Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    48KB

  • Sample

    240422-rvpddace7z

  • MD5

    d65c7a3cb25eb79571854b5fab17be35

  • SHA1

    6c980e0357dea99771704f3f122d369d90fefd5f

  • SHA256

    7d693069636a46d7d430ced104854e7a19da09fc0b1e9c43e6ac55ab52bd8eea

  • SHA512

    bcd1a7598f1740e3838592c4a853e04caa78709a98454be0f8ab7cc2a4973c12e639192f676504ee97c7cbc6e34278011d998656ac8f81dccfc56e7455eb7678

  • SSDEEP

    768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67VhPC:Ub1MsHz3JDwhyWr+N95OTga6u

Score
10/10
runningratpersistencerat

Malware Config

Targets

    • Target

      tmp

    • Size

      48KB

    • MD5

      d65c7a3cb25eb79571854b5fab17be35

    • SHA1

      6c980e0357dea99771704f3f122d369d90fefd5f

    • SHA256

      7d693069636a46d7d430ced104854e7a19da09fc0b1e9c43e6ac55ab52bd8eea

    • SHA512

      bcd1a7598f1740e3838592c4a853e04caa78709a98454be0f8ab7cc2a4973c12e639192f676504ee97c7cbc6e34278011d998656ac8f81dccfc56e7455eb7678

    • SSDEEP

      768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67VhPC:Ub1MsHz3JDwhyWr+N95OTga6u

    Score
    10/10
    runningratpersistencerat

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

      ratrunningrat

    • Sets DLL path for service in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Creates a Windows Service

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks