Analysis
- max time kernel: 187s
- max time network: 222s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10-05-2022 19:44
Static task: static1
Behavioral task: behavioral1
  Sample: eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
  Resource: win10v2004-20220414-en
General
- Target: eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
- Size: 78KB
- MD5: 015b121254c946730c35060c7677e4f9
- SHA1: f085f06f9034fee0f222dc3b173c1a5b1cd10b60
- SHA256: eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7
- SHA512: 7563d7410cdc80f2cb63c4c4d45c8636141af2f5ab870e17fb0c0f8ebed0032943c9144b0132da29390252d3a190baec8560ba350b73068dddddd04d35cf3a7d
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1136 | process tmp5CC6.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    process: tmp5CC6.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege | pid 3412 | process eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
    description: Token: SeDebugPrivilege | pid 1136 | process tmp5CC6.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3412 wrote to memory of 376 | 3412 | eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe | vbc.exe
    PID 3412 wrote to memory of 376 | 3412 | eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe | vbc.exe
    PID 3412 wrote to memory of 376 | 3412 | eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe | vbc.exe
    PID 376 wrote to memory of 1580 | 376 | vbc.exe | cvtres.exe
    PID 376 wrote to memory of 1580 | 376 | vbc.exe | cvtres.exe
    PID 376 wrote to memory of 1580 | 376 | vbc.exe | cvtres.exe
    PID 3412 wrote to memory of 1136 | 3412 | eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe | tmp5CC6.tmp.exe
    PID 3412 wrote to memory of 1136 | 3412 | eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe | tmp5CC6.tmp.exe
    PID 3412 wrote to memory of 1136 | 3412 | eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe | tmp5CC6.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0izt6o61.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc545750FC1DD04479AC14F65CEF6D53D8.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb059bb4bd68829a4fc5c3b695f0990b9c187e53b38efa7ab149fe6f6629adc7.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\0izt6o61.0.vb
  Filesize: 14KB
  MD5: 4b6a3bb824537a024f610ae976e968c1
  SHA1: 87b6f542f86fb16525210eab75e301848c3cabff
  SHA256: 80a90b0e192103ba3f639a5d60cba38292433582856b909fe6f6838fc1eb5409
  SHA512: bd774ff45601505fed02839b41c478ac611af94ff325a703131fe6096097d7772e3f2c63abaa878cb0802aeeea2f0f6186705ae8762d52065643b703f81071a6
- C:\Users\Admin\AppData\Local\Temp\0izt6o61.cmdline
  Filesize: 266B
  MD5: cfc4fd3ea1ca7017225f9283b284c802
  SHA1: 4f32bc25b3229403d8255522f9b634fed9f0721e
  SHA256: b837af97ed846082567a932f406923e39325f7466dd386e1fb07c0c9ef2b694b
  SHA512: 5e9e3ab09cc3f1477266e000d326011d4f436cf88a6f73c4630586f90a760391274c9826a143e808ab47436ae0668da7a352b6dd9c8650a925fc0ed56344605e
- C:\Users\Admin\AppData\Local\Temp\RES64F4.tmp
  Filesize: 1KB
  MD5: f1ab9a9472f6d28dac20239700ba2ae7
  SHA1: 44af10458b865a0c74185c72d0b5724f9b53e2e1
  SHA256: ea9a7ad694342d5399aafcc28a86698de1b70902ee4e55a75270a0a51b64314a
  SHA512: b0a844148272823c54d05445800c5f84d0647f37d23ccfdb0bd25fb155aec9af0c642699f6d2df62abc2ca706937355c525c428163ba17cebe95ee26360d8e54
- C:\Users\Admin\AppData\Local\Temp\tmp5CC6.tmp.exe
  Filesize: 78KB
  MD5: 5cdd52b358306575777bc250dc7e820a
  SHA1: 05a3d1bbc30b6367e65bebb027994da77a335074
  SHA256: 8045c512f4d45ee4e283592e63c0c946db23deff0a8a5e9b58a1cb5e062b1bb7
  SHA512: 554d9ba79131e6e9352042d16a7bde43cb8f123f24b69ea9f0ba58b5aa5e7d18a7d209b2e6e781d07c7747a40345864f9453b465393fb85142949fae16c2af50
- C:\Users\Admin\AppData\Local\Temp\vbc545750FC1DD04479AC14F65CEF6D53D8.TMP
  Filesize: 660B
  MD5: 8a7b963bb496162997126dcbaaf8af3c
  SHA1: 418c1c93cd8d015d5c68bff9e78abdb8b6f4194f
  SHA256: d5d6fb1f9555e8a3e61e6b10cb942c6f5a2e3a7e34d5ccd03828010eda1bee60
  SHA512: 2dcf05a0cd2db331aed162b2e188bbe33cdfa6712161edbc46f2fa311eefd09c22378bfbeb366048485d0a5a0efd9adc1d97445b0483b315f4513731ce22ed40
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/376-131-0x0000000000000000-mapping.dmp
- memory/1136-139-0x0000000000000000-mapping.dmp
- memory/1136-141-0x0000000074DB0000-0x0000000075361000-memory.dmp
  Filesize: 5.7MB
- memory/1580-135-0x0000000000000000-mapping.dmp
- memory/3412-130-0x0000000074DB0000-0x0000000075361000-memory.dmp
  Filesize: 5.7MB