Analysis
- max time kernel: 4294210s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 26-03-2022 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
  Resource: win10v2004-en-20220113
General
- Target: ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
- Size: 78KB
- MD5: 00fd8f3d1b855717213460550c2f09f9
- SHA1: d4475c42754dcf04d648741efe6bb195978bbcbd
- SHA256: ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962
- SHA512: 5497ef18c6973c2e1b3eaa85270f5739069cf23e05d21a0de2e2fabc8c19fcc59b3dfc1ee0dc293d441da8fdec35ca9656d3df328f8804ef6a8b73f8ccb354de
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1468  tmp4682.tmp.exe
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1468  tmp4682.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
    1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                    process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  tmp4682.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
    Token: SeDebugPrivilege  1468  tmp4682.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 1844 wrote to memory of 2020   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  vbc.exe
    PID 1844 wrote to memory of 2020   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  vbc.exe
    PID 1844 wrote to memory of 2020   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  vbc.exe
    PID 1844 wrote to memory of 2020   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  vbc.exe
    PID 2020 wrote to memory of 1208   2020  vbc.exe                                                                 cvtres.exe
    PID 2020 wrote to memory of 1208   2020  vbc.exe                                                                 cvtres.exe
    PID 2020 wrote to memory of 1208   2020  vbc.exe                                                                 cvtres.exe
    PID 2020 wrote to memory of 1208   2020  vbc.exe                                                                 cvtres.exe
    PID 1844 wrote to memory of 1468   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  tmp4682.tmp.exe
    PID 1844 wrote to memory of 1468   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  tmp4682.tmp.exe
    PID 1844 wrote to memory of 1468   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  tmp4682.tmp.exe
    PID 1844 wrote to memory of 1468   1844  ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe  tmp4682.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jonphqse.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47CA.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ba05cff99c9c900d8210f793e76f76bf0f0b25d077f45ee32ddf4d56b78b9962.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES47CB.tmp
  MD5: a9a553d28a38af4877e8739549655a71
  SHA1: c38cf2c1305f6c2e0445521924dd7074686bfc2d
  SHA256: 47eef426a66802f92bca9a6761fbd24742b3cbf60efe20f7bbd59a7cafe3198a
  SHA512: f5d2bed99a1bdcfcacaf41ecaf01a3c1049052a017f2e8cabad1d2b25bee036291e8c33050328d6c0526c259e5367c832f119433da2f51f92e75218b18be878d
- C:\Users\Admin\AppData\Local\Temp\jonphqse.0.vb
  MD5: e0abfb42fb57daceb7ed0f7e42c23b73
  SHA1: 78b3ce95938f6d9e26d79309902b829749f9e3f6
  SHA256: ddf4fda73f5b711fb44aab8ee4e5af395e85faaf6efdc8bd88b77bfdacd69073
  SHA512: 91b28e238eb603ea393d0f4ab6a2f69e03424d8eb0b692769b8d5779721ed1c54edb170c1a70c809339e15af576863cf6842fd07c9ff29da501c116ba069a1d8
- C:\Users\Admin\AppData\Local\Temp\jonphqse.cmdline
  MD5: 2c9979bcfe67c0b2351c33489c61cf65
  SHA1: dc54ac8ef605be9b6570f25a80fab8f07badf562
  SHA256: 95a8e5c5973cc94bbb5aa1df9320000450b8572fa21a2e8f45cd9d3c22700dd5
  SHA512: 99d8379741013916938ceadd5b89f088cb0bf1a6efb11682ad420b286d78d634e771aed2780a117f2b564d9d7e4376029518d524026a9f05f4b53765535eef7d
- C:\Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
  MD5: 45f7d273826a2f77b46090cc94895577
  SHA1: 5e662b8859898cce615c5128e4534fbadc00e990
  SHA256: 5dcfaae3c55603d72fb5668f74efd5fe1eeb95549bfb923c5b0eb4d44b9390c6
  SHA512: 6fe2ab85f97858a9365c7cfe5d5e380e275d4aab0256cdb3cefb71ffd64f605d4ec817959288b78c459a77b3901fd04f4ce48b38d8bf216ae747aa0606812c77
- C:\Users\Admin\AppData\Local\Temp\vbc47CA.tmp
  MD5: 05551a7d7f030349cf38b4c522224b35
  SHA1: 72717f2bc5c661bdff4bfb8529d183aa96740585
  SHA256: 8020bd0425ec872f6e24e5689e018ec99819f79417c95352a71100fb0fa8d3b2
  SHA512: 1f5b61c01d6276167158ccc19045ab5d9953074f5a1d377329a16aaf6c6dfe4e816c50fb86a7f9efb6181560a98a8d0a0421808fcd2ab8071f06e13221c98224
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- \Users\Admin\AppData\Local\Temp\tmp4682.tmp.exe
  MD5: 45f7d273826a2f77b46090cc94895577
  SHA1: 5e662b8859898cce615c5128e4534fbadc00e990
  SHA256: 5dcfaae3c55603d72fb5668f74efd5fe1eeb95549bfb923c5b0eb4d44b9390c6
  SHA512: 6fe2ab85f97858a9365c7cfe5d5e380e275d4aab0256cdb3cefb71ffd64f605d4ec817959288b78c459a77b3901fd04f4ce48b38d8bf216ae747aa0606812c77
- memory/1208-59-0x0000000000000000-mapping.dmp
- memory/1468-66-0x0000000000000000-mapping.dmp
- memory/1468-69-0x0000000074F00000-0x00000000754AB000-memory.dmp (Filesize: 5.7MB)
- memory/1468-70-0x0000000001E85000-0x0000000001E96000-memory.dmp (Filesize: 68KB)
- memory/1844-54-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
- memory/1844-63-0x0000000074F40000-0x00000000754EB000-memory.dmp (Filesize: 5.7MB)
- memory/2020-55-0x0000000000000000-mapping.dmp