Analysis
- max time kernel: 204s
- max time network: 211s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-05-2022 21:39
Static task: static1
Behavioral task: behavioral1
  Sample: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
  Resource: win10v2004-20220414-en
General
- Target: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
- Size: 78KB
- MD5: 01a27410a7f14cbe2069d62568a0df1c
- SHA1: 8e6badcd52ca775493b0c22bfb665af6a5fdc558
- SHA256: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed
- SHA512: 58047d6b8162e7f5a635887151345df459b76b15f4da387b00c766c517ca05888189f22a183ce20ca60c11df3d353f0a1651bfb725491dbc4df29b6559f12486
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoCs)
  Processes: tmpDDB3.tmp.exe
  pid 1996 | process tmpDDB3.tmp.exe
- Deletes itself (1 IoCs)
  Processes: tmpDDB3.tmp.exe
  pid 1996 | process tmpDDB3.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
  pid 1928 | process 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
  pid 1928 | process 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: tmpDDB3.tmp.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  process: tmpDDB3.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe, tmpDDB3.tmp.exe
  description: Token: SeDebugPrivilege | pid 1928 | process 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
  description: Token: SeDebugPrivilege | pid 1996 | process tmpDDB3.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe, vbc.exe
  description | pid | process | target process | count
  PID 1928 wrote to memory of 812 | 1928 | 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe | vbc.exe | 4 entries
  PID 812 wrote to memory of 1100 | 812 | vbc.exe | cvtres.exe | 4 entries
  PID 1928 wrote to memory of 1996 | 1928 | 8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe | tmpDDB3.tmp.exe | 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wilynmgm.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0BF.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8a2bfd97d0187adb855a07bd313a2c7ea57c96e53e51db154444405ed8c1ceed.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESE0C0.tmp
  Filesize: 1KB
  MD5: 1bcdf926acfca4773a17aa781498ff20
  SHA1: 72b4b0d39edc49bee70e8cb91594544ce235e86c
  SHA256: 65d9d8836662b16f337048584dfa9934018008a0f99d3bd216db4060155ec7aa
  SHA512: 82b2dc215e4cf7784854dfb80f72f992e48f27ce6f2c813d2086a306d78c401a76ee17666d94efab5939f0681c11643278bfce841b7259ab1163c25539d5ce9d
- C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
  Filesize: 78KB
  MD5: eaf83340582ed00f20b993f4424c21f0
  SHA1: 6fb245290acb96538ae08e93ae950aa83ee08477
  SHA256: aefa8ffb180077e33d2f2da8bc0868c95f93f73c361743f284fd2664195a4143
  SHA512: 601a5b474d46774b85dd9db5b97f2a5b5ee248b44e7aa699c9af9da22ffdde6c3e00ed9a9507489360acdc055301e83402c215520703a53a91a2062f037843f4
- C:\Users\Admin\AppData\Local\Temp\vbcE0BF.tmp
  Filesize: 660B
  MD5: f935a8e1a2b03df7fbe501f7c25b4e71
  SHA1: 8b235ff1f9d39fecff0f9c647e678c3196bd531e
  SHA256: a6c79c2b0d5bf837b626eb30e38526905c33044c85d849e4850fbdbe57767271
  SHA512: 5165c8dd1076e8cb77a437f16152d0cd2e4287be4074a1665c2c4502bb63d411687d0ace8eed329b8226c381e562852eaf457970c7eae94548b68cd9f59190e1
- C:\Users\Admin\AppData\Local\Temp\wilynmgm.0.vb
  Filesize: 14KB
  MD5: 7c235572602cf5619f122cc5ad1b82d2
  SHA1: 30068c85129735aee52370eaa764c03e6c9fcc9c
  SHA256: 93defb4bd4cff0241be380a67ac4c53b5415f2d407ccbb5cd089fb23391181ef
  SHA512: 9ffac2d9ef8ac1c5a6b4d1e413ffe44ab114799c0439d2dba2bd2a0ff7ee2b7967295a3ba9601329b0305d8e1ef70632102a288354b9699be8f474969eb11e38
- C:\Users\Admin\AppData\Local\Temp\wilynmgm.cmdline
  Filesize: 266B
  MD5: d0d3d31c578996caaddebd8f414c6e1c
  SHA1: d35b77c1b5ccfaf222d6059acbac228e7f2db064
  SHA256: 21bbd0cfc92e3dbb3f09ca860f795609a4538a7173687902210c06d56437fcf6
  SHA512: 2734a978b1c0211848b6977772acf0e739b0ce11b230bdc07226e168d7ad0d229d0af266a6c547f7944954754fbd4f5c00d413c549b397947df63c2e08bf12b9
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
- \Users\Admin\AppData\Local\Temp\tmpDDB3.tmp.exe
  Filesize: 78KB
  MD5: eaf83340582ed00f20b993f4424c21f0
  SHA1: 6fb245290acb96538ae08e93ae950aa83ee08477
  SHA256: aefa8ffb180077e33d2f2da8bc0868c95f93f73c361743f284fd2664195a4143
  SHA512: 601a5b474d46774b85dd9db5b97f2a5b5ee248b44e7aa699c9af9da22ffdde6c3e00ed9a9507489360acdc055301e83402c215520703a53a91a2062f037843f4
- memory/812-55-0x0000000000000000-mapping.dmp
- memory/1100-60-0x0000000000000000-mapping.dmp
- memory/1928-57-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1928-54-0x0000000076851000-0x0000000076853000-memory.dmp
  Filesize: 8KB
- memory/1996-66-0x0000000000000000-mapping.dmp
- memory/1996-69-0x0000000074F90000-0x000000007553B000-memory.dmp
  Filesize: 5.7MB
- memory/1996-70-0x0000000000A65000-0x0000000000A76000-memory.dmp
  Filesize: 68KB