Analysis
Max time kernel: 150s
Max time network: 145s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 28-02-2021 07:08

Static task: static1
Behavioral task: behavioral1
  Sample: 4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
  Resource: win10v20201028

General
Target: 4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
Size: 78KB
MD5: 0106ede4fe7c8704ea04b3f66c5d80d6
SHA1: 59d774bed7c7c8f76de7fa436e238413870d16b6
SHA256: 4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d
SHA512: 8ed68cc9a26eb9ce1f9fd0d70ae0d0a6ba91c3d3cc3a2feb730957556f981edbcf41841815220552aedffcf85b1d967442e9d7fe9fd8f5a20ef19d1f7340439e
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Executes dropped EXE (1 IoC)
  Processes:
  PID 3128  tmp8A54.tmp.exe
- Deletes itself (1 IoC)
  Processes:
  PID 3128  tmp8A54.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
  Process: tmp8A54.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege  PID 1812  4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
  Token: SeDebugPrivilege  PID 3128  tmp8A54.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process):
  PID 1812 wrote to memory of 3840  4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe -> vbc.exe
  PID 1812 wrote to memory of 3840  4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe -> vbc.exe
  PID 1812 wrote to memory of 3840  4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe -> vbc.exe
  PID 3840 wrote to memory of 708   vbc.exe -> cvtres.exe
  PID 3840 wrote to memory of 708   vbc.exe -> cvtres.exe
  PID 3840 wrote to memory of 708   vbc.exe -> cvtres.exe
  PID 1812 wrote to memory of 3128  4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe -> tmp8A54.tmp.exe
  PID 1812 wrote to memory of 3128  4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe -> tmp8A54.tmp.exe
  PID 1812 wrote to memory of 3128  4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe -> tmp8A54.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xpglucq.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DCE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB76B2E4B635547FF9CF8AB1DC113EC2.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4d7e3818fcaa4b55056d58e20420d10fe1d8e56fbd6059d0a716c877f73aaa5d.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\7xpglucq.0.vb
  MD5: 50ea8ebb497f72c885d4185e51cee7b3
  SHA1: 3dcad645f1b64671c62de547f62388e80963b6cc
  SHA256: 0577e08a48f0d5701f60ba6e3105010c90bf384912f931439eecb48521c0a997
  SHA512: 128de8970052c7489c8f67c588cbe73dcc5327cfdade215e67564522ee6f63bd477398aa7bce4ba847a8f1c3820a9d4fa85fd84058e39270299edc03aa311a1f
- C:\Users\Admin\AppData\Local\Temp\7xpglucq.cmdline
  MD5: 54ea6e58b11aa2cd3d0d176507315b25
  SHA1: 238f63fab5e26c5ddfe13895538753b921099600
  SHA256: 0d090835f10712282e1fd9af159f34a13083685a511cab0279610920ba142396
  SHA512: b297ef338247eff314ea3617f063851617afd148a33bed5ec3e09e70e5dca94d887b9779470060683288fe1fd3c4eb859c32a5ad2e5692d618ff364030ace118
- C:\Users\Admin\AppData\Local\Temp\RES8DCE.tmp
  MD5: dcf7a8b0609b81fbb066e43c875b5e44
  SHA1: c4931cf18e5519f55b137d715cc3c181ff5a806d
  SHA256: 3a2afcc231b74bce5a7670e39e7cd4cc04b27b1dccb0cfbc891275efbb12585d
  SHA512: ed4d10ed15a76b437f81acea18c0e6b27ef25c488efdd8ccad22ef2100aeae182f562b4f4370f3ace39ba1f29af3a8a60050392ae5a1b55560608a6a4303f413
- C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
  MD5: 387a86d366dde8ec42ff8a8416a2197a
  SHA1: ed64e75c87eac03b2ec4a3505261b7f0d8760b14
  SHA256: d985674ad482d289da2819c5c9c722777a3fdcbaefa444db31c41231fe362e46
  SHA512: fe3c6c91e47e0b935042ea00b1cbc50129c9f096642412d7f68257ed4f31fefeeab1d5cb8e51c2af3f2aa212708b1c2272d86f7d855c228b616b213e05802b53
- C:\Users\Admin\AppData\Local\Temp\vbcB76B2E4B635547FF9CF8AB1DC113EC2.TMP
  MD5: 4026604773f1ed9d748c28cf5f39430d
  SHA1: 5977d4b52403bd41989b62964b34c32ff272b869
  SHA256: 5f7e9c93b30ebd23356736628c0f6152b05ea0c3049cef76268a58fe733b797d
  SHA512: 9df5346db274199b8a07990cb802c2914f2d8302a973a3dd95ecfd1a1641027937d5e3ff1d9e4cff44f07bdaa3968d27c641e4be8d94b073675d5f187ce6d096
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- memory/708-7-0x0000000000000000-mapping.dmp
- memory/1812-2-0x00000000023D0000-0x00000000023D1000-memory.dmp
  Filesize: 4KB
- memory/3128-12-0x0000000000000000-mapping.dmp
- memory/3128-14-0x00000000005D0000-0x00000000005D1000-memory.dmp
  Filesize: 4KB
- memory/3128-15-0x00000000005D3000-0x00000000005D5000-memory.dmp
  Filesize: 8KB
- memory/3840-11-0x0000000002480000-0x0000000002481000-memory.dmp
  Filesize: 4KB
- memory/3840-3-0x0000000000000000-mapping.dmp