Analysis
max time kernel: 174s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-05-2022 16:46
Static task: static1
Behavioral task: behavioral1
  Sample: 5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
  Resource: win10v2004-20220414-en
General
Target: 5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
Size: 78KB
MD5: 03e7554116590a34c071d2c7954df17d
SHA1: d4b801e0f7427bf55e2440b59139cb4365a54e62
SHA256: 5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3
SHA512: 148aa862f433bfc3f006e596a7d273546d389a9740a738a0abf11d152b0437fb1ed474854ac1904e740c7441670f170235b8f00eabd7ee57bf688c47fb963c40
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2436  tmp54F6.tmp.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  process: 5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp54F6.tmp.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4744  5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
  Token: SeDebugPrivilege  2436  tmp54F6.tmp.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 4744 wrote to memory of 2748  4744  5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe  vbc.exe
  PID 4744 wrote to memory of 2748  4744  5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe  vbc.exe
  PID 4744 wrote to memory of 2748  4744  5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe  vbc.exe
  PID 2748 wrote to memory of 4784  2748  vbc.exe                                                                cvtres.exe
  PID 2748 wrote to memory of 4784  2748  vbc.exe                                                                cvtres.exe
  PID 2748 wrote to memory of 4784  2748  vbc.exe                                                                cvtres.exe
  PID 4744 wrote to memory of 2436  4744  5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe  tmp54F6.tmp.exe
  PID 4744 wrote to memory of 2436  4744  5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe  tmp54F6.tmp.exe
  PID 4744 wrote to memory of 2436  4744  5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe  tmp54F6.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m989ugl0.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B79C337F7074378ACC68D56E4E362DE.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5731b6f1e4ff3229cfb784ce7c75054f7d312e0e5c2d0c14d2f11a78b8146ab3.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp
Filesize: 1KB
MD5: 7c747f277dbef0ebd047ef775484c595
SHA1: ac44022964c21bdad113994f698b02df56a180e6
SHA256: 3213c8afa2e1d656f68bd1f115e1862bf043c051d41b3c2aac024b31d099805e
SHA512: e1a10021685357fdf60dd502396fe1332d72589238acc57016acdfecdc33c198d35bbd104d0a9c13578ac29fd70bddef12d5a15d44f724a18fdcecd43dc8a1c1
-
C:\Users\Admin\AppData\Local\Temp\m989ugl0.0.vb
Filesize: 14KB
MD5: a18f896d3b6a3b8f147a1a118cecb4ff
SHA1: db7e598421df2ba0f7bee80fd600a0c44f1d2029
SHA256: 73888c7f0571ec60b35db19b5ff704fcdb417021ba3774d50cabbc2e7a4d004a
SHA512: b8d2db2c49c749740c04a16ac0ddc50f47cbf18488e06ab97d2229dfee0307a4da8b23325382a1f81be7aa313be2804a2cffbddbfd0e071e3cc93de3f5f55e9e
-
C:\Users\Admin\AppData\Local\Temp\m989ugl0.cmdline
Filesize: 266B
MD5: 2afa2791744ae3e9ad13a135e55c6867
SHA1: f425d25452aa53254ab74c8ffc3a32d85c2f2cc6
SHA256: 137a8c0f89a97f739a45d115c12f2222ddfadc6e32f55511fb305d1e79254667
SHA512: 89b80f3eb00ad00fd9beae5e25a3c3c111c6e995db29bed4edb65a9b125a10f7e2ea4c9574d2b9d129c49943f2dd97b31823e8a878785ead66a6ddfd6aedecc2
-
C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp.exe
Filesize: 78KB
MD5: 81bc607a96252701d0112556251824c5
SHA1: 47324271e42f59f83f4d863154ebf9cfb18969f8
SHA256: bbe3966bbe87aca1342a1ddbcc94df4ff2d1a33c8bceac06b215c70bda27bd64
SHA512: 8a3b2dec2ecb08a36f446787399354595ecd9746de092f3ad35286de0fbc60a020d3f3393b5f285e4a6f31321d7cf6ee9826e4a35931a4e0dd82ed336e6f20b6
-
C:\Users\Admin\AppData\Local\Temp\vbc4B79C337F7074378ACC68D56E4E362DE.TMP
Filesize: 660B
MD5: d5f7c360c2693b77b738191564938838
SHA1: 9afa515ae22d5780bb623fcb45974a3fc281440e
SHA256: aa2f46b7984d4947c2d25ffa917b68c35b6441fdd5a04b0d86b350806870507a
SHA512: 42c111408bcffeead22db06e10494e4c10cf8dfbb51b5a6bc2e15ffc81c2474030b23592763b044c416ef88f25e05b1aea56a133b5e32497c5850ed9d3c98b0a
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
-
memory/2436-139-0x0000000000000000-mapping.dmp
-
memory/2436-141-0x0000000075360000-0x0000000075911000-memory.dmp
Filesize: 5.7MB
-
memory/2748-131-0x0000000000000000-mapping.dmp
-
memory/4744-130-0x0000000075360000-0x0000000075911000-memory.dmp
Filesize: 5.7MB
-
memory/4784-135-0x0000000000000000-mapping.dmp