Analysis
max time kernel: 202s
max time network: 260s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-05-2022 03:12

Static task: static1

Behavioral task: behavioral1
  Sample: ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
  Resource: win10v2004-20220414-en
General
Target: ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
Size: 78KB
MD5: 06af9b765f0971d34da6cee01bb0dfd3
SHA1: d418e6d883263be3253b8e7884b3481ee9e362ba
SHA256: ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48
SHA512: 3d20ef5897663c30fc0669fc0f1498d9b7f9fee5a1ab002022a03140e9075797eb8c4108777f22888d44004dc914601a71066592ae9b1a3c52b03bab0959f285
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2720  tmpD254.tmp.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  process: ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmpD254.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  556   ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
  Token: SeDebugPrivilege  2720  tmpD254.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                                               target process
  PID 556 wrote to memory of 5116   556   ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe  vbc.exe
  PID 556 wrote to memory of 5116   556   ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe  vbc.exe
  PID 556 wrote to memory of 5116   556   ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe  vbc.exe
  PID 5116 wrote to memory of 1668  5116  vbc.exe                                                               cvtres.exe
  PID 5116 wrote to memory of 1668  5116  vbc.exe                                                               cvtres.exe
  PID 5116 wrote to memory of 1668  5116  vbc.exe                                                               cvtres.exe
  PID 556 wrote to memory of 2720   556   ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe  tmpD254.tmp.exe
  PID 556 wrote to memory of 2720   556   ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe  tmpD254.tmp.exe
  PID 556 wrote to memory of 2720   556   ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe  tmpD254.tmp.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p0fidx5o.cmdline"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD551.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE63B9C76BD7141959E9B52BEAF1DBEC6.TMP"

  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmpD254.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpD254.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ba0d2916dfa7f5be3b4698d5d1688d8e05e50b0ffe102a41a21d104ac1ba5f48.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads