Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220331-en -
submitted
29-03-2022 23:36
Static task
static1
Behavioral task
behavioral1
Sample
9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
Resource
win7-20220331-en
Behavioral task
behavioral2
Sample
9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
Resource
win10v2004-20220331-en
General
-
Target
9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
-
Size
78KB
-
MD5
02f5520d2b448f25ad85e4ad4f0ea9e9
-
SHA1
c4db23e93244ec18847354ea2d2787ff65dfdd8e
-
SHA256
9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826
-
SHA512
d9d661af0f54c0d8c6949992474b29ba172199adf926b9018e3aeb213205ecf44613f86e93d031786d29012e80e78cf8cbc4de6034d5d0c45a87de5ef2c25945
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1552  tmpF799.tmp.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                  process
Set value (str)  \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""  tmpF799.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
Token: SeDebugPrivilege  1552  tmpF799.tmp.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                         pid   process                                                                target process
PID 2032 wrote to memory of 1640    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  vbc.exe
PID 2032 wrote to memory of 1640    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  vbc.exe
PID 2032 wrote to memory of 1640    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  vbc.exe
PID 2032 wrote to memory of 1640    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  vbc.exe
PID 1640 wrote to memory of 1264    1640  vbc.exe                                                                cvtres.exe
PID 1640 wrote to memory of 1264    1640  vbc.exe                                                                cvtres.exe
PID 1640 wrote to memory of 1264    1640  vbc.exe                                                                cvtres.exe
PID 1640 wrote to memory of 1264    1640  vbc.exe                                                                cvtres.exe
PID 2032 wrote to memory of 1552    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  tmpF799.tmp.exe
PID 2032 wrote to memory of 1552    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  tmpF799.tmp.exe
PID 2032 wrote to memory of 1552    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  tmpF799.tmp.exe
PID 2032 wrote to memory of 1552    2032  9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe  tmpF799.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
"C:\Users\Admin\AppData\Local\Temp\9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe"
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_7z8sric.cmdline"
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF910.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF900.tmp"
  -
  C:\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9cf2f829f97acb5859464a3130fb2ecd9eeb03006ba17d0f6f3e3305d19e5826.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESF910.tmp
Filesize
1KB
MD5
fd7052a286701a005b656eb194689f17
SHA1
de7610ca784ad4954fa0eb5e36190b87ecef438f
SHA256
7c7ba993e0468995341a6724138654dce8b34f6e8fd760b8019affa19b30be79
SHA512
86f4c5d4247e5267e76e54a53618e7c967f8f116f0caab3179f6a6cb6c2857c60e283ca07733505a8b61f33cc6916b83238b2d287dece85cf7245e11e72321ae
-
C:\Users\Admin\AppData\Local\Temp\_7z8sric.0.vb
Filesize
15KB
MD5
cc9c046c0018ae86d18fd3cdb82f24b9
SHA1
1c8ab8e2f6e9d431e2f690e1e677c7a9f0fb44fa
SHA256
09317cfd32afae94eff91468485eb4753ca452a9356128e459f7fef886f40fe8
SHA512
2e547dc82485e6f7900839307da91b5959f8db40074bb9c35989c0b72a1f69949c8140e09f55190d694224f4728f7353168705059e49722af7b5a9f2bbff11ce
-
C:\Users\Admin\AppData\Local\Temp\_7z8sric.cmdline
Filesize
266B
MD5
6462458b831d199130042c36f74d8dda
SHA1
22a7b5326f6e4638f064a66f05df34e0b420b03e
SHA256
521ad8734bcd3e7091df7ea91fab85014a5d0f6946f80d71cf07502e31f470e8
SHA512
9e3d919ad607ec438f6b79e5b0ccf8510269d82524cb8df0e2c270085a57de5d4ef6b5488ddff87992ee17e83e83a0bcfbc86b223503c46422cce6bcdb98d68a
-
C:\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
Filesize
78KB
MD5
bc23e5d4b63614adedde8172478a13fd
SHA1
662be9903457e6671b3e9bb45b7666c7fcfd6ce7
SHA256
e747f33779d45c4cc40096cddeaa926bcac419eb72c6aa62fbc0893109ca9ceb
SHA512
45bacc8485771435b9b7c63c4d24c7df314c5cc40f5585957d77b70c7d19216a16859367a42aa2e91803c0472ee13f3f7cff63fc4b34d929afa10f16350713af
-
C:\Users\Admin\AppData\Local\Temp\vbcF900.tmp
Filesize
660B
MD5
4d85e65e7d1aa532ef98abdde096404d
SHA1
c449c2c2032671303b238ed3e2629880d506205f
SHA256
af56a23cb98bf35d94bde928a864b0a2eed1c5d085f97de3195a518bf0db8f02
SHA512
5b6ed74a9a59cf132ee0cba2f2e4bf1f231362b7e70a13f1734e7ef2bf31be69b00810cd71585d382a16b055f7a57fdfd3526122619c32f023d808ce6157d14f
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB
MD5
4f0e8cf79edb6cd381474b21cabfdf4a
SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
-
\Users\Admin\AppData\Local\Temp\tmpF799.tmp.exe
Filesize
78KB
MD5
bc23e5d4b63614adedde8172478a13fd
SHA1
662be9903457e6671b3e9bb45b7666c7fcfd6ce7
SHA256
e747f33779d45c4cc40096cddeaa926bcac419eb72c6aa62fbc0893109ca9ceb
SHA512
45bacc8485771435b9b7c63c4d24c7df314c5cc40f5585957d77b70c7d19216a16859367a42aa2e91803c0472ee13f3f7cff63fc4b34d929afa10f16350713af
-
memory/1264-59-0x0000000000000000-mapping.dmp
-
memory/1552-65-0x0000000000000000-mapping.dmp
-
memory/1552-69-0x00000000746E0000-0x0000000074C8B000-memory.dmp
Filesize
5.7MB
-
memory/1552-70-0x0000000002235000-0x0000000002246000-memory.dmp
Filesize
68KB
-
memory/1640-55-0x0000000000000000-mapping.dmp
-
memory/2032-54-0x0000000076141000-0x0000000076143000-memory.dmp
Filesize
8KB
-
memory/2032-68-0x00000000746E0000-0x0000000074C8B000-memory.dmp
Filesize
5.7MB