Analysis
Max time kernel: 184s
Max time network: 197s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 11-05-2022 01:39
Static task: static1
Behavioral task: behavioral1
  Sample: 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
  Resource: win10v2004-20220414-en
General
Target: 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
Size: 78KB
MD5: 0d9c2592b4c26d0442c9bd807979f66e
SHA1: af6180101e58fb4489c54fe8f78840a41e0e86fd
SHA256: 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806
SHA512: 5000a9a5a30f4ff638b153ebff11c3143c6b2de35b368f4e17f4c76088906980fa1293b70aa58eb604597375b23720d2644ad26f5042f35fd9573f349ad097ec
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE 1 IoCs
Processes:
  pid 4064 tmp87ED.tmp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe: Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  tmp87ED.tmp.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege, pid 2540, 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
  Token: SeDebugPrivilege, pid 4064, tmp87ED.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes (pid, process -> target pid, target process):
  2540 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe wrote to memory of 1568 vbc.exe
  2540 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe wrote to memory of 1568 vbc.exe
  2540 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe wrote to memory of 1568 vbc.exe
  1568 vbc.exe wrote to memory of 4860 cvtres.exe
  1568 vbc.exe wrote to memory of 4860 cvtres.exe
  1568 vbc.exe wrote to memory of 4860 cvtres.exe
  2540 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe wrote to memory of 4064 tmp87ED.tmp.exe
  2540 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe wrote to memory of 4064 tmp87ED.tmp.exe
  2540 348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe wrote to memory of 4064 tmp87ED.tmp.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhpizw2l.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB398E614C9D443FDB7DC45E961387F5.TMP"
  - (level 2) C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\348b521395af11490ff6eeb05a8efb5637d6c9fa2c4051418db55dcd9d7d7806.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES8B29.tmp
Filesize: 1KB
MD5: ed36eec5d8fb3dc637cb626988b1303b
SHA1: 99cb2ef2bff6af90d04ae74b06de349f19cbc996
SHA256: 7e8a2cc1f557b86ae68f5e4a97237511aae7559e17e5ef0f425b71032cb45f1a
SHA512: 652ded81c5d3179e6e73f3be59627b2b1ea01dd5d4d6fc28faa287163921b973b843767f55893f459e128f2a8633b8165cccbef4148cf86b58c5da00db488044
-
C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.exe
Filesize: 78KB
MD5: 9a5da0fb6b6d98e06a3b7bd60ca5fc3e
SHA1: 9793e0ee4d92ce5cd4c75434546d2a6ca44edb3b
SHA256: df5a4af2a95f6d756b34e0cb3df0c77f136b8f23063af15d3fa3f50e6f9f28c5
SHA512: 916723a40e524460d0f69a0f1cc5bf0b15123212b2d96fc399206979e562fb8fa47eef182acc917120613d3743863f3fa08ad5717f44d83b7a0f4fec7b048a81
-
C:\Users\Admin\AppData\Local\Temp\vbcB398E614C9D443FDB7DC45E961387F5.TMP
Filesize: 660B
MD5: e6a84c9bc907afeee4703eb619a05466
SHA1: a455bc47fa0f83b71ed12b43ca1bb62411a64b13
SHA256: 06cb5a77e1a523fef403a39763392f15136ad8012f0b1489403aad9af095033f
SHA512: 367c333494b69771c23153b2f3258d9d2b17f155e3684531192fb8e20d68e71bd63cd4a7d0bb597e8315a5411cc1cf20aa944a1c7b6979a3031f0051e924b51b
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
-
C:\Users\Admin\AppData\Local\Temp\zhpizw2l.0.vb
Filesize: 14KB
MD5: 41f00fc7f82e5b1aacd6778373fbe009
SHA1: f1c6d2e61b18e08204961fc747d067cca570c454
SHA256: 9f98f7f64c091e9c96c9738fcf0d1fdd02ab25a6a08b4887737274980660fb72
SHA512: 178c9d51825af92e184dae8cb104bfa83bc83431f0b88ba7712ac27242a376b7bf91061594879ffff22608c48a2ec0c1a7249f6567a7074124d9dc405cbe7456
-
C:\Users\Admin\AppData\Local\Temp\zhpizw2l.cmdline
Filesize: 266B
MD5: 2ceebbc8bb8862054212554cb246efbc
SHA1: 931f5f12ee485a3fb52952e5ed48c5933f3839b5
SHA256: eef1e87c8b7bc9b39b92a515adfd9fa0da6b363d704dbf18cb130904c847923f
SHA512: f3d9186ccf9d6daf82f1d0f08e5b0b2607b570e7225fa7c6b3fa5ffd4f8eb663f04524c6decbf90b69690016de7cf304624b7d03169692d73036924213a6f928
-
memory/1568-131-0x0000000000000000-mapping.dmp
-
memory/2540-130-0x00000000752A0000-0x0000000075851000-memory.dmp
Filesize: 5.7MB
-
memory/4064-139-0x0000000000000000-mapping.dmp
-
memory/4064-141-0x00000000752A0000-0x0000000075851000-memory.dmp
Filesize: 5.7MB
-
memory/4860-135-0x0000000000000000-mapping.dmp