Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2024 08:31
Behavioral task
behavioral1
Sample
me.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
me.exe
Resource
win10v2004-20241007-en
General
-
Target
me.exe
-
Size
68KB
-
MD5
04485ee0f0313f990255aa4a06546abb
-
SHA1
fa87b9a7b914c11fb75b775e391a3ad46d4eb432
-
SHA256
b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867
-
SHA512
d95011d0bbae4c63ab0acf26568d0759990f26ed87dbc60ed01fdb840477519adb931feff6a6029c0b32d4ba4623ef2951ca260fcfabc609b364f51f775f024b
-
SSDEEP
768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMI4V:BHJaAoHoc2x7bZoYBAcQlwJdME
Malware Config
Extracted
runningrat
Signatures
-
RunningRat
RunningRat is a remote access trojan first seen in 2018.
-
RunningRat payload 1 IoCs
resource yara_rule behavioral2/memory/4820-1-0x0000000010000000-0x000000001000F000-memory.dmp family_runningrat -
Runningrat family
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NETSYSDDL\Parameters\ServiceDll = "C:\\Windows\\system32\\240626437.dll" me.exe -
Executes dropped EXE 1 IoCs
pid Process 2468 NETSYSDDL.exe -
Loads dropped DLL 4 IoCs
pid Process 4820 me.exe 4820 me.exe 3688 svchost.exe 2468 NETSYSDDL.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\240626437.dll me.exe File opened for modification C:\Windows\SysWOW64\ini.ini me.exe File created C:\Windows\SysWOW64\NETSYSDDL.exe svchost.exe File opened for modification C:\Windows\SysWOW64\NETSYSDDL.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language me.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NETSYSDDL.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 NETSYSDDL.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz NETSYSDDL.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software NETSYSDDL.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft NETSYSDDL.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie NETSYSDDL.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" NETSYSDDL.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum NETSYSDDL.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3688 wrote to memory of 2468 3688 svchost.exe 96 PID 3688 wrote to memory of 2468 3688 svchost.exe 96 PID 3688 wrote to memory of 2468 3688 svchost.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\me.exe"C:\Users\Admin\AppData\Local\Temp\me.exe"1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4820
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "NETSYSDDL"1⤵PID:3276
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "NETSYSDDL"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\NETSYSDDL.exeC:\Windows\system32\NETSYSDDL.exe "c:\windows\system32\240626437.dll",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:2468
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD58aa7b4bea7fdb2be4e55653a66f2a571
SHA11176c7d9a1212dd6f7859385582378c0d435c906
SHA2562748749a30129f7bdf0f29147fb4dcebe19942d9dadd425c900faa5c0efe2ee3
SHA512dc0c97d74da87f37867eb66258e049d5cbd64396880a0e587b75086f7f106a2388ec0fd93133480da819d1308c2c4553e966fe49e99d6cffa30cdac0283b986b
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
44B
MD51de46e06331c92fc4370f7019eaed8bd
SHA1524ab017351337c4344adf0d8b37d1a753af8039
SHA256c5dbbc9a98229831162e34fed510139827c35dbc9b2067c39d0c9f5385d33570
SHA5126a06fdffd6a523d7e868eac7985e385d73ee4943721a4cb3c2ef07e134a3a0dfc5ea24bdd28ff705cdfaecae4961f35597626e1763d8357aa6b6455cfd3a30f5