Analysis
max time kernel: 4294218s
max time network: 164s
platform: windows7_x64
resource: win7-20220311-en
submitted: 26-03-2022 07:43
Static task: static1
Behavioral task: behavioral1
  Sample: 4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
  Resource: win10v2004-en-20220113
General
Target: 4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
Size: 78KB
MD5: 00831c7277e51a7a3e765c58f685914d
SHA1: ca2d1a0ddbd19a14ae31bf3a7132e1874fa2980f
SHA256: 4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e
SHA512: 4fb8f37453152c5dd9f795c5908da8ca9445682f52c7a77c369ecd3b1200fba673eb803993c939e8169d6340929307c42fa139016ca62ec44ad4e79e0bb1e85c
Malware Config
Signatures
MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
Executes dropped EXE (1 IoC)
  Processes:
    pid 1812  tmp62E8.tmp.exe
Deletes itself (1 IoC)
  Processes:
    pid 1812  tmp62E8.tmp.exe
Loads dropped DLL (2 IoCs)
  Processes:
    pid 1568  4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
    pid 1568  4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""
    process: tmp62E8.tmp.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 1568  4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
    Token: SeDebugPrivilege  pid 1812  tmp62E8.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    PID 1568 (4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe) wrote to memory of PID 1076 (vbc.exe)  [4 events]
    PID 1076 (vbc.exe) wrote to memory of PID 1752 (cvtres.exe)  [4 events]
    PID 1568 (4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe) wrote to memory of PID 1812 (tmp62E8.tmp.exe)  [4 events]
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jt_x4soz.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES645F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc644F.tmp"
   2. C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4a1926b9240938f7590d0e5a7afb995572a07b66b3512a117a306ae28e0f745e.exe
      - Executes dropped EXE
      - Deletes itself
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RES645F.tmp
  MD5: b04932225837b9fb8cb68ecdf6eb9bf6
  SHA1: 40914903b544e8b4ad030becacb4da28761b1e50
  SHA256: 4acae9254df550c4831fee242c883aaeac2ebaa74d243a2e48eb818c045a026f
  SHA512: fe75e3d55141142fb59f2cbc7625c03f33a97b88aa8b38b9d8f8fa236f54b41ccdfb86aa54d0a798869cb7ac2942126da654f8d2159c48f93187a40bd849c45a
C:\Users\Admin\AppData\Local\Temp\jt_x4soz.0.vb
  MD5: ce86c599de05f57cce31e8fe1bed87cb
  SHA1: 14560e2b664a4cce550fb3c959133e72f85e20ff
  SHA256: 1154e82a9af6b6f1a561915a09fe415f53c6985044e3a873de7c262fd9af33af
  SHA512: 66100c62c8ea6093a60b7d51aa3eb378bdbfa8f579eab3f95a72a73df5d9325b76f38c9d7ccd395213247f543a1641a36382fe51bf09ce1be1af95452276a624
C:\Users\Admin\AppData\Local\Temp\jt_x4soz.cmdline
  MD5: 5dfb107cec41e2b4438246fa17212530
  SHA1: 1397a7ca4675d8ef451def4cc2c0c769d346f3ba
  SHA256: fa7a126b3cc6149abc876006c01b8022974bdb7287dda929c49021520170c667
  SHA512: 934ac2b29cb49dc8f9ab01c376944d7cf03902bf75c9a70361b13cdfda5b176c13da6ba6e0e76bd026a17a5a294637dfadfb0a3a1fd58e9e29c240cf88c69f0d
C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
  MD5: cc773c8eba9e12da13dae12d89e84e0d
  SHA1: c6a5984b888e214c5f69ff4ed9698d34da97dd59
  SHA256: e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9
  SHA512: 5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df
C:\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
  MD5: cc773c8eba9e12da13dae12d89e84e0d
  SHA1: c6a5984b888e214c5f69ff4ed9698d34da97dd59
  SHA256: e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9
  SHA512: 5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df
C:\Users\Admin\AppData\Local\Temp\vbc644F.tmp
  MD5: d2e7e47f16c587209b522ac671d310a2
  SHA1: 293ee556e9f02957c813aeb35f65ca38d11f574c
  SHA256: 1f451ea45b805db12c96b455d43266e468606ef1cef9ceb4e35db3b1dabd3bd4
  SHA512: 50411338981dd572abb019daabbe0076317f9dca72cef341fcaeea04a634d078ac4dc19cbef82894066a8699c4cc6a742aa94f8194a7bba219b57606f573ae1c
C:\Users\Admin\AppData\Local\Temp\zCom.resources
  MD5: 097dd7d3902f824a3960ad33401b539f
  SHA1: 4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f
  SHA256: e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f
  SHA512: bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4
\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
  MD5: cc773c8eba9e12da13dae12d89e84e0d
  SHA1: c6a5984b888e214c5f69ff4ed9698d34da97dd59
  SHA256: e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9
  SHA512: 5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df
\Users\Admin\AppData\Local\Temp\tmp62E8.tmp.exe
  MD5: cc773c8eba9e12da13dae12d89e84e0d
  SHA1: c6a5984b888e214c5f69ff4ed9698d34da97dd59
  SHA256: e1f67bf42673d897d85ccc9f071ffa96a0f22b88f3cf9500cf0f373640b249c9
  SHA512: 5e4fa04195fae26eb2a473d0c9169be92c65ff928e4b335452d784468f43991ab83a0fd67548c09e542746ea7cb35da7c73b3ac68fba31eea14411197ba266df
memory/1076-55-0x0000000000000000-mapping.dmp
memory/1568-58-0x0000000074A80000-0x000000007502B000-memory.dmp
  Filesize: 5.7MB
memory/1568-54-0x0000000076851000-0x0000000076853000-memory.dmp
  Filesize: 8KB
memory/1752-60-0x0000000000000000-mapping.dmp
memory/1812-66-0x0000000000000000-mapping.dmp
memory/1812-69-0x0000000074A10000-0x0000000074FBB000-memory.dmp
  Filesize: 5.7MB
memory/1812-70-0x00000000001B5000-0x00000000001C6000-memory.dmp
  Filesize: 68KB