Analysis
- Max time kernel: 4294225s
- Max time network: 179s
- Platform: windows7_x64
- Resource: win7-20220311-en
- Submitted: 26-03-2022 14:44
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
  - Resource: win7-20220311-en
- Behavioral task: behavioral2
  - Sample: 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
  - Resource: win10v2004-en-20220113
General
- Target: 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
- Size: 78KB
- MD5: 04e454128c1c477e2914a1c7dc1a17bf
- SHA1: e889def714072b3953bc7929e920ce445ba46609
- SHA256: 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d
- SHA512: 99ee57634d2b19a6dbc560e24ef31ceebe1df74ce2b8c462391cf62698d8e2192822c8e96c34ed21d842b7a494657c156760c78faf093b649c0fa00d1da1f9c2
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Executes dropped EXE (1 IoC)
  Processes: pid 1032, tmp7E25.tmp.exe
- Deletes itself (1 IoC)
  Processes: pid 1032, tmp7E25.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes: pid 1216, 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe (2 events)
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeDebugPrivilege, pid 1216, 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid, source process -> target pid, target process):
  - 1216 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe -> 992 vbc.exe (4 events)
  - 992 vbc.exe -> 1660 cvtres.exe (4 events)
  - 1216 337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe -> 1032 tmp7E25.tmp.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n_jz4mef.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F7C.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe" C:\Users\Admin\AppData\Local\Temp\337fa2559752079970ee968b831192008aa875dd55d4368b9f63e94e7a22b86d.exe
    - Executes dropped EXE
    - Deletes itself
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES7F7D.tmp (1KB)
- C:\Users\Admin\AppData\Local\Temp\n_jz4mef.0.vb (15KB)
- C:\Users\Admin\AppData\Local\Temp\n_jz4mef.cmdline (266B)
- C:\Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe (78KB)
- C:\Users\Admin\AppData\Local\Temp\vbc7F7C.tmp (660B)
- C:\Users\Admin\AppData\Local\Temp\zCom.resources (62KB)
- \Users\Admin\AppData\Local\Temp\tmp7E25.tmp.exe (78KB)
- memory/992-55-0x0000000000000000-mapping.dmp
- memory/1032-65-0x0000000000000000-mapping.dmp
- memory/1032-69-0x00000000745C0000-0x0000000074B6B000-memory.dmp (5.7MB)
- memory/1032-70-0x0000000000AD5000-0x0000000000AE6000-memory.dmp (68KB)
- memory/1216-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp (8KB)
- memory/1216-66-0x0000000074630000-0x0000000074BDB000-memory.dmp (5.7MB)
- memory/1660-59-0x0000000000000000-mapping.dmp