Analysis

- max time kernel: 203s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 02:32

Static task: static1

Behavioral task: behavioral1
- Sample: b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
- Resource: win10v2004-20220414-en
General

- Target: b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
- Size: 78KB
- MD5: 128cc2228ba32b1ed2512226a5e7bf99
- SHA1: 16cd4a058914b612774135eaa4ef1dab80007e7e
- SHA256: b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a
- SHA512: 1c6de9732892c2e24f0afed86cf5230ee731eeae82fde731053019f19ebaa3f745a7f8b558b786e44a3e656b7094e59ef7212226b1509c29ae4bb9479e3f2500
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoCs)
  Processes:
  PID 1160  tmpDC85.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe: key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  tmpDC85.tmp.exe: set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  PID 1984  b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe  Token: SeDebugPrivilege
  PID 1160  tmpDC85.tmp.exe  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID wrote to memory of target PID):
  PID 1984 wrote to memory of 4020: b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe -> vbc.exe (3 events)
  PID 4020 wrote to memory of 5088: vbc.exe -> cvtres.exe (3 events)
  PID 1984 wrote to memory of 1160: b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe -> tmpDC85.tmp.exe (3 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_gnctypp.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAA5B045ACF440358B9EC8BC1D54BA7.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmpDC85.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDC85.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b50f14b550182671a71951f118c140a98cbd5a1b98dd5fd9a3f31b82667e861a.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\RESDFC1.tmp
  Filesize: 1KB
  MD5: 906a2d2a7ba0b1ae3c4b466f52549635
  SHA1: e211fb69310f86a16d4067828226f6151c855183
  SHA256: 701c387d11abe6b827cd184f9f074720ea23b4c919d070ecddd64041f7a59945
  SHA512: f5807cd25c8151ad47933c51a21dfbb8eb6188c25a8e46ad3587228acc47575ece065d75a50279d565cf24d1fd71a6d9970b7332e505a0a876451ec91fb607f3

- C:\Users\Admin\AppData\Local\Temp\_gnctypp.0.vb
  Filesize: 14KB
  MD5: 47f8576f731c7aec0b2a10f1dc2efd98
  SHA1: 414dbc7c76b1fc590b02612f775334e9498c591b
  SHA256: 5568407695c2404f97bffff697326487876c655775bf471f7867909af137a619
  SHA512: 6c655d6b1e51c00a081ff77ddae0bae5664e7fda3def915d340164563907e170d7d660235a05fce1374099cfc1d023bf966cc0b295b171ace1d8b4212aef67d4

- C:\Users\Admin\AppData\Local\Temp\_gnctypp.cmdline
  Filesize: 266B
  MD5: 115fc5a72e689c98c5cd60b87bea1903
  SHA1: b7fbaeada4a25429441f5af472c7b243ecd29adc
  SHA256: 455a6a9c6389bb640c72785637ec50cb8ca2a77ffdf5739a514e487df30e5c06
  SHA512: d8b08d0159366c63b14b58872eb6a032e21b7c154b96a46fa04901e329b6e50bd0eb273437357c7fb1f414a79cda1fbd9680e31fe72153eb4c2c0a1ef4c0e854

- C:\Users\Admin\AppData\Local\Temp\tmpDC85.tmp.exe
  Filesize: 78KB
  MD5: 2835a19bc49f8ca9ef22cde20a12b8ac
  SHA1: 8d545feb7c439704bea41f424bbd6d06fb4619ef
  SHA256: 8cc5bd85e4fe725efa3069a9154e9220ff78a805d5823dd6f5dc1809d9da1167
  SHA512: c1905eb3d62bb292041896812b312bab8cb869379a6bd331f1aea8128bf31b62e1ba598037fe75f53e081e1e8ad7478186ca8a94bde312097f4b12c3bb35383a
- C:\Users\Admin\AppData\Local\Temp\vbcFAA5B045ACF440358B9EC8BC1D54BA7.TMP
  Filesize: 660B
  MD5: f46806aff23de3e1f542d059962b9434
  SHA1: 87536980471798f2d0a41887ff757269f37b3dfd
  SHA256: e942d9f7613b00985e0801529f4fb6f9f3f536d3c1c5ad1dfff062ab4388900b
  SHA512: 7083a8d4aafaeca95e9103600681bcb9cb0035a398fe07ef50147e417fa7fa61987ce43685323dc1b90f3d9f9c606a24e00b7d5027eded0300b08a8d42276c0d

- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

- memory/1160-139-0x0000000000000000-mapping.dmp

- memory/1160-141-0x00000000749D0000-0x0000000074F81000-memory.dmp
  Filesize: 5.7MB

- memory/1984-130-0x00000000749D0000-0x0000000074F81000-memory.dmp
  Filesize: 5.7MB

- memory/4020-131-0x0000000000000000-mapping.dmp

- memory/5088-135-0x0000000000000000-mapping.dmp