Analysis
- max time kernel: 190s
- max time network: 230s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 17:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
  - Resource: win10v2004-20220414-en
General
- Target: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
- Size: 78KB
- MD5: 0076c31673c59cad62f795210aaa96e2
- SHA1: a819bcca450431310dae5423110c9d227f167327
- SHA256: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886
- SHA512: cd5ae8b97052e259417b497136bf6da4b3806261d08d78a783fdc530ef09e2777c6360d2756df44dcd6a24978b3dba540a59bea645da57321d9c69335bf8bd9f
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 1032: tmpAC9B.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe)
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 2276, bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
  - Token: SeDebugPrivilege, pid 1032, tmpAC9B.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 2276 wrote to memory of 4132: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe -> vbc.exe (reported 3 times)
  - PID 4132 wrote to memory of 2432: vbc.exe -> cvtres.exe (reported 3 times)
  - PID 2276 wrote to memory of 1032: bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe -> tmpAC9B.tmp.exe (reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rbcy9ps2.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE16C0EE656FB4C3A86B0E9C4A9BBE41B.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bbec4bc9ce41bd153e6645a7318ca4e7baee13ca39a6d952bfa08352f9666886.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESD6E7.tmp (1KB)
  MD5: 12215bd92fe0fac8b21183c3ce78a342
  SHA1: d360100d7bc668fda089c8d6b57620b27c5639b5
  SHA256: 701fabbd6cc3d58c908d6262111d84b406b319769af5ad8aed69b84bcd5e197c
  SHA512: 6371e49a3685635dc56f833ad34625ed582ecd5e12ec594bbb65648f0b2c31a7f288836004ed44df8cf39550dcebaaeeef41b17cfdd40d0610d12b12cae3b7d2
- C:\Users\Admin\AppData\Local\Temp\rbcy9ps2.0.vb (15KB)
  MD5: 2409351c0467fe812fc5e9cd5cb46688
  SHA1: f0c54cbc5192ede23150155c77c63f7f677995a9
  SHA256: 95c77ce0d00105f84c7ddc91d48485222339b824fe199b27fb5e045fb6c47c14
  SHA512: 24332aee894ea3f671c56ebe5ea0c197ab78519b853bb55cbc8e9905d01d60c8cd84a0715faaa16cb345dcceaaa0ada5856daac4065327d2255ba441a79a4601
- C:\Users\Admin\AppData\Local\Temp\rbcy9ps2.cmdline (266B)
  MD5: b250a7d3f8174dbfc26ff66fd3a40edf
  SHA1: f6413ecc513a62e8c3f795a3def92f5370341032
  SHA256: 0a748d8e34e9ae3036a22c92e42d4094fa146d9d97f101abe8a65df994e2f4f5
  SHA512: 6e67467f78ab10041ebe840dcbb030b2f50f27c2647bad547911ad2a1feba4cc06fddd5c89b5094f8e333fddbe0300f32389ba35b33eb226f783578763c7e5b5
- C:\Users\Admin\AppData\Local\Temp\tmpAC9B.tmp.exe (78KB)
  MD5: 25c69f002d0f935652713090d231eae1
  SHA1: e77ce76ccf7bd8ead886e28ce5145de74060244c
  SHA256: 5fc378f159321c0f1fd05e5ed7ed8d056ad677ec18807788c1ab882baf795073
  SHA512: 78264b8271af06e3351207a0b01ddf7493b010da64a275cfd90dd0961447fd1972fdb0c7364191dc0b7cb8442381ac3e544c4c51b63d5562b3c92b6f3e72e4cd
- C:\Users\Admin\AppData\Local\Temp\vbcE16C0EE656FB4C3A86B0E9C4A9BBE41B.TMP (660B)
  MD5: 962f4c63222a47b98a6f57b8e50473cb
  SHA1: 8626d33171228fcbcd2ec2f83ff189305a1b7b25
  SHA256: e519cc38a02fda17218421f2cabe61139075b8d88dce75b5bef74d9516834b17
  SHA512: eb8da20f69e8ab0c8d0e4744cd220c3849a3362a370d580be88b9d5e93ea9719ade4263862d06d67dcbe7c0417fc1e20b639b63ab0a5098c0f3819316cfe99c9
- C:\Users\Admin\AppData\Local\Temp\zCom.resources (62KB)
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- memory/1032-139-0x0000000000000000-mapping.dmp
- memory/1032-141-0x00000000752D0000-0x0000000075881000-memory.dmp (5.7MB)
- memory/2276-130-0x00000000752D0000-0x0000000075881000-memory.dmp (5.7MB)
- memory/2432-135-0x0000000000000000-mapping.dmp
- memory/4132-131-0x0000000000000000-mapping.dmp