Analysis
- Max time kernel: 151s
- Max time network: 156s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 03-05-2022 15:02
- Static task: static1
- Behavioral task behavioral1
  Sample: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
  Resource: win7-20220414-en
- Behavioral task behavioral2
  Sample: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
  Resource: win10v2004-20220414-en
General
- Target: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
- Size: 78KB
- MD5: 04d5e9376838e75f62c1e3f72036dcd4
- SHA1: dc3c1eebe560105197c9c94a3f317a966381ce59
- SHA256: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4
- SHA512: de87d6a909b0e0e1a8ab8452f0bb652918ca2dfdfea31be65dbbc9871e7418b3cbc43f352979512b726a684bc3fe1de291ee2176f25b610277f7f931f377b8a6
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes: tmp8AA1.tmp.exe (PID 3160)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe queried key value \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token SeDebugPrivilege: PID 4148 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
  Token SeDebugPrivilege: PID 3160 tmp8AA1.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID/process -> target PID/process):
  PID 4148 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe wrote to memory of PID 2488 vbc.exe (3 events)
  PID 2488 vbc.exe wrote to memory of PID 3112 cvtres.exe (3 events)
  PID 4148 8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe wrote to memory of PID 3160 tmp8AA1.tmp.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7kbfityx.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14927EA26B14466DB927234940AE6788.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp8AA1.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8AA1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab7d77b0a9fb27d107f98811aa26aa32606df3e9c2868cb207fa33e8a05c8e4.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (level 1)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7kbfityx.0.vb
  Filesize: 15KB
  MD5: 9655e0392b89058e061706fb024b61dc
  SHA1: fd17c81b1d8c3a6a74e655851fa2a535e08866d3
  SHA256: 2acea73a45fcbd3096f5d89d5335329bcff023733728669166bc2dc382647efe
  SHA512: f3cde532ed3b457107120cfa15a30e5117c7903952a4e73c4dba9209f4e8492f1aee117e38b2c6b4df473ddf22d3002608acabcee42dfff5c1e450677e989ab4
- C:\Users\Admin\AppData\Local\Temp\7kbfityx.cmdline
  Filesize: 266B
  MD5: eaed9507297c045fc8f2e7724b267e4d
  SHA1: 37d62ee85cf108c54ab6887d742cbe0bc7edf1e8
  SHA256: 6c64b0839f73c314e0a7b4b367aa880a2b64f04df9929230229204e5408ffec8
  SHA512: fed5a89d9125a311b651e216a545d066ac02c9205d3226d1f0e1a54bd362f5e92e2df22cdd4bb56d4a687ac1759579ebf2ebfc0d1f77207d1e67f49ee19ec867
- C:\Users\Admin\AppData\Local\Temp\RES92A0.tmp
  Filesize: 1KB
  MD5: 74f4fda313460ef5cbaf367842e70a2e
  SHA1: b90bbec6d1c4359066bdefe85d2ba9e05c092248
  SHA256: e5684574cb019922513bfe2f3c1b1725571e652f42835e4d48bb62a14f61ce86
  SHA512: 4504bb076949ab58c25287124158940f86f316d2e8ece7ebbb002dc4b9f3e8d18e05cbadf2651d28365a7b27f1637009559078037b9c95be47282e7ca248b4c7
- C:\Users\Admin\AppData\Local\Temp\tmp8AA1.tmp.exe
  Filesize: 78KB
  MD5: f46400b31efd81ba39f09223cc4233c6
  SHA1: ead411f7976ef1ca81447735e8d1ac0bbad72c95
  SHA256: c272aadce3eaa1bf4ad7a8e4db12e6ae8232ce0627751e7fbcbc0c629a7444b2
  SHA512: d23aed759acda594ca40d36fb6c5bdf5139bcca4492c85fd6b9455e71fba516a5e19b94f976a32765ee92aed9a12d3468c1a2d641c981f3e80f2f3691c4471be
- C:\Users\Admin\AppData\Local\Temp\vbc14927EA26B14466DB927234940AE6788.TMP
  Filesize: 660B
  MD5: 49606d191dc96b5eee60a549a7891138
  SHA1: 34c7b206f4f4f44cfe8b3abbad093503fb2fa5c4
  SHA256: f01d7647e530c0c520dc972d15b9a475f4a3dac4941fd5133616c9e7a833c636
  SHA512: 68c8a36270baf3af6cbf8e4afbabd4cac13f0f4af9047cb6aef629ef7f736574539801bf3bb604051904443e777b121e1d9f8cdad0176485cd3cd32ec75a6bfd
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- memory/2488-130-0x0000000000000000-mapping.dmp
- memory/3112-135-0x0000000000000000-mapping.dmp
- memory/3160-139-0x0000000000000000-mapping.dmp
- memory/3160-141-0x00000000749A0000-0x0000000074F51000-memory.dmp
  Filesize: 5.7MB
- memory/4148-131-0x00000000749A0000-0x0000000074F51000-memory.dmp
  Filesize: 5.7MB