Overview

overview

10

Static

static

10

me.exe

windows7-x64

10

me.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-04-2024 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    me.exe

  • Size

    68KB

  • MD5

    56ebc5ff9dece63f071cb0632a7cf43b

  • SHA1

    50373327e5aee1719f7d7ba1387a2ac67abc7111

  • SHA256

    bbe31a4ecad08a0cd9d895fcb01f6d2353d6e3a69a76c6d25ca0365eac810884

  • SHA512

    d73b5399baf7ad66b00eea5c601a8aeb1d3900a9b345ede09796eb732be556e5b79a7dbd587fa7939e4986828a6846c782f9908dda528d0bc1d9d9fb6e0d5d39

  • SSDEEP

    768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMI5V:BHJaAoHoc2x7bZoYBAcQlwJdMJ

Score
10/10
runningratpersistencerat

Malware Config

Signatures

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

    ratrunningrat
  • RunningRat payload 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\me.exe
    "C:\Users\Admin\AppData\Local\Temp\me.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:4620
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "NETRUSDDL"
    1⤵
      PID:672
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "NETRUSDDL"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\NETRUSDDL.exe
        C:\Windows\system32\NETRUSDDL.exe "c:\windows\system32\240595328.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3908

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\240595328.dll
      Filesize

      37KB

      MD5

      4846bc2f230a559f16085f8f6539db14

      SHA1

      ebf67aa28742dc138d67cb66d31ff2f6c090e74a

      SHA256

      adba9413b442d6d0298cfa70acc38591e9b0fac7bc07e91d1dffc0962de90d1b

      SHA512

      861b184f39d80b81379e9781375d578fd40fdaa282b70f876300d1b58bbadd36d65630ce6e6d56c7e02f31276a3fd18c10362ab0e1be865cb97b3b0009270449

      Download Submit

    • C:\Windows\SysWOW64\NETRUSDDL.exe
      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

      Download Submit

    • memory/4620-0-0x0000000010000000-0x000000001000F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/4620-8-0x0000000002220000-0x000000000222D000-memory.dmp

      Filesize

      52KB

      Download