Analysis
- max time kernel: 4294209s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 29-03-2022 15:59
Static task: static1

Behavioral task: behavioral1
- Sample: dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
- Resource: win7-20220311-en

Behavioral task: behavioral2
- Sample: dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
- Resource: win10v2004-en-20220113
General
- Target: dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
- Size: 78KB
- MD5: 0202f350251abbbae1a2740143ba261b
- SHA1: 3c9a4e171a1d1e8e2ef8ae3494edc498a6930144
- SHA256: dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48
- SHA512: b419e5b15b3d74b95b255d9e8ef37b1e96f1a4bdaf27b9c70f0e8777d9dfcf352c46a7b419dd99f846bd416110bd1dd6c047d2ca9ea7130fe6ca24955b16523e
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Executes dropped EXE (1 IoC)
Processes:
  pid 1792  process tmp513C.tmp.exe
-
Deletes itself (1 IoC)
Processes:
  pid 1792  process tmp513C.tmp.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid 1624  process dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
  pid 1624  process dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  process: tmp513C.tmp.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege  pid: 1624  process: dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
  description: Token: SeDebugPrivilege  pid: 1792  process: tmp513C.tmp.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 1624 wrote to memory of 1548  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  vbc.exe
  PID 1624 wrote to memory of 1548  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  vbc.exe
  PID 1624 wrote to memory of 1548  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  vbc.exe
  PID 1624 wrote to memory of 1548  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  vbc.exe
  PID 1548 wrote to memory of 1088  1548  vbc.exe  cvtres.exe
  PID 1548 wrote to memory of 1088  1548  vbc.exe  cvtres.exe
  PID 1548 wrote to memory of 1088  1548  vbc.exe  cvtres.exe
  PID 1548 wrote to memory of 1088  1548  vbc.exe  cvtres.exe
  PID 1624 wrote to memory of 1792  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  tmp513C.tmp.exe
  PID 1624 wrote to memory of 1792  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  tmp513C.tmp.exe
  PID 1624 wrote to memory of 1792  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  tmp513C.tmp.exe
  PID 1624 wrote to memory of 1792  1624  dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe  tmp513C.tmp.exe
Processes (tree, depth shown by indentation)
-
[1] C:\Users\Admin\AppData\Local\Temp\dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0fx85wf4.cmdline"
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5330.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc531F.tmp"
    -
    [2] C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dbeefb0673d31018362461178d2004149c37817d6302cbcd43dde722b8888d48.exe
        - Executes dropped EXE
        - Deletes itself
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
Network
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0fx85wf4.0.vb
  Filesize: 14KB
  MD5: e89197c39388e53a02a95ed8079f0beb
  SHA1: 57e301c5a122cf5faef6b924530c2f7688d2d336
  SHA256: 70da5f720a460d9a627788dda802d2881b74ff76e2689e11e2c7dff04ef782c7
  SHA512: d5398e5943d823069859c3091781a1d1ee35be6f3110f9ac8fe3f5fdb1076f25b7a43e04b0abbfe4245846d561392d48f29fd0f9380fd339d293f68b1a1e47a2
-
C:\Users\Admin\AppData\Local\Temp\0fx85wf4.cmdline
  Filesize: 266B
  MD5: 3a68a3a0ec610b61c6b67f33aeeb894d
  SHA1: 6de65d3e957d079b7b8875cdceb80f645c3024ca
  SHA256: ae9574a0bef833a30050446da8552b76234350547be783b5ab01596384c97762
  SHA512: c8bb13f3177d94a94f0352467e12f192769b3f8e2c77a816f905c45e2b17426f3853383f454dfceb7837c393d5fe9c2da26addbb98b053fd9b9ada3c7707b71e
-
C:\Users\Admin\AppData\Local\Temp\RES5330.tmp
  Filesize: 1KB
  MD5: 0e96ffdb616f7d3467d3ec51e07809ac
  SHA1: 582b4b2e95e8a100ce9028c72de947b884368225
  SHA256: 7fd72127505a0ade91bd4fba075a0e1c02e1a6db31d69947b8365e1b9fbf8676
  SHA512: 9affad22aaae74bacf338c994197cc2d328050aae79ec0c1f17bc5a419b6ac22e90c06b30429b0bd3604d05daf360d7c3ff81b16887bb50e4c00556baceede3c
-
C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
  Filesize: 78KB
  MD5: b27de2518a6977dc9a16102c746b5a39
  SHA1: 3a3cfa1c4569a713e598e53fd84ad7c2e88c1779
  SHA256: 92265a77bf578e8e10c375e4bcb9b8b3984736fdde37ecb5a78e4b6b65390416
  SHA512: 21ec652eb52d4d490f869b89f42c80ac159a6a5a8a3453dd8acad7c05f5e159d6134ba749d449ff688c1b40469fe670d90bb7ab655b9dbb17654dd1ff2d820d0
-
C:\Users\Admin\AppData\Local\Temp\vbc531F.tmp
  Filesize: 660B
  MD5: a723fdee471a2f77c6e89741fb56501a
  SHA1: b7831f260f5493ccc4f721489d068aaab7cff66d
  SHA256: 990cc0f9eadd23c08ed25b607da608214b378483779a4243e98b17bb6de538e4
  SHA512: 5c459c817f31d2e1ee3885112e67dd23bb614b099859eb44e4999b27fc10fdd0ec8f32271b2b1bf0f113c5b94cfe672939e175bf18f2b1ad41cf16efbb53ca93
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
-
\Users\Admin\AppData\Local\Temp\tmp513C.tmp.exe
  Filesize: 78KB
  MD5: b27de2518a6977dc9a16102c746b5a39
  SHA1: 3a3cfa1c4569a713e598e53fd84ad7c2e88c1779
  SHA256: 92265a77bf578e8e10c375e4bcb9b8b3984736fdde37ecb5a78e4b6b65390416
  SHA512: 21ec652eb52d4d490f869b89f42c80ac159a6a5a8a3453dd8acad7c05f5e159d6134ba749d449ff688c1b40469fe670d90bb7ab655b9dbb17654dd1ff2d820d0
-
Memory dumps
- memory/1088-60-0x0000000000000000-mapping.dmp
- memory/1548-56-0x0000000000000000-mapping.dmp
- memory/1624-54-0x00000000755A1000-0x00000000755A3000-memory.dmp (Filesize: 8KB)
- memory/1624-55-0x0000000074680000-0x0000000074C2B000-memory.dmp (Filesize: 5.7MB)
- memory/1792-66-0x0000000000000000-mapping.dmp
- memory/1792-69-0x00000000740D0000-0x000000007467B000-memory.dmp (Filesize: 5.7MB)
- memory/1792-70-0x00000000022B5000-0x00000000022C6000-memory.dmp (Filesize: 68KB)