Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/04/2024, 12:08 UTC

General

  • Target: me.exe
  • Size: 68KB
  • MD5: 56ebc5ff9dece63f071cb0632a7cf43b
  • SHA1: 50373327e5aee1719f7d7ba1387a2ac67abc7111
  • SHA256: bbe31a4ecad08a0cd9d895fcb01f6d2353d6e3a69a76c6d25ca0365eac810884
  • SHA512: d73b5399baf7ad66b00eea5c601a8aeb1d3900a9b345ede09796eb732be556e5b79a7dbd587fa7939e4986828a6846c782f9908dda528d0bc1d9d9fb6e0d5d39
  • SSDEEP: 768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMI5V:BHJaAoHoc2x7bZoYBAcQlwJdMJ

Malware Config

Signatures

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

  • RunningRat payload (1 IoC)
  • Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\me.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\me.exe"
    PID: 4620
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
  • C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k "NETRUSDDL"
    PID: 672
    • C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\SysWOW64\svchost.exe -k "NETRUSDDL"
      PID: 4356
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\NETRUSDDL.exe
        Command line: C:\Windows\system32\NETRUSDDL.exe "c:\windows\system32\240595328.dll",MainThread
        PID: 3908
        • Executes dropped EXE
        • Loads dropped DLL

Network

  DNS traffic (one row per flow; every request within a flow carried the same query, and all queries went to 8.8.8.8:53):

    Remote address  Query                 Type    Process        Bytes  Requests
    8.8.8.8:53      8.8.8.8.in-addr.arpa  IN PTR  -              330 B  5
    8.8.8.8:53      g.bing.com            IN A    -              280 B  5
    8.8.8.8:53      s.skybad.top          IN A    NETRUSDDL.exe  290 B  5
    8.8.8.8:53      g.bing.com            IN A    -              280 B  5
    8.8.8.8:53      s.skybad.top          IN A    NETRUSDDL.exe  290 B  5

  ("-" in the Process column means the report does not attribute the flow to a process.)

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\240595328.dll
    Filesize: 37KB
    MD5: 4846bc2f230a559f16085f8f6539db14
    SHA1: ebf67aa28742dc138d67cb66d31ff2f6c090e74a
    SHA256: adba9413b442d6d0298cfa70acc38591e9b0fac7bc07e91d1dffc0962de90d1b
    SHA512: 861b184f39d80b81379e9781375d578fd40fdaa282b70f876300d1b58bbadd36d65630ce6e6d56c7e02f31276a3fd18c10362ab0e1be865cb97b3b0009270449
  • C:\Windows\SysWOW64\NETRUSDDL.exe
    Filesize: 60KB
    MD5: 889b99c52a60dd49227c5e485a016679
    SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
    SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
    SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
  • memory/4620-0-0x0000000010000000-0x000000001000F000-memory.dmp
    Filesize: 60KB
  • memory/4620-8-0x0000000002220000-0x000000000222D000-memory.dmp
    Filesize: 52KB
