4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d

max time kernel150s
max time network145s
platformwindows10_x64
resourcewin10v20201028
submitted28-02-2021 07:08

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe

Filesize

78KB

Completed

28-02-2021 07:11

Score

10^/10

MD5

0106ede4fe7c8704ea04b3f66c5d80d6

SHA1

59d774bed7c7c8f76de7fa436e238413870d16b6

SHA256

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d

Defense Evasion

Discovery

Persistence

MetamorpherRAT

Description

Metamorpherrat is a hacking tool that has been around for a while since 2013.

Tags

trojan rat stealer metamorpherrat
Executes dropped EXE
tmp8A54.tmp.exe

Reported IOCs

pid process

3128 tmp8A54.tmp.exe
Deletes itself
tmp8A54.tmp.exe

Reported IOCs

pid process

3128 tmp8A54.tmp.exe
Uses the VBS compiler for execution

TTPs

Scripting

pid	process
3128	tmp8A54.tmp.exe

pid	process
3128	tmp8A54.tmp.exe

Adds Run key to start application

tmp8A54.tmp.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8A54.tmp.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious use of AdjustPrivilegeToken

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exetmp8A54.tmp.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
Token: SeDebugPrivilege	3128	tmp8A54.tmp.exe

Suspicious use of WriteProcessMemory

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exevbc.exe

Reported IOCs

description	pid	process	target process
PID 1812 wrote to memory of 3840	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	vbc.exe
PID 1812 wrote to memory of 3840	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	vbc.exe
PID 1812 wrote to memory of 3840	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	vbc.exe
PID 3840 wrote to memory of 708	3840	vbc.exe	cvtres.exe
PID 3840 wrote to memory of 708	3840	vbc.exe	cvtres.exe
PID 3840 wrote to memory of 708	3840	vbc.exe	cvtres.exe
PID 1812 wrote to memory of 3128	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	tmp8A54.tmp.exe
PID 1812 wrote to memory of 3128	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	tmp8A54.tmp.exe
PID 1812 wrote to memory of 3128	1812	4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe	tmp8A54.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe

"C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe"

Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xpglucq.cmdline"

Suspicious use of WriteProcessMemory

PID:3840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB76B2E4B635547FF9CF8AB1DC113EC2.TMP"

PID:708

C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe

Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken

PID:3128

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\7xpglucq.0.vb
MD5
50ea8ebb497f72c885d4185e51cee7b3

SHA1
3dcad645f1b64671c62de547f62388e80963b6cc

SHA256
0577e08a48f0d5701f60ba6e3105010c90bf384912f931439eecb48521c0a997

SHA512
128de8970052c7489c8f67c588cbe73dcc5327cfdade215e67564522ee6f63bd477398aa7bce4ba847a8f1c3820a9d4fa85fd84058e39270299edc03aa311a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7xpglucq.cmdline
MD5
54ea6e58b11aa2cd3d0d176507315b25

SHA1
238f63fab5e26c5ddfe13895538753b921099600

SHA256
0d090835f10712282e1fd9af159f34a13083685a511cab0279610920ba142396

SHA512
b297ef338247eff314ea3617f063851617afd148a33bed5ec3e09e70e5dca94d887b9779470060683288fe1fd3c4eb859c32a5ad2e5692d618ff364030ace118

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DCE.tmp
MD5
dcf7a8b0609b81fbb066e43c875b5e44

SHA1
c4931cf18e5519f55b137d715cc3c181ff5a806d

SHA256
3a2afcc231b74bce5a7670e39e7cd4cc04b27b1dccb0cfbc891275efbb12585d

SHA512
ed4d10ed15a76b437f81acea18c0e6b27ef25c488efdd8ccad22ef2100aeae182f562b4f4370f3ace39ba1f29af3a8a60050392ae5a1b55560608a6a4303f413

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
MD5
387a86d366dde8ec42ff8a8416a2197a

SHA1
ed64e75c87eac03b2ec4a3505261b7f0d8760b14

SHA256
d985674ad482d289da2819c5c9c722777a3fdcbaefa444db31c41231fe362e46

SHA512
fe3c6c91e47e0b935042ea00b1cbc50129c9f096642412d7f68257ed4f31fefeeab1d5cb8e51c2af3f2aa212708b1c2272d86f7d855c228b616b213e05802b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
MD5
387a86d366dde8ec42ff8a8416a2197a

SHA1
ed64e75c87eac03b2ec4a3505261b7f0d8760b14

SHA256
d985674ad482d289da2819c5c9c722777a3fdcbaefa444db31c41231fe362e46

SHA512
fe3c6c91e47e0b935042ea00b1cbc50129c9f096642412d7f68257ed4f31fefeeab1d5cb8e51c2af3f2aa212708b1c2272d86f7d855c228b616b213e05802b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB76B2E4B635547FF9CF8AB1DC113EC2.TMP
MD5
4026604773f1ed9d748c28cf5f39430d

SHA1
5977d4b52403bd41989b62964b34c32ff272b869

SHA256
5f7e9c93b30ebd23356736628c0f6152b05ea0c3049cef76268a58fe733b797d

SHA512
9df5346db274199b8a07990cb802c2914f2d8302a973a3dd95ecfd1a1641027937d5e3ff1d9e4cff44f07bdaa3968d27c641e4be8d94b073675d5f187ce6d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/708-7-0x0000000000000000-mapping.dmp

Download
memory/1812-2-0x00000000023D0000-0x00000000023D1000-memory.dmp

Download
memory/3128-12-0x0000000000000000-mapping.dmp

Download
memory/3128-14-0x00000000005D0000-0x00000000005D1000-memory.dmp

Download
memory/3128-15-0x00000000005D3000-0x00000000005D5000-memory.dmp

Download
memory/3840-11-0x0000000002480000-0x0000000002481000-memory.dmp

Download
memory/3840-3-0x0000000000000000-mapping.dmp

Download

4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

TTPs

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Title