Analysis
- max time kernel: 165s
- max time network: 193s
- platform: windows7_x64
- resource: win7-20220331-en
- submitted: 29-03-2022 23:53
Static task: static1
Behavioral task: behavioral1
- Sample: 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
- Resource: win7-20220331-en
Behavioral task: behavioral2
- Sample: 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
- Resource: win10v2004-20220331-en
General
- Target: 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
- Size: 78KB
- MD5: 05137374d9702441ed3cf31896d32e55
- SHA1: 3429cee50a686ca29a72cd1ecbc06f4708b31e73
- SHA256: 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d
- SHA512: 62ed902ee373da8ca290d3d0d67176c34f26b78af39f4c524417b3f732ec0732ce560c0b67c01527b5f757cb0e0c3213f9f41cebf3db4fb81a1ed91e9445cefc
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1512  tmp89AA.tmp.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1512  tmp89AA.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1788  9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
    1788  9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      | ioc                                                                                                                                                                                | process
    Set value (str)  | \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmp89AA.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              | pid   | process
    Token: SeDebugPrivilege  | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
    Token: SeDebugPrivilege  | 1512  | tmp89AA.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                          | pid   | process                                                                | target process
    PID 1788 wrote to memory of 964      | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | vbc.exe
    PID 1788 wrote to memory of 964      | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | vbc.exe
    PID 1788 wrote to memory of 964      | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | vbc.exe
    PID 1788 wrote to memory of 964      | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | vbc.exe
    PID 964 wrote to memory of 2040      | 964   | vbc.exe                                                                | cvtres.exe
    PID 964 wrote to memory of 2040      | 964   | vbc.exe                                                                | cvtres.exe
    PID 964 wrote to memory of 2040      | 964   | vbc.exe                                                                | cvtres.exe
    PID 964 wrote to memory of 2040      | 964   | vbc.exe                                                                | cvtres.exe
    PID 1788 wrote to memory of 1512     | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | tmp89AA.tmp.exe
    PID 1788 wrote to memory of 1512     | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | tmp89AA.tmp.exe
    PID 1788 wrote to memory of 1512     | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | tmp89AA.tmp.exe
    PID 1788 wrote to memory of 1512     | 1788  | 9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe  | tmp89AA.tmp.exe
Processes (tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gwmogpka.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B01.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9a94a6b4d97d18b5e854b60308c6a5bf5929ed8feed786218e82d7b12a67a05d.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES8B02.tmp
  Filesize: 1KB
  MD5: 9987c42501545334c9a53e1e189ad652
  SHA1: 5cd108c24dc0209ea6ac782511cb63a7ec4ffd0b
  SHA256: 2b36c6e3e91f8c0ccdd3618ff66eb39dce009fabd95a713e223b10af732b6209
  SHA512: 716ed50845b6caeee5815d190816192015537db43e2c25e76197deca199236948688322f5d4fa525d8c68b92b3342b45dcf890dae2f162bd0c99ca18376a7027
- C:\Users\Admin\AppData\Local\Temp\gwmogpka.0.vb
  Filesize: 14KB
  MD5: 3d54a6068241a564988ab6d953a2c717
  SHA1: 257ff3b6bd86f0d4e6de77a18777ab360229ebd9
  SHA256: 28e4f826d6e1ed6370f1ebdbb804ffb6c7a3ce6c5e0c321662e894957d222db4
  SHA512: 831930ca73067aa7062bc466c2df17fea65a0205f417ee3bf535d0d42d035235821258758786f4377304921d0bdf528cad2da5e7616595ea386addb11827a5d5
- C:\Users\Admin\AppData\Local\Temp\gwmogpka.cmdline
  Filesize: 266B
  MD5: 9d6a64a50283c8e939e7bd981b155818
  SHA1: 260187c0d889c6f613c78e182b1c42c5ae65f54e
  SHA256: 68ac14d7b77081df6c23718a1d6173a20cc3ed16b096221b1f3ab241178ff20e
  SHA512: f954099fe9f6b7ec21e408ad3e3efe8e2c4f2175909693e37d170d140df9a7ad12b416370e04903acf1fc5d12a8e5018b926624f66ed8c8fb479c65669b444bf
- C:\Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe
  Filesize: 78KB
  MD5: af85052d174be76ce298a217d1bdad07
  SHA1: 70bcdc4776e387a11f497a5c5dc2f816131be93d
  SHA256: df0c78697278da5844fc66f708b29b98a50f3e8f5b2584ac1f9d61849e545787
  SHA512: 5f0ae17f12650b72a5c78684343ee94c8142596ec279fd1d22cd012bd29bff1e0ff433819e13242bc5c482617a6ad42dc8587b1adebb12c5274b9f50a7b661c8
- C:\Users\Admin\AppData\Local\Temp\vbc8B01.tmp
  Filesize: 660B
  MD5: 5bcadb9144efb7681d756396f51eed38
  SHA1: f6022e4829c6e675986e4af39ea09c63d0a1c0ca
  SHA256: 1c3ffb5fb5772a41de6e7b734a8633b9579ba65e18dbd9a7f1d64bad63343085
  SHA512: 53a3bb39acffd4abe2d93b18e702583e9ad5654aa79062f99edc66bb0ddefe8a72768b73c99bb39c1ecfd1749eaf893b900ca51004fa865de8176bea50eac857
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- \Users\Admin\AppData\Local\Temp\tmp89AA.tmp.exe
  Filesize: 78KB
  MD5: af85052d174be76ce298a217d1bdad07
  SHA1: 70bcdc4776e387a11f497a5c5dc2f816131be93d
  SHA256: df0c78697278da5844fc66f708b29b98a50f3e8f5b2584ac1f9d61849e545787
  SHA512: 5f0ae17f12650b72a5c78684343ee94c8142596ec279fd1d22cd012bd29bff1e0ff433819e13242bc5c482617a6ad42dc8587b1adebb12c5274b9f50a7b661c8
- memory/964-55-0x0000000000000000-mapping.dmp
- memory/1512-66-0x0000000000000000-mapping.dmp
- memory/1512-69-0x0000000074400000-0x00000000749AB000-memory.dmp
  Filesize: 5.7MB
- memory/1512-70-0x0000000000155000-0x0000000000166000-memory.dmp
  Filesize: 68KB
- memory/1788-54-0x00000000755F1000-0x00000000755F3000-memory.dmp
  Filesize: 8KB
- memory/1788-58-0x00000000749B0000-0x0000000074F5B000-memory.dmp
  Filesize: 5.7MB
- memory/2040-60-0x0000000000000000-mapping.dmp