Analysis
- max time kernel: 166s
- max time network: 203s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 09-05-2022 00:25
Static task: static1
Behavioral task: behavioral1
  Sample: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
  Resource: win10v2004-20220414-en
General
- Target: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
- Size: 78KB
- MD5: 00a5cb539ee1e451fd035c658f8b3cec
- SHA1: a0cd23c3c67d184c789203ef60ba8c6f45b38204
- SHA256: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a
- SHA512: 4dad74d7783123f125d4b0695c4b19019cd2f3b3a957c0983ed31ee009a7d94a2f87e860a3fe0f6c48fd72f1793101ec6e030dcf910eb8e46d3363bfafd7c8cd
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE (1 IoCs)
Processes: tmpEE56.tmp.exe
  pid   process
  1072  tmpEE56.tmp.exe
-
Deletes itself (1 IoCs)
Processes: tmpEE56.tmp.exe
  pid   process
  1072  tmpEE56.tmp.exe
-
Loads dropped DLL (2 IoCs)
Processes: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
  pid   process
  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
  description              pid   process
  Token: SeDebugPrivilege  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe, vbc.exe
  description                       pid   process                                                                    target process
  PID 1352 wrote to memory of 1304  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  vbc.exe
  PID 1352 wrote to memory of 1304  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  vbc.exe
  PID 1352 wrote to memory of 1304  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  vbc.exe
  PID 1352 wrote to memory of 1304  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  vbc.exe
  PID 1304 wrote to memory of 1096  1304  vbc.exe                                                                    cvtres.exe
  PID 1304 wrote to memory of 1096  1304  vbc.exe                                                                    cvtres.exe
  PID 1304 wrote to memory of 1096  1304  vbc.exe                                                                    cvtres.exe
  PID 1304 wrote to memory of 1096  1304  vbc.exe                                                                    cvtres.exe
  PID 1352 wrote to memory of 1072  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  tmpEE56.tmp.exe
  PID 1352 wrote to memory of 1072  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  tmpEE56.tmp.exe
  PID 1352 wrote to memory of 1072  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  tmpEE56.tmp.exe
  PID 1352 wrote to memory of 1072  1352  054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe  tmpEE56.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj51ox4h.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF088.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF078.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe" C:\Users\Admin\AppData\Local\Temp\054d3c9da322f4be1535187db74d55702f0c04c45aa26ac455c6525f21b6283a.exe
    - Executes dropped EXE
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESF088.tmp
  Filesize: 1KB
  MD5: 5a59e0d7f01a7148de2747200bccd861
  SHA1: 55d02d69371831fad42372e18c93a4d43035d810
  SHA256: 9ab70f394335bde512aa25d2d7f058084dd1d3d3952fcbd05dc159499fbcb7f0
  SHA512: 35ee45932b432c50f9d12e80091909069bedbea775b25d35c4c25e05ddf812a22155da73c58b0d462139601deb4cbac02b5d28115a4162352175091f4e0ad197
- C:\Users\Admin\AppData\Local\Temp\mj51ox4h.0.vb
  Filesize: 14KB
  MD5: 17161e9d69e4b1765d24df9de720ebd8
  SHA1: 412b48e90c436e9c30e14fe0494b0b63ac057a04
  SHA256: 004c5d3809e124e0f220351a89ff9341d1bc82331874797d341a28e7894c6780
  SHA512: 64b06de58e2e6afa098093866eae27667be7644f620bc176441f986eab37396a7e5294884d28c23a9411493b2d7aa85734bb72d721cf872b483d05cb1510ea78
- C:\Users\Admin\AppData\Local\Temp\mj51ox4h.cmdline
  Filesize: 266B
  MD5: f42809a66635046849c9536b7294ac45
  SHA1: a073381ceb9c3a907b3454a1879b76c0d6a0051c
  SHA256: 1e2278793197f73b584842af843d11bc02487dc5a5aec61cf972db16eaac9a0b
  SHA512: 66cc94fd22b8bb26621253931a4bd377f69a428312f2d9f9e674c695cc15e9713dea223a585d36179ae2b4be519cb6e0e8e13b539db7b7caed918eddaf63dfaa
- C:\Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
  Filesize: 78KB
  MD5: 98c7b85591c74500fb5647407bab264f
  SHA1: b8c944f4e3a1f5c3d7a2ffdad06789fc02b32af4
  SHA256: 14fb117ffb7a9e21cfd682c87b108f55cb8c6e419b92d9c99cd54a6a295aa0ed
  SHA512: 8cd020a8de1b7d59e6268473ecad0a118394fab755e6d9bcffaa3668b2782a9361d75bf7a4d7f2d8cfa65bca467beb1cf10ddac268a22a1083e5cecf59ba1e39
- C:\Users\Admin\AppData\Local\Temp\vbcF078.tmp
  Filesize: 660B
  MD5: 5c4c319f6f179079c3971ef986ac31a8
  SHA1: d12c1f9f6d303f0d02708e014251b2716c4d8af4
  SHA256: 54408ca509ab037641869bd5cc4a4f80a080f764d4e09ca17a45246ef4bbe3d7
  SHA512: 3926fca523d897fa830da8d5cd5d4669b506aa4015d86908cc38041c55582f8e8674ddd0b9858f7680988304f2d1de78c780aeaba7f5e8412fc2a49542a5cc78
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- \Users\Admin\AppData\Local\Temp\tmpEE56.tmp.exe
  Filesize: 78KB
  MD5: 98c7b85591c74500fb5647407bab264f
  SHA1: b8c944f4e3a1f5c3d7a2ffdad06789fc02b32af4
  SHA256: 14fb117ffb7a9e21cfd682c87b108f55cb8c6e419b92d9c99cd54a6a295aa0ed
  SHA512: 8cd020a8de1b7d59e6268473ecad0a118394fab755e6d9bcffaa3668b2782a9361d75bf7a4d7f2d8cfa65bca467beb1cf10ddac268a22a1083e5cecf59ba1e39
- memory/1072-66-0x0000000000000000-mapping.dmp
- memory/1072-69-0x0000000074170000-0x000000007471B000-memory.dmp
  Filesize: 5.7MB
- memory/1072-70-0x0000000000BC5000-0x0000000000BD6000-memory.dmp
  Filesize: 68KB
- memory/1096-60-0x0000000000000000-mapping.dmp
- memory/1304-56-0x0000000000000000-mapping.dmp
- memory/1352-55-0x00000000741E0000-0x000000007478B000-memory.dmp
  Filesize: 5.7MB
- memory/1352-54-0x0000000075C71000-0x0000000075C73000-memory.dmp
  Filesize: 8KB