0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810

max time kernel130s
max time network139s
platformwindows7_x64
resourcewin7v20201028
submitted28-02-2021 07:09

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe

Filesize

78KB

Completed

28-02-2021 07:11

Score

10^/10

MD5

9b4497259f9f858244023de231400892

SHA1

08600ea0e22ae8e5168ec56a359d75ae2cf9b413

SHA256

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810

Defense Evasion

Discovery

Persistence

MetamorpherRAT

Description

Metamorpherrat is a hacking tool that has been around for a while since 2013.

Tags

trojan rat stealer metamorpherrat
Executes dropped EXE
tmp2BD1.tmp.exe

Reported IOCs

pid process

1968 tmp2BD1.tmp.exe
Deletes itself
tmp2BD1.tmp.exe

Reported IOCs

pid process

1968 tmp2BD1.tmp.exe

pid	process
1968	tmp2BD1.tmp.exe

pid	process
1968	tmp2BD1.tmp.exe

Loads dropped DLL

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe

Reported IOCs

pid	process
1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe

Uses the VBS compiler for execution

TTPs

Scripting

Adds Run key to start application

tmp2BD1.tmp.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp2BD1.tmp.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious use of AdjustPrivilegeToken

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exetmp2BD1.tmp.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe
Token: SeDebugPrivilege	1968	tmp2BD1.tmp.exe

Suspicious use of WriteProcessMemory

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exevbc.exe

Reported IOCs

description	pid	process	target process
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1724 wrote to memory of 1900	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	vbc.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1900 wrote to memory of 1172	1900	vbc.exe	cvtres.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe
PID 1724 wrote to memory of 1968	1724	0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe	tmp2BD1.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe

"C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe"

Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ck5jwbqb.cmdline"

Suspicious use of WriteProcessMemory

PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D57.tmp"

PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810.exe

Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken

PID:1968

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp
MD5
a6c08b890d32d7db8d871d26bb4df0dc

SHA1
a18632fe19a6229ac5963ca78d81e0e87c375b2c

SHA256
2639f0319f8557b0025c127539134ca90f565140f20a7afc8733c96a194ca69b

SHA512
b64ca6da3f8ec3cb8d0413ca3bd79d96cd23a855e30d01e1f52625b6e3adcbc0ce2897f8a86afee4025e30b8a9a4d72895bcf4e2d05dab7d366f38ced2172ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck5jwbqb.0.vb
MD5
c1b7849fc94d6f6507eb6676137e2eb1

SHA1
6084e0066a8c3929fe1dd43f2ba107b3a37cc141

SHA256
e3088e183274a2cb5af6eb314a1a13208b307842c6579578e91c7d2f5c6ebd22

SHA512
5a8f4fb536ad6599c5c45d553d2bb015bf047f490cdfca528a9af9f87b6671366fa3a330c7a9ab6d58155bed2d99a7447e3bad394f612efef7efbd4c5c247b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck5jwbqb.cmdline
MD5
295ae4f3e7f7495720992cbfa73a9d2f

SHA1
0848b8684018ab8f30970d7876aa6dd57db0ed96

SHA256
00d7a97565c63140c012329d3708449ae441e07965b486a01f025b381ee7ec02

SHA512
fb3e9eda08ef420cb0610adcf759634ad39d1454a62eed30acc93b31ede893ee4455a7f754afa683084fb31e5c63a6b2ca0cc01efed5f0bd4a67320f28834069

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D57.tmp
MD5
26fa5c1f118555393f5ad1c4d48762d0

SHA1
d7c42746042b724244d642511a7d4bb8b7706fca

SHA256
153f2fbddb37ab6c58e0d7ab0792d9c66bb047c72a7bc14428f72df9a84d1ccf

SHA512
25ef13621b88e9a74797601b6106c12d77120eed492a9d9c102a94db74a924c9d9faa48f242cbcd3120a30436443d6ac2c51fca166115ce68fa9a5276ea579af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp.exe
MD5
72283dd285a869236839befa4a4f6783

SHA1
f59b7cdd846b9d67ff1904a959065c9de37c1ee9

SHA256
b6f8a26583ef9215656d1c0c2bb797e6858a4a316ecd1f0a68ca82ae8b3ebafd

SHA512
8de24706a393bd9fc9908377f18d5bf384ad8827f393a25f8cdfd96ce37cce053b96095ebde7e534a510db3da8721a18a798fa1e152ad46f459196bffcd95aa8

Download Submit
memory/1172-7-0x0000000000000000-mapping.dmp

Download
memory/1724-11-0x00000000005E0000-0x00000000005E1000-memory.dmp

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Download
memory/1900-12-0x0000000001D60000-0x0000000001D61000-memory.dmp

Download
memory/1900-3-0x0000000000000000-mapping.dmp

Download
memory/1968-15-0x0000000000000000-mapping.dmp

Download
memory/1968-18-0x0000000001F10000-0x0000000001F11000-memory.dmp

Download
memory/1968-19-0x0000000001F15000-0x0000000001F26000-memory.dmp

Download

0048bbede90d7a4f6e980d38e7ddcfaf3fa4a87a1ac37cfd1b121e970d6c2810

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

TTPs

Tags

TTPs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Title