3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

max time kernel150s
max time network149s
platformwindows10_x64
resourcewin10v20201028
submitted28-02-2021 07:08

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Filesize

78KB

Completed

28-02-2021 07:10

Score

10^/10

MD5

b7522739be3b41f898204a82bebbf202

SHA1

350d9490d8839b357882a2777e9dbf51ebcf4006

SHA256

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

Defense Evasion

Discovery

Persistence

MetamorpherRAT

Description

Metamorpherrat is a hacking tool that has been around for a while since 2013.

Tags

trojan rat stealer metamorpherrat
Executes dropped EXE
tmp861E.tmp.exe

Reported IOCs

pid process

2280 tmp861E.tmp.exe
Deletes itself
tmp861E.tmp.exe

Reported IOCs

pid process

2280 tmp861E.tmp.exe
Uses the VBS compiler for execution

TTPs

Scripting

pid	process
2280	tmp861E.tmp.exe

pid	process
2280	tmp861E.tmp.exe

Adds Run key to start application

tmp861E.tmp.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp861E.tmp.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious use of AdjustPrivilegeToken

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exetmp861E.tmp.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	744	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe
Token: SeDebugPrivilege	2280	tmp861E.tmp.exe

Suspicious use of WriteProcessMemory

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exevbc.exe

Reported IOCs

description	pid	process	target process
PID 744 wrote to memory of 628	744	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 744 wrote to memory of 628	744	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 744 wrote to memory of 628	744	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	vbc.exe
PID 628 wrote to memory of 1320	628	vbc.exe	cvtres.exe
PID 628 wrote to memory of 1320	628	vbc.exe	cvtres.exe
PID 628 wrote to memory of 1320	628	vbc.exe	cvtres.exe
PID 744 wrote to memory of 2280	744	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp861E.tmp.exe
PID 744 wrote to memory of 2280	744	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp861E.tmp.exe
PID 744 wrote to memory of 2280	744	3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe	tmp861E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

"C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe"

Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zk8gwomo.cmdline"

Suspicious use of WriteProcessMemory

PID:628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc616DA83934A34135AE1575B31F22542E.TMP"

PID:1320

C:\Users\Admin\AppData\Local\Temp\tmp861E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp861E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd.exe

Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken

PID:2280

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\RES89B7.tmp
MD5
b68f6c81742ed49f8bbfd5ff0881f758

SHA1
95cb681a7d1a9caa0e898f3efa55f1fb88eef7a5

SHA256
1088a1f884d6927f4fff3d78780838b81ce772b98b89ec39435f33e5fc78162c

SHA512
5d89d77fa4661a7d789e30b090736010c2ebd88208661eeee422391251d2532aff86a4122d788f364c7923a57735050d6d757ff9b1df8d5dd8eb464b6d09dda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp861E.tmp.exe
MD5
028e972b292b01f092dcd748a5092b88

SHA1
52c9779da19287e5453f006ec123ab6877aaef16

SHA256
3a7202692ab4fe7472de26cfffb165317dc74186af74992663dc717a3bc574bb

SHA512
fa2ece5aec549ba9fbc18a7417053f14f40b4456660b4a5aa02c90f7b9cf87fc07c01ecda24a56482bf2613ec99baba9d71e949018a538dcb3fb218768bf7048

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp861E.tmp.exe
MD5
028e972b292b01f092dcd748a5092b88

SHA1
52c9779da19287e5453f006ec123ab6877aaef16

SHA256
3a7202692ab4fe7472de26cfffb165317dc74186af74992663dc717a3bc574bb

SHA512
fa2ece5aec549ba9fbc18a7417053f14f40b4456660b4a5aa02c90f7b9cf87fc07c01ecda24a56482bf2613ec99baba9d71e949018a538dcb3fb218768bf7048

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc616DA83934A34135AE1575B31F22542E.TMP
MD5
376ef97d4353e713fc4c04db35a627db

SHA1
16a76c33852e419678becba8f840b923ec073a3e

SHA256
f8358eb909f4b8688d3504752548e672d7b0e40e9b39373ed9a339c847c6c65a

SHA512
6d4deedfc942f0e52036047ec362029231a9790e5a45add5bea5a4cc6d0d0362b1c39a5c557c16106b11ec1b527d95e908acf799af0b7e746bf4db1f473bf50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk8gwomo.0.vb
MD5
cbfff9a01e74cee08ea0247debc22db5

SHA1
45cd38be7d36e9f7cabd9ffb385434c7716eb673

SHA256
8f8fc8c03c4d60dbc66786563b6819fcb7dc4c03006708cefcddba3b3ade8711

SHA512
bf8468a4c4bb2196476b3772ade2bd7078367cbd0dcd75c641182a7cf26383debc22ce22cfbcf6af4749cc201e80fa6cccd339ca20953c337605c661ee5ce8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zk8gwomo.cmdline
MD5
56a5e4713df50af21992b5c1420c35e9

SHA1
cc8270ce33326e7a44f9de6b0495f892b379ab36

SHA256
51f32d2d155522e3b7b6907c4c75fc10912752629369ebd73707f1b5d7b32be0

SHA512
6ab49467d0e1a9f690f344cd51bc714f958adc84cf7ddba8b790b5459000ceeabc01645344aef5c9e8c2cf6d030281d723ceb45a78b6c6d42724682cc897087e

Download Submit
memory/628-5-0x0000000002380000-0x0000000002381000-memory.dmp

Download
memory/628-3-0x0000000000000000-mapping.dmp

Download
memory/744-2-0x0000000002550000-0x0000000002551000-memory.dmp

Download
memory/1320-8-0x0000000000000000-mapping.dmp

Download
memory/2280-12-0x0000000000000000-mapping.dmp

Download
memory/2280-14-0x0000000002910000-0x0000000002911000-memory.dmp

Download
memory/2280-15-0x0000000002913000-0x0000000002915000-memory.dmp

Download

3f5c2aacc7134dc7a7d78f4731c01db691be30d2989274f33f1b56e4090820cd

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

TTPs

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Title