Analysis
- max time kernel: 115s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-05-2022 21:44
Static task: static1
Behavioral task: behavioral1
- Sample: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
- Resource: win10v2004-20220414-en
General
- Target: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
- Size: 78KB
- MD5: 03e747b5e88513e21319eeaa1126b81e
- SHA1: b05e3fbf5b3711eba03abd4660ec94e1acc11a17
- SHA256: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695
- SHA512: d368b1800287d189a8ed49c420721d25eaf72e1b441281dd1881e4e7defdb2d602b277c3cb98dad04028e3ae6da94ff73b136e00616d3dd31eefeaae21c29732
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Executes dropped EXE (1 IoC)
  Processes: tmp85E3.tmp.exe (pid 1756)
- Deletes itself (1 IoC)
  Processes: tmp85E3.tmp.exe (pid 1756)
- Loads dropped DLL (2 IoCs)
  Processes: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe (pid 240), 2 events
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe (pid 240), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid / process wrote to memory of target pid / process):
  - PID 240 cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe wrote to memory of 1736 vbc.exe (4 events)
  - PID 1736 vbc.exe wrote to memory of 1320 cvtres.exe (4 events)
  - PID 240 cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe wrote to memory of 1756 tmp85E3.tmp.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe"
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bluccib0.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAFC.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
    Signatures: Executes dropped EXE; Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESEC35.tmp
  Filesize: 1KB
  MD5: 439518105666b35ad5d7333add0b2c3f
  SHA1: b08356fdb084a43d685bd1e0d3f023350cf009a0
  SHA256: ee81b8f833a96e70b3a8bc5db239be016ee336ce4c86ec83fd989420d0854c3e
  SHA512: 2073e47d8cb941e5ba1e89d2976262037ada1ec5ad6ff3654b7149eddd79edfab46a79ffc71d80db3ab463e7b61f4b962166f155706ad0a7af56e67b7124340f
- C:\Users\Admin\AppData\Local\Temp\bluccib0.0.vb
  Filesize: 15KB
  MD5: 1263ea86dc4913b273e9f6d205460cb5
  SHA1: d1e39922b3a1983008153fa2d7af104dbcda326a
  SHA256: 71282e43f07034930b8157c80c08fb0b75dc7ce65ce533a1f1964f0177179ee7
  SHA512: e4fd4bd8166fedb4816a0a604fd72ebb86564841867a92b02b1eb207bab9f218565e8ccae33471e747d195efcaef4c3980672397604ecb245fcffc389b34ff23
- C:\Users\Admin\AppData\Local\Temp\bluccib0.cmdline
  Filesize: 266B
  MD5: 4fd0b1ce98e7923f1ad93bc95db4e28c
  SHA1: 7f4bacf2de30ed18e03447d24fd6d98d83999815
  SHA256: 9c3560ea977aba47f5db7defe8bdf1154e5f3ea09b69c6a20b3353ea4d2007bc
  SHA512: a5b0e21e9ba1e61c68942dcdf3438544e8197b269d628b0a158bdc7e7c9ed6335b4294695f56f96c7f43a468376923212f23d563e858e789f7180b94a89659ac
- C:\Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
  Filesize: 78KB
  MD5: 9f2b228e84bcda1e423a28f08c7b509f
  SHA1: 469d70fd3a7a6a3edae806475d3c47dcc5849490
  SHA256: 7b6dcf3704278f303f5d7fa4370a7f5d53f380311f73bc0a890f0af942bafa1c
  SHA512: 2122c740c7bd40d3589fbb0dedf3d4123188665e389687561695248d1e9a1abc02b8bed1a5c65557e7909881f0823d10fb2e72bfd290fde9f085332e76d30303
- C:\Users\Admin\AppData\Local\Temp\vbcEAFC.tmp
  Filesize: 660B
  MD5: 053e93fd4bf05ad24e3a2abcf340af9f
  SHA1: 345898b4fc46fb6a5efcfed6894e59263ff800a2
  SHA256: a0864347fc0d67f293545da94463ccd4378fa7227f6fded58b90f11d1f3ec246
  SHA512: 10b882d884f1d4a9047591d0445f82e299bbf99a061ecbd13375cd6b51ade159344dbf1ccbb8007d5c03d982f58aebfbc7a5787ad7bbbec4e561bae66ef5431a
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- \Users\Admin\AppData\Local\Temp\tmp85E3.tmp.exe
  Filesize: 78KB
  MD5: 9f2b228e84bcda1e423a28f08c7b509f
  SHA1: 469d70fd3a7a6a3edae806475d3c47dcc5849490
  SHA256: 7b6dcf3704278f303f5d7fa4370a7f5d53f380311f73bc0a890f0af942bafa1c
  SHA512: 2122c740c7bd40d3589fbb0dedf3d4123188665e389687561695248d1e9a1abc02b8bed1a5c65557e7909881f0823d10fb2e72bfd290fde9f085332e76d30303
- memory/240-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp
  Filesize: 5.7MB
- memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
  Filesize: 8KB
- memory/1320-60-0x0000000000000000-mapping.dmp
- memory/1736-56-0x0000000000000000-mapping.dmp
- memory/1756-66-0x0000000000000000-mapping.dmp
- memory/1756-69-0x0000000074310000-0x00000000748BB000-memory.dmp
  Filesize: 5.7MB