Analysis

- max time kernel: 163s
- max time network: 178s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-05-2022 17:43

Static task: static1

Behavioral task: behavioral1
- Sample: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
- Resource: win10v2004-20220414-en
General

- Target: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
- Size: 78KB
- MD5: 0076c31673c59cad62f795210aaa96e2
- SHA1: a819bcca450431310dae5423110c9d227f167327
- SHA256: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886
- SHA512: cd5ae8b97052e259417b497136bf6da4b3806261d08d78a783fdc530ef09e2777c6360d2756df44dcd6a24978b3dba540a59bea645da57321d9c69335bf8bd9f
Malware Config

Signatures

- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
    pid 992   tmp7447.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1812  bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe (recorded twice, one entry per dropped DLL)
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege   pid 1812  bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each relationship below is recorded four times in the report):
    PID 1812 wrote to memory of 1460   bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe -> vbc.exe
    PID 1460 wrote to memory of 2020   vbc.exe -> cvtres.exe
    PID 1812 wrote to memory of 992    bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe -> tmp7447.tmp.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p4xycyrm.cmdline"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7570.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc756F.tmp"
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
    - Executes dropped EXE

(Bracketed numbers give the depth of each process in the tree.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files written during the run (path and size; the per-file hash listings are omitted here):

- C:\Users\Admin\AppData\Local\Temp\RES7570.tmp (1KB)
- C:\Users\Admin\AppData\Local\Temp\p4xycyrm.0.vb (15KB)
- C:\Users\Admin\AppData\Local\Temp\p4xycyrm.cmdline (266B)
- C:\Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe (78KB; also listed under \Users\Admin\AppData\Local\Temp\tmp7447.tmp.exe)
- C:\Users\Admin\AppData\Local\Temp\vbc756F.tmp (660B)
- C:\Users\Admin\AppData\Local\Temp\zCom.resources (62KB)
Memory dumps:

- memory/992-65-0x0000000000000000-mapping.dmp
- memory/992-69-0x0000000074860000-0x0000000074E0B000-memory.dmp (5.7MB)
- memory/992-70-0x0000000002095000-0x00000000020A6000-memory.dmp (68KB)
- memory/1460-55-0x0000000000000000-mapping.dmp
- memory/1812-54-0x00000000763C1000-0x00000000763C3000-memory.dmp (8KB)
- memory/1812-68-0x0000000074860000-0x0000000074E0B000-memory.dmp (5.7MB)
- memory/2020-59-0x0000000000000000-mapping.dmp