Analysis
- max time kernel: 156s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 23:02

Static task: static1

Behavioral task: behavioral1
  Sample: 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
  Resource: win10v2004-20220414-en
General
- Target: 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
- Size: 78KB
- MD5: 02f5b7afb2fcd2301daa10fcb64e7998
- SHA1: a1641dcd6cd0d2b7f9c2a8b52917deb3b340a61e
- SHA256: 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc
- SHA512: 7c7d05b7380829caf16a95174f1d0e4433e23ac24c4b822e02349c3a8f53e7e91981e7186bbe8e72173b4cf3cdcfdf8e22dc899c59f632c78ec04b6c038bcea7
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 3136  process tmp9933.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
    process: tmp9933.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege  pid 4636  process 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
    description: Token: SeDebugPrivilege  pid 3136  process tmp9933.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 4636 wrote to memory of 4548  process 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe  target process vbc.exe
    PID 4636 wrote to memory of 4548  process 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe  target process vbc.exe
    PID 4636 wrote to memory of 4548  process 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe  target process vbc.exe
    PID 4548 wrote to memory of 4384  process vbc.exe  target process cvtres.exe
    PID 4548 wrote to memory of 4384  process vbc.exe  target process cvtres.exe
    PID 4548 wrote to memory of 4384  process vbc.exe  target process cvtres.exe
    PID 4636 wrote to memory of 3136  process 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe  target process tmp9933.tmp.exe
    PID 4636 wrote to memory of 3136  process 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe  target process tmp9933.tmp.exe
    PID 4636 wrote to memory of 3136  process 2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe  target process tmp9933.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hnoc0bs9.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA103.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc349133FE20B34C11BC13DF2622C029BE.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2809a452352da889eeed994581bfebd27e17189f363349a968437be67340dfbc.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESA103.tmp
  Filesize: 1KB
  MD5: a8e12d8e0af017b6e7c440ffd4281ec7
  SHA1: c9ded4b64e8502207c9d3e1e9ebcca6fc991496d
  SHA256: 3a8a7580c57e9baf0709c6c3720eff84d4a805d38d56adcec80ced10b8206cca
  SHA512: 88ba5e8bfee48f7f13af044a314b25881a40d04de73f2c4771a859dcf52ec4e1d0e9418609845f2a506d261f73934e865da18a11a3c0a9d4327167f63d8c658f
- C:\Users\Admin\AppData\Local\Temp\hnoc0bs9.0.vb
  Filesize: 15KB
  MD5: 3a5d894464d19567ee03f2bb83563c0d
  SHA1: dcbbe10de4633de96eb1692587503b6b88d00de4
  SHA256: d3554091ef19764a1698173edc5b96cabee14313de1b57b94f40b9bfc7c56ab2
  SHA512: 5d2e21c073b0eef4c578cea7aafadb6189457f3fc42880a459e181132887440778de559de020918a9040475d831405aa6df9c12e424fc19e75f3ca1b26676b8f
- C:\Users\Admin\AppData\Local\Temp\hnoc0bs9.cmdline
  Filesize: 266B
  MD5: 01159aeb0927fed263462635235ff399
  SHA1: 03dca062e0dd3c371aae6ab3a83efba0f0f61ccc
  SHA256: db91bd69a02995a62a071cc86485c6b62689bd2c095a25d3fffbb639c63183ac
  SHA512: b2c7b2cd225148f3dedb9d304ad30495fb16e6d6cb25f88f60a21f319a5f9f4029e280a0e70c2654bc337143754587a6e56db07dcfa812dc7a8a9f60c50f8982
- C:\Users\Admin\AppData\Local\Temp\tmp9933.tmp.exe
  Filesize: 78KB
  MD5: 405cec994ee599499f58516253d31b70
  SHA1: 116411536bb198572cb6a27e26c1003ba2d63c01
  SHA256: b817d807de07fb75e6214ba4b44725ae2463127d1ef1eaba05727e63b4332546
  SHA512: 6dc400e21a784e7ff347cd916d1de88670e3a31c40dbbfeb13ae0af6533379589e3cf3dc2288104fbbc9bbbd454eae447ff2a7002518402698f9956830ae1ec5
- C:\Users\Admin\AppData\Local\Temp\vbc349133FE20B34C11BC13DF2622C029BE.TMP
  Filesize: 660B
  MD5: 3421fa6b4239de530eeb762dea535b6f
  SHA1: 8a99eb144657440ddf300203563b8f8191b52afa
  SHA256: 0a57e75cb883d5c26e04e7dd6b863ff424a62078b100cf386bf0d464907a4bba
  SHA512: cbcc0d8b9f8b2cf18c2ece7510b45f371e2d361f86b3289d907bccfc4bfbe6ccb4ac90833a1823d407a8cfb1eca816a35bb26e7789970878c5f2cb1ab6f2ef94
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
- memory/3136-139-0x0000000000000000-mapping.dmp
- memory/3136-141-0x00000000754D0000-0x0000000075A81000-memory.dmp
  Filesize: 5.7MB
- memory/4384-135-0x0000000000000000-mapping.dmp
- memory/4548-131-0x0000000000000000-mapping.dmp
- memory/4636-130-0x00000000754D0000-0x0000000075A81000-memory.dmp
  Filesize: 5.7MB