runningrat | a13b433519a5f4ec9fb2338575371222bdf7147dcb96f31954167733ab3d7c0d

General

Target

tmp.exe
Size

48KB
MD5

84390188f985b677d7791e1ac337b20b
SHA1

6b03cc432e9db6e4e27570e96aac1ebd7a87416a
SHA256

a13b433519a5f4ec9fb2338575371222bdf7147dcb96f31954167733ab3d7c0d
SHA512

406a2c386613cc1411ed83cf6b1341543a079e7cc2f83f4f3c5d638fa0103146f444b0849b7981779970084ba44683f2128e7357ce9d45b2a1e85738a0736c86
SSDEEP

768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67lhPC:Ub1MsHz3JDwhyWr+N95OTga6O

Score

10^/10

runningrat persistence rat

Malware Config

Signatures

RunningRat
RunningRat is a remote access trojan first seen in 2018.
rat runningrat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SICK\Parameters\ServiceDll = "C:\\Windows\\system32\\240648062.dll"	tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 1 IoCs

Processes:

SICK.exe

pid	Process
3504	SICK.exe

Loads dropped DLL 3 IoCs

Processes:

tmp.exesvchost.exeSICK.exe

pid	Process
4620	tmp.exe
3236	svchost.exe
3504	SICK.exe

Creates a Windows Service
persistence

Drops file in System32 directory 3 IoCs

Processes:

tmp.exesvchost.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\240648062.dll	tmp.exe
File created	C:\Windows\SysWOW64\SICK.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\SICK.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SICK.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SICK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SICK.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

SICK.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	SICK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SICK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SICK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SICK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	SICK.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5548	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid	Process
4620	tmp.exe
4620	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description	pid	Process
Token: SeIncBasePriorityPrivilege	4620	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tmp.exe

pid	Process
4620	tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

tmp.execmd.exesvchost.exe

description	pid	Process	procid_target
PID 4620 wrote to memory of 532	4620	tmp.exe	93
PID 4620 wrote to memory of 532	4620	tmp.exe	93
PID 4620 wrote to memory of 532	4620	tmp.exe	93
PID 532 wrote to memory of 5548	532	cmd.exe	95
PID 532 wrote to memory of 5548	532	cmd.exe	95
PID 532 wrote to memory of 5548	532	cmd.exe	95
PID 3236 wrote to memory of 3504	3236	svchost.exe	96
PID 3236 wrote to memory of 3504	3236	svchost.exe	96
PID 3236 wrote to memory of 3504	3236	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:5548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SICK"
1⤵
PID:1052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "SICK"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\SICK.exe
  C:\Windows\system32\SICK.exe "c:\windows\system32\240648062.dll",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\240648062.dll

Filesize
25KB

MD5
b55fc3dd51d12fcdc94d24d324249f55

SHA1
cbd0a4835e34cb776ce597c47354ba36cba32988

SHA256
da9ef83ad8cee1bb91075d3e190cbd7dd37d886d7062a49770e61c3f02231540

SHA512
5b4d508bca7069b37e7bbc6dad3f3cfae696fbbd403ec33275f7dcdeca52930c5a780ee22674dc5720bf09be04c9b50ca16b1e39e7219e23d90f2fcda44308de

Download Submit
C:\Windows\SysWOW64\SICK.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads