Overview

overview

10

Static

static

3f5c2aacc7...cd.exe

windows7_x64

8

3f5c2aacc7...cd.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28-02-2021 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

  • Size

    78KB

  • MD5

    b7522739be3b41f898204a82bebbf202

  • SHA1

    350d9490d8839b357882a2777e9dbf51ebcf4006

  • SHA256

    3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

  • SHA512

    e3de9441f58a7c120db5e86962abae6755bff93614d0a674e52ed23324f1f791435d69b1e0552c011388c89c5a6b5e64adbf05f9386bc560faa62daaa9b6e926

Score
10/10
metamorpherratpersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
    "C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zk8gwomo.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc616DA83934A34135AE1575B31F22542E.TMP"
        3⤵
          PID:1320
      • C:\Users\Admin\AppData\Local\Temp\tmp861E.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp861E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
        2⤵
        • Executes dropped EXE
        • Deletes itself
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:2280

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/628-5-0x0000000002380000-0x0000000002381000-memory.dmp

      Filesize

      4KB

      Download

    • memory/744-2-0x0000000002550000-0x0000000002551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2280-14-0x0000000002910000-0x0000000002911000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2280-15-0x0000000002913000-0x0000000002915000-memory.dmp

      Filesize

      8KB

      Download