Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2024 02:15
Behavioral task
behavioral1
Sample
96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe
Resource
win10v2004-20241007-en
General
-
Target
96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe
-
Size
48KB
-
MD5
a2d7a570dc6b46bed057743394b59577
-
SHA1
4288fb43166954fc551b502585e481f629f89e91
-
SHA256
96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135
-
SHA512
fee4d1bed29187e0298d4b19550827a313e1d1515f742fc8fe52b5dc82cf06bf3915b9e4a00c43d672f2e7b3b146fd1887737446ee9b3e11253967879ddc4898
-
SSDEEP
768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67RhPC:Ub1MsHz3JDwhyWr+N95OTga6S
Malware Config
Signatures
-
RunningRat
RunningRat is a remote access trojan first seen in 2018.
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SySyeu\Parameters\ServiceDll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\240615234.dll" 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe -
Executes dropped EXE 1 IoCs
pid Process 1692 SySyeu.exe -
Loads dropped DLL 3 IoCs
pid Process 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe 2584 svchost.exe 1692 SySyeu.exe -
Creates a Windows Service
-
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\SySyeu.exe svchost.exe File opened for modification C:\Windows\SysWOW64\SySyeu.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SySyeu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 868 cmd.exe 1440 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1440 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2352 wrote to memory of 868 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe 87 PID 2352 wrote to memory of 868 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe 87 PID 2352 wrote to memory of 868 2352 96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe 87 PID 868 wrote to memory of 1440 868 cmd.exe 89 PID 868 wrote to memory of 1440 868 cmd.exe 89 PID 868 wrote to memory of 1440 868 cmd.exe 89 PID 2584 wrote to memory of 1692 2584 svchost.exe 94 PID 2584 wrote to memory of 1692 2584 svchost.exe 94 PID 2584 wrote to memory of 1692 2584 svchost.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe"C:\Users\Admin\AppData\Local\Temp\96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe"1⤵
- Server Software Component: Terminal Services DLL
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1440
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "SySyeu"1⤵PID:1364
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "SySyeu"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\SySyeu.exeC:\Windows\system32\SySyeu.exe "c:\users\admin\appdata\local\temp\240615234.dll",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1692
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD5db598538e7a70b73298f6424ae507e02
SHA1d06a04fb9ca1bb8da5974870196ae5c0eadc1fa9
SHA256cc4ab82995b0c0c827e99870948ef6a1371d4d1ed6d167a087c0d5c123d0f15e
SHA512ebedb94e2ba77836317596557fb447e6abc78fecfafce8de900d70202994fe829459665e0dec8813c51039b64a12d08258bc6074324b729994b61e8467f5e3fa
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641