Analysis
- max time kernel: 227s
- max time network: 234s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-05-2022 21:44
Static task: static1
Behavioral task: behavioral1
  Sample: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
  Resource: win10v2004-20220414-en
General
- Target: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
- Size: 78KB
- MD5: 03e747b5e88513e21319eeaa1126b81e
- SHA1: b05e3fbf5b3711eba03abd4660ec94e1acc11a17
- SHA256: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695
- SHA512: d368b1800287d189a8ed49c420721d25eaf72e1b441281dd1881e4e7defdb2d602b277c3cb98dad04028e3ae6da94ff73b136e00616d3dd31eefeaae21c29732
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE 1 IoCs
Processes:
  pid: 4936
  process: tmpBA57.tmp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  process: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmpBA57.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege
  pid: 2096
  process: cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe

  description: Token: SeDebugPrivilege
  pid: 4936
  process: tmpBA57.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description / pid / process / target process):
  PID 2096 wrote to memory of 4812 / 2096 / cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe / vbc.exe
  PID 2096 wrote to memory of 4812 / 2096 / cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe / vbc.exe
  PID 2096 wrote to memory of 4812 / 2096 / cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe / vbc.exe
  PID 4812 wrote to memory of 388 / 4812 / vbc.exe / cvtres.exe
  PID 4812 wrote to memory of 388 / 4812 / vbc.exe / cvtres.exe
  PID 4812 wrote to memory of 388 / 4812 / vbc.exe / cvtres.exe
  PID 2096 wrote to memory of 4936 / 2096 / cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe / tmpBA57.tmp.exe
  PID 2096 wrote to memory of 4936 / 2096 / cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe / tmpBA57.tmp.exe
  PID 2096 wrote to memory of 4936 / 2096 / cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe / tmpBA57.tmp.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m3ngq3jt.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc111DDB2E9C4744F58DA97558FDAB93BE.TMP"
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cb153e3513d0616e98b05e7c7aa141a07d5551b8f4dd8b97fa43ce64d2468695.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESBD16.tmp
  Filesize: 1KB
  MD5: 92ee7b12094adb9a8d518468d1b738ca
  SHA1: 8a7f69f34fb7d6769dac045ecc33f66ce8f7276a
  SHA256: 086e13d532573a26ba1267498fa841642b8bc56174796a853c6914f5c792cfaf
  SHA512: f653eb72fd7fc86bb7668ad2de5c0ff5cd88706cef5d66b7320242d867fcbd5a13887e981bc8f8d0e04ba3d1fdb8720ff8eb74557044e73a26c521ad0a106f8d
- C:\Users\Admin\AppData\Local\Temp\m3ngq3jt.0.vb
  Filesize: 15KB
  MD5: 54d2043bcd351f7d78646b22812f5645
  SHA1: 3793ad2be82ba295d6de1af2cfe2b2fcd0e95ec7
  SHA256: 7cdcbd1e79dfa4db755e3227d1a061ea296ca32b6a0b99aadceb1500af8be9b8
  SHA512: 6ec4fe7717bccf01070c1e1eba96ecc545952100222765556c464b90538800288cba4060efbbf8177293ce0b27734ef5622f077f3c06ad7cc797cff671f47e56
- C:\Users\Admin\AppData\Local\Temp\m3ngq3jt.cmdline
  Filesize: 266B
  MD5: b9d73effbdd95f9dab5fef0c96bcf9e5
  SHA1: 2d5e15e2a5d4084766452be835d22e342c7be1ca
  SHA256: 1b93655cfae108fe9f46f32a37aef49504c78ba9f3a784011b325bcfd3763de7
  SHA512: a3e5efa0a56571b20ff62ba6a3ec0e84b57d03042d20b5df3d9035d3b1abee216a5134c25ed927dfa5b12b34007df51750bb60ab9b0dde5e1bbb04eaa8a6e6e7
- C:\Users\Admin\AppData\Local\Temp\tmpBA57.tmp.exe
  Filesize: 78KB
  MD5: 4e2fda90338ae61af76e4725d2b10eba
  SHA1: 9e747db62afae7c5e4379bc26715142b94138dc8
  SHA256: 0d6074af25a192c6f675ca01a38387bddbd36a42e7d13e7f834cdf47322a4cb2
  SHA512: 2dd3b798293a5b7b4f3fe0e1460ce8117eb8afc50cd33accdeb72bc86e8781300fa5c62e45462ec5753505053ad3e663765cd57b1dc044353a7ccd1672d1b76b
- C:\Users\Admin\AppData\Local\Temp\vbc111DDB2E9C4744F58DA97558FDAB93BE.TMP
  Filesize: 660B
  MD5: 51bcdec07267225b4b9dc709a6be4f5b
  SHA1: f5fe02cf17e7588e51293da297fb0239d15fafc5
  SHA256: e8d6463a2cf0eac94716b1938016993add9ea0a36be6cad3b6e65226f3af5030
  SHA512: 9d86e00426e735d6c4357846b746bf46e883a3ece214276e5204d2199449d15e95c187ed7eb8a860162f77d2b63bcdde1b683d369f2614e056c427067dee8112
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/388-135-0x0000000000000000-mapping.dmp
- memory/2096-130-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB
- memory/4812-131-0x0000000000000000-mapping.dmp
- memory/4936-139-0x0000000000000000-mapping.dmp
- memory/4936-141-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB