07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8

max time kernel150s
max time network152s
platformwindows7_x64
resourcewin7v20201028
submitted28-02-2021 07:08

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

Filesize

78KB

Completed

28-02-2021 07:11

Score

10^/10

MD5

ec1f806b2ca57c3c03be303890c6fd65

SHA1

7d48e0cb19d60dfe2a3a04aef63c57482a024c97

SHA256

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8

Defense Evasion

Discovery

Persistence

MetamorpherRAT

Description

Metamorpherrat is a hacking tool that has been around for a while since 2013.

Tags

trojan rat stealer metamorpherrat
Executes dropped EXE
tmp2E8F.tmp.exe

Reported IOCs

pid process

760 tmp2E8F.tmp.exe
Deletes itself
tmp2E8F.tmp.exe

Reported IOCs

pid process

760 tmp2E8F.tmp.exe

pid	process
760	tmp2E8F.tmp.exe

pid	process
760	tmp2E8F.tmp.exe

Loads dropped DLL

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

Reported IOCs

pid	process
1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

Uses the VBS compiler for execution

TTPs

Scripting

Adds Run key to start application

tmp2E8F.tmp.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmp2E8F.tmp.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious use of AdjustPrivilegeToken

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exetmp2E8F.tmp.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe
Token: SeDebugPrivilege	760	tmp2E8F.tmp.exe

Suspicious use of WriteProcessMemory

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exevbc.exe

Reported IOCs

description	pid	process	target process
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1968 wrote to memory of 1932	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	vbc.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1932 wrote to memory of 1704	1932	vbc.exe	cvtres.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe
PID 1968 wrote to memory of 760	1968	07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe	tmp2E8F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

"C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe"

Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2r1isa_y.cmdline"

Suspicious use of WriteProcessMemory

PID:1932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3035.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3034.tmp"

PID:1704

C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8.exe

Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken

PID:760

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\2r1isa_y.0.vb
MD5
6092d0095dcfcf393ac4d4b70e17aa98

SHA1
1b9b507375b75ab61452891e6ebe3ef5c87a76ea

SHA256
bb91af829ac9047a100bc7fbafaef6c927463ff20e9c52e22e8392b5a90a162c

SHA512
b9603cefca23ca1df8a6094b679dc3fc8802315cd95d2a9756745dec1dbe11d5b88806f1284ddcd5e0c8898045e9164d5a6e7a963ae12cc2757df3d89a70a3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2r1isa_y.cmdline
MD5
a298fdc9c62e44c91ed41e4505da5a17

SHA1
dbb6289bf74f229eb0b121505fc78a3282df7c95

SHA256
b51c56094f8b5261c5b7a2c9a88d36764b4d5d1eb71df81ff793928b792d1575

SHA512
5e2e194a63a9c0f0b3706d416f3eb44d3a2d2246261e33656fd605714d6c55d2bb2fab9e653fa0cc5dab4d6da1390ce69b6d0a99c2757b032694b8188b810a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3035.tmp
MD5
8a769eb80ef4228d683e19762431062c

SHA1
27566ac3291180acbcc95febbdd7e7779070d741

SHA256
d638c25b58acbadb490ce4bed02dba3ef62fe9f0dafd0825fff87d63772bfd76

SHA512
3e99144b95410011499c47b19f9fa476ad55ce6580362f7ef3cc4ea978fd6da4f3069fbbb417cbdb0667ea1474f1757d0038824983a7e15b7f081aa3a2651d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3034.tmp
MD5
423d2a2a25e154d49869fa5828ef80d4

SHA1
54c5b17a3fae95cc152978be3ec32d4d762a2509

SHA256
b086c3d35cbc19f023bcc6b3ac809a5ca318493aee765d9c2b2c799026c3d25f

SHA512
3b8e1114c57939b49b0864f18b80cb56e73d4397902b0fbdcda1fffc4b37970e87cca50b5dc65a7ab945bb6ef75457bc31f3739f30900ab9e2959f51015e9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2E8F.tmp.exe
MD5
ab7a1d32e88854ee9c7dd834ea3e95db

SHA1
e1cea5f0d7d9f9cd64424679b345d912819615e5

SHA256
0d549241c1134b2e698dcd29e5917a3150884945834d37d9672d25d3c1a26d36

SHA512
55d84b4545ccd69f565bb7072c599fc6dfef071982303cc694c94ea8c4dde1dce81af460ddbbd87c8c3d21073f8e73cc0e2863be91e412cb7d616fd659a92c57

Download Submit
memory/760-14-0x0000000000000000-mapping.dmp

Download
memory/760-18-0x0000000000480000-0x0000000000481000-memory.dmp

Download
memory/760-19-0x0000000000485000-0x0000000000496000-memory.dmp

Download
memory/1704-8-0x0000000000000000-mapping.dmp

Download
memory/1932-4-0x0000000000000000-mapping.dmp

Download
memory/1932-17-0x0000000002120000-0x0000000002121000-memory.dmp

Download
memory/1968-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

Download
memory/1968-2-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Download

07ac68fef8d90307874918f85d499b48ea2007b51f0bd404b5a35ba97a6c7dd8

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

TTPs

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Title