Analysis
- max time kernel: 189s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-05-2022 00:49
Static task: static1
Behavioral task: behavioral1
  Sample: eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
  Resource: win10v2004-20220414-en
General
- Target: eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
- Size: 78KB
- MD5: 22925b7ae382e5821f8706641672eabf
- SHA1: 694980b0dfe105ff8fa89f6899605f83d6f05771
- SHA256: eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049
- SHA512: c678ddd737f8b27df377eab594ce2d65d0ac026dcba3446fc51b1dd89a7df8066de96ca13cc5d1e595113380c94ba49662087a3bb313d106add1d5b9dc26f819
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2096 | tmpCC29.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" | tmpCC29.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4020 | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
    Token: SeDebugPrivilege | 2096 | tmpCC29.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4020 wrote to memory of 2156 | 4020 | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe | vbc.exe
    PID 4020 wrote to memory of 2156 | 4020 | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe | vbc.exe
    PID 4020 wrote to memory of 2156 | 4020 | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe | vbc.exe
    PID 2156 wrote to memory of 2652 | 2156 | vbc.exe | cvtres.exe
    PID 2156 wrote to memory of 2652 | 2156 | vbc.exe | cvtres.exe
    PID 2156 wrote to memory of 2652 | 2156 | vbc.exe | cvtres.exe
    PID 4020 wrote to memory of 2096 | 4020 | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe | tmpCC29.tmp.exe
    PID 4020 wrote to memory of 2096 | 4020 | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe | tmpCC29.tmp.exe
    PID 4020 wrote to memory of 2096 | 4020 | eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe | tmpCC29.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xehhyhgu.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc807DA5D354F04228BFB8503C85472BC9.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eda8ef8c47cbee5abb06772acb1ec0f9054bf0d905f55b4b55c92b376d83d049.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESCE3D.tmp
  Filesize: 1KB
  MD5: 237fa6bb60c11a2a0f3139558825c4fa
  SHA1: 9d947fa70e949e66c155a7c9c078a3aa1a114cf5
  SHA256: 76576a122e8224d18a57d445e32edc91bfb56e086f1d0591a94f5d6a82b76878
  SHA512: 89d3a305cdcdce46ee697ec385af035a29966b5accf6735169b4f79bdf589c73c890ce886c35759db13396c6e5d3cc3f141ffa262055d38282516ff7c0d89df4
- C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp.exe
  Filesize: 78KB
  MD5: 9ac90888a5b5aaa027a61c768e345b41
  SHA1: 60142c327b877337d8653baf05fe5a5450ca9727
  SHA256: 58d5c2c7d9c5cf7b9140f4313cef5679e499aab953febf2b33734ca292a61c82
  SHA512: 127a3eaf2cea5cadfe9857fdbc53643790f8725012c6aa9d69442f70ee36a83541c8f9eb75b8ec626323e428d3292257ab373eacfe2e00928da6d93991df3766
- C:\Users\Admin\AppData\Local\Temp\vbc807DA5D354F04228BFB8503C85472BC9.TMP
  Filesize: 660B
  MD5: 7fa54457c444313e825ff1f45abe8a84
  SHA1: 7e3ba071a99a195ed125fca10dfc918cb966f455
  SHA256: eb198ef3f4352ec74c3a45a58fbe917da9a97784ad49b4364778bb1520f7db8e
  SHA512: 5958543e8b78bb3f98512e8cee461d0a5a6ad4b8d15b5e72daab17ef6e7a2f94f384353bdf9d7dbe808c1acf1e8586d37563f93d97e003f23c8ff153fb2e2bf5
- C:\Users\Admin\AppData\Local\Temp\xehhyhgu.0.vb
  Filesize: 15KB
  MD5: 12291703f69a177b3e9b0f2acd57c4d9
  SHA1: 4b16e45407858ebc4b4c8ddf33139263b2d4dc90
  SHA256: a2a941ff8c395c1eb75c500d332c3c83d0b7fa1c5c1b01c353baa2147ee38844
  SHA512: c53e8020eb52ba2821b3556a699ee699b5648e6a6d5d7bac5165b46a21d891972a9df5af707083405f7249cf4b1bcc26129523e30bc58a4a6aa8a37390a3ceea
- C:\Users\Admin\AppData\Local\Temp\xehhyhgu.cmdline
  Filesize: 266B
  MD5: 3152cc764e9f2c9609d7a32b28ba5191
  SHA1: fec2eff3712caad3fd81584b4c4f75aeb40700bd
  SHA256: 7d009b296a2f6014af87cdbd8380163b402cab0797d7c46c8562b83015d26502
  SHA512: 2b2c1354317c1a1107955574328b199fe6fec9ba9332f351c3abbccfb09ec588bc33ace2b656977fd1ba3151a4486a9e84f9bea665c4b66289fb99931844514c
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
  SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
  SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
  SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d
- memory/2096-139-0x0000000000000000-mapping.dmp
- memory/2096-141-0x0000000074F00000-0x00000000754B1000-memory.dmp
  Filesize: 5.7MB
- memory/2096-142-0x0000000074F00000-0x00000000754B1000-memory.dmp
  Filesize: 5.7MB
- memory/2156-131-0x0000000000000000-mapping.dmp
- memory/2652-135-0x0000000000000000-mapping.dmp
- memory/4020-130-0x0000000074F00000-0x00000000754B1000-memory.dmp
  Filesize: 5.7MB