known bad.

Malicious Activity Summary

runningrat persistence

Runningrat family

RunningRat payload

Executes dropped EXE

Sets DLL path for service in the registry

Deletes itself

Loads dropped DLL

Checks computer location settings

Creates a Windows Service

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 18:02

Signatures

RunningRat payload

Description Indicator Process Target
N/A N/A N/A N/A

Runningrat family

runningrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 18:02

Reported

2022-11-27 09:17

Platform

win7-20220812-en

Max time kernel

161s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\123.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\7101961.dll" C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Creates a Windows Service

persistence

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\7101961.dll C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 328 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1116 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1116 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1116 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2044 wrote to memory of 1908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\123.exe
PID 2044 wrote to memory of 1908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\123.exe
PID 2044 wrote to memory of 1908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\123.exe
PID 2044 wrote to memory of 1908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\123.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe

"C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1

C:\Windows\SysWOW64\123.exe

C:\Windows\system32\123.exe "c:\program files (x86)\google\7101961.dll",MainThread

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ip.cn udp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp
N/A 104.21.6.167:80 ip.cn tcp

Files

memory/328-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

\Program Files (x86)\Google\7101961.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\??\c:\program files (x86)\google\7101961.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\Program Files (x86)\Google\7101961.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

memory/1116-58-0x0000000000000000-mapping.dmp

memory/2032-59-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\123.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/1908-61-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\123.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

\Program Files (x86)\Google\7101961.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\Program Files (x86)\Google\7101961.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\Program Files (x86)\Google\7101961.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

C:\Windows\SysWOW64\123.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

\Program Files (x86)\Google\7101961.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 18:02

Reported

2022-11-27 09:17

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\123.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\240552281.dll" C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Creates a Windows Service

persistence

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\240552281.dll C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe

"C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\f9db82c372cf49d7adfeb19deb46a8f291cccd255acd7402d8bd8188eec85a18.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1

C:\Windows\SysWOW64\123.exe

C:\Windows\system32\123.exe "c:\program files (x86)\google\240552281.dll",MainThread

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ip.cn udp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 95.101.78.82:80 tcp
N/A 209.197.3.8:80 tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 20.42.65.85:443 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
N/A 8.8.8.8:53 ip.cn udp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp

Files

C:\Program Files (x86)\Google\240552281.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

C:\Program Files (x86)\Google\240552281.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\??\c:\program files (x86)\google\240552281.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

memory/4944-135-0x0000000000000000-mapping.dmp

memory/4416-136-0x0000000000000000-mapping.dmp

memory/4884-137-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\123.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Program Files (x86)\Google\240552281.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

C:\Windows\SysWOW64\123.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641