Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
07-05-2024 21:14
Behavioral task
behavioral1
Sample
36f053514147667738bcfa6d3d48a910_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
36f053514147667738bcfa6d3d48a910_NEIKI.exe
Resource
win10v2004-20240426-en
General
Target
36f053514147667738bcfa6d3d48a910_NEIKI.exe
Size
68KB
MD5
36f053514147667738bcfa6d3d48a910
SHA1
3924eb86882a70030ef22e9ac3e08dc01c181bb3
SHA256
bfb5b461d77189c56c95a3dc85d27ee4dfba10526be7d2295f7053dd83a9d206
SHA512
f58eceb42bcffb135322cc99277041982e89401e1798cf58df1548c7222eeffe896dfab1c949b8378fbe561fd354203aed56bd57b26fa02092db2cda880db6fe
SSDEEP
768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMIDV:BHJaAoHoc2x7bZoYBAcQlwJdM7
Malware Config
Signatures
RunningRat
RunningRat is a remote access trojan first seen in 2018.
RunningRat payload 1 IoCs
resource | yara_rule
behavioral2/memory/4952-0-0x0000000010000000-0x000000001000F000-memory.dmp | family_runningrat
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Desktop Service\Parameters\ServiceDll = "C:\\Windows\\system32\\240597421.dll" | 36f053514147667738bcfa6d3d48a910_NEIKI.exe
Executes dropped EXE 1 IoCs
pid | Process
316 | Remote Desktop Service.exe
Loads dropped DLL 4 IoCs
pid | Process
4952 | 36f053514147667738bcfa6d3d48a910_NEIKI.exe
4952 | 36f053514147667738bcfa6d3d48a910_NEIKI.exe
1028 | svchost.exe
316 | Remote Desktop Service.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ini.ini | 36f053514147667738bcfa6d3d48a910_NEIKI.exe
File created | C:\Windows\SysWOW64\Remote Desktop Service.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Remote Desktop Service.exe | svchost.exe
File created | C:\Windows\SysWOW64\240597421.dll | 36f053514147667738bcfa6d3d48a910_NEIKI.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1028 wrote to memory of 316 | 1028 | svchost.exe | 91
PID 1028 wrote to memory of 316 | 1028 | svchost.exe | 91
PID 1028 wrote to memory of 316 | 1028 | svchost.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\36f053514147667738bcfa6d3d48a910_NEIKI.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\36f053514147667738bcfa6d3d48a910_NEIKI.exe"
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:4952

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Desktop Service"
  PID:3248

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Desktop Service"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1028

    C:\Windows\SysWOW64\Remote Desktop Service.exe
      command line: "C:\Windows\system32\Remote Desktop Service.exe" "c:\windows\system32\240597421.dll",MainThread
      - Executes dropped EXE
      - Loads dropped DLL
      PID:316
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
37KB
MD5
63c34de15b5947ca8a499e63f5f9fc4e
SHA1
0719fe95a6f4979e44a571b5ba57a51406f535d2
SHA256
3b6e89b8f85c465d288c0e74cb6dacedd4744167561acbd9ffc07a366a47fb7b
SHA512
6235b9af1062c53416de62f7d95719ed348295ec3c0bc1f60e006e40704876f42b67eb4ef7100a91447eaf84eb1293dc1512bc5300c73f5e08ad6324e4eca146

Filesize
60KB
MD5
889b99c52a60dd49227c5e485a016679
SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641