Analysis
Max time kernel: 163s
Max time network: 170s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 09-05-2022 00:14
Static task: static1
Behavioral task: behavioral1
  Sample: 0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
  Resource: win10v2004-20220414-en
General
Target: 0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
Size: 78KB
MD5: 049706e8f7a0c6b01a311664a87d2e36
SHA1: 3cfb3a3d7601c6f47699da99f8d50069489934e0
SHA256: 0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf
SHA512: 88dbbbeb8b2f982fff0d91266e9e61bac07b8bb7ae1ad0dfb0af7bb81ee16387c6a55cc4512c48a10d1a8d695c53d8c012315c18eda37f66ce4d876349245588
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoCs)
  Processes:
    PID   Process
    1884  tmp8E07.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Description: Key value queried
    IoC: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
    Process: 0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    Process: tmp8E07.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Description              PID   Process
    Token: SeDebugPrivilege  3484  0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
    Token: SeDebugPrivilege  1884  tmp8E07.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    Description                       PID   Process                                                                Target process
    PID 3484 wrote to memory of 1216  3484  0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe  vbc.exe
    PID 3484 wrote to memory of 1216  3484  0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe  vbc.exe
    PID 3484 wrote to memory of 1216  3484  0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe  vbc.exe
    PID 1216 wrote to memory of 2284  1216  vbc.exe                                                                cvtres.exe
    PID 1216 wrote to memory of 2284  1216  vbc.exe                                                                cvtres.exe
    PID 1216 wrote to memory of 2284  1216  vbc.exe                                                                cvtres.exe
    PID 3484 wrote to memory of 1884  3484  0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe  tmp8E07.tmp.exe
    PID 3484 wrote to memory of 1884  3484  0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe  tmp8E07.tmp.exe
    PID 3484 wrote to memory of 1884  3484  0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe  tmp8E07.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aly4uv5d.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFF2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1846BC4EEF1541F7AB4CCEC09C98A0EC.TMP"

  C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f88ee7284475cc452ae1ad91f042d0cee8599d5617227878f4f87e2af8a9ddf.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESCFF2.tmp
  Filesize: 1KB
  MD5: 43d3849f18c69753bbb1b4c784178a84
  SHA1: 0d0411c257a0438df36d718dd897b94c92b47998
  SHA256: 5f45df4f9e0abb24a14e9cbb390a1832a9252298d3c74ecc5b8b580f5d7a59ef
  SHA512: fd0aea077ad2a2ee2602e3a7f75cea4f4ee0a70c2b6c08dc5ce949e64ea4637773cb61279051720b18da9c1dff84e3ca6cf2ac427e46d4e5468d54f2bec468ef
- C:\Users\Admin\AppData\Local\Temp\aly4uv5d.0.vb
  Filesize: 14KB
  MD5: 5bab3f0a5c0d27a9d6cc65a017a46658
  SHA1: 1bac1a95521f370ad5c3686263b21f90c60e8bf6
  SHA256: f383ae825695ff5c02112ddd1fb6d9fdadceafdcd63475b452319a61a835f24c
  SHA512: 24f622aa48c3e490e29730d6cc59046a831923ca3e8ae43198d09ba472426f084024f12ebb96f5dd20d61cd3fac351bd950955b99b498e9edd70f87cdca1480e
- C:\Users\Admin\AppData\Local\Temp\aly4uv5d.cmdline
  Filesize: 266B
  MD5: 2dd95eb8db469878647508bc137e3b69
  SHA1: b8fb4e1f0d35f856ecf1c24a62092d9ef5ab0b26
  SHA256: db41c1da4828221fd72ea603cfa21ec06769913adb2b6088914491f193ce9c79
  SHA512: 94c1fc31ef5b9ba94799e9ec5747ec776747c06269341bbd17fcdd9f5c244a4f75e16f79ae452445bb3e1557c0b702163a9b36794224a8a3c299441ee2c5d1c9
- C:\Users\Admin\AppData\Local\Temp\tmp8E07.tmp.exe
  Filesize: 78KB
  MD5: 9680eb83e4b18e173b391c82c46c0df8
  SHA1: 9302fa92bfdf6bac2759a714ecbd58f7001447bd
  SHA256: a471a2e9d32f3cc965a3c97f588d275a08dbb080b9fd2ca762c57c4c7e6aa0be
  SHA512: f3a19e27a3749bd518c60a8a650d14ed716118e2ac8b91925833840ab17c76a2270683945a6d1415b26a09a16b2129e85377fd72e813fc6c17643f5c225857e6
- C:\Users\Admin\AppData\Local\Temp\vbc1846BC4EEF1541F7AB4CCEC09C98A0EC.TMP
  Filesize: 660B
  MD5: 3c421d172f9ffd4b565b1ee9e927f26c
  SHA1: eb16123160baadadac89d16752518a7ceb18bef4
  SHA256: 2d3c72aaceae239fb4fd1499ba984474c23f897dd16e0de6e4ee0bab2ff95fa2
  SHA512: 60ec3abbfa831b5a8e8566f8923b6b7f28ce88285b5321d56d217be0b1dd7235119077da0339358d7b1964c4e58dfb742a12a79d0fabd412b21d3aed6c13d18a
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/1216-131-0x0000000000000000-mapping.dmp
- memory/1884-139-0x0000000000000000-mapping.dmp
- memory/1884-141-0x0000000075470000-0x0000000075A21000-memory.dmp
  Filesize: 5.7MB
- memory/2284-135-0x0000000000000000-mapping.dmp
- memory/3484-130-0x0000000075470000-0x0000000075A21000-memory.dmp
  Filesize: 5.7MB