Analysis
- Max time kernel: 203s
- Max time network: 226s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 16-05-2022 12:03
- Static task: static1
- Behavioral task: behavioral1
  Sample: 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
  Resource: win10v2004-20220414-en
General
- Target: 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
- Size: 78KB
- MD5: 047e2b220274efec3654b82f56552676
- SHA1: 3df7a72f37c4ad0b94ecfa4e83071cbcd6271235
- SHA256: 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a
- SHA512: 7d3b0897b4be725ede778dd16f682a6886773a9eddc1847dfbd5ef177a8a627bf9c0d00acf83d0367c44a702ba8587708fdcef41b72628a6c1df6569b98a1b07
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4508 | tmp99EE.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp99EE.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1724 | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
  Token: SeDebugPrivilege | 4508 | tmp99EE.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 1724 wrote to memory of 2752 | 1724 | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe | vbc.exe
  PID 1724 wrote to memory of 2752 | 1724 | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe | vbc.exe
  PID 1724 wrote to memory of 2752 | 1724 | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe | vbc.exe
  PID 2752 wrote to memory of 3780 | 2752 | vbc.exe | cvtres.exe
  PID 2752 wrote to memory of 3780 | 2752 | vbc.exe | cvtres.exe
  PID 2752 wrote to memory of 3780 | 2752 | vbc.exe | cvtres.exe
  PID 1724 wrote to memory of 4508 | 1724 | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe | tmp99EE.tmp.exe
  PID 1724 wrote to memory of 4508 | 1724 | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe | tmp99EE.tmp.exe
  PID 1724 wrote to memory of 4508 | 1724 | 712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe | tmp99EE.tmp.exe
Processes (tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sxd_eqmz.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BCEFF19871F4DDABB25A75D11B460E1.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\712561619bc576935f48a174bdc630cd1d08348714551c1edc1ac11578f2307a.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESA3A2.tmp
  Filesize: 1KB
  MD5: 1cb89c1bec2a2f4a21b2e65fec57bd9c
  SHA1: 5042ec42e503727e1edf0025313eeba1964947d3
  SHA256: fd6e06979e9b20f7fa5b6d96df6d5c789f652e7ac26c4452a0311aafc482a043
  SHA512: ffb03ed574f63103160aaa41c14c14e91812f2ef1ed12701a346fe9665decf696116e163de43f1172e6303ed4fe98d75f7335f88fb5dfa10d3c9eb1d2aa59baa
- C:\Users\Admin\AppData\Local\Temp\sxd_eqmz.0.vb
  Filesize: 14KB
  MD5: 9be9dea38ca8aef887fe92306e1efeca
  SHA1: 7db4e1a640d70179c0e7bd03e8a454d7fa1c32d0
  SHA256: 565b2b174f622dc6bf335324ec4c0b948e3c0f7e1541732f7b995c3129abc844
  SHA512: 95da76ad6fd57ffc01767390b602bb13268c92ce626eecdca140812678141aa3eb6aed26e1df9e2ce3b9683e7c51cc36eff0c24c0acf9c8b73c5d09cda4ad1f5
- C:\Users\Admin\AppData\Local\Temp\sxd_eqmz.cmdline
  Filesize: 266B
  MD5: 0f31cf36aa7999686faf52bae0e7c801
  SHA1: 64d9ceb0da7752c01e7a800aa561a376d6d5ea0d
  SHA256: 5d288791dd97ed76801ade029cf051f0b043f141993e596f87f43b1f05d29655
  SHA512: 202e3e90089fbd6877baeda2a4254932e0bcc9580a3008bbe890a5a15a5d2507a4343a9e108356693f2e8e77db42ffc127f0c308b024af0d7772da2cb4b6034c
- C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe
  Filesize: 78KB
  MD5: d7a0b9c181436008892f2306c2040c16
  SHA1: e64a55e52cf6f1f93f65cda59fac228ddb87db55
  SHA256: 41a53c618072c4798fa866ba35b760415cdfc9bb349c839db711feaa1a1056a1
  SHA512: 35b3f14239c42dfe794985b603ed2c3e746eeb8ec8884321b5937bc49fb009367ac1d64f935864070dba7943c4484278d576ac76d7095f2b804e1221863ac120
- C:\Users\Admin\AppData\Local\Temp\vbc5BCEFF19871F4DDABB25A75D11B460E1.TMP
  Filesize: 660B
  MD5: 3f3d13797be8a3be66197ed3e6226ea8
  SHA1: 7c7792566bcfa6ce9d2b48e80ab009aff61ca305
  SHA256: 3282798fd6deef84eeddeb4a3f28b55fe885eade40c4b62d771d45fd629e4494
  SHA512: b7a5e3857db3d064ea81f7aeca8f76445bf49d6d89f80e640b93107f85b94e4b9991a3a14ca72c9ff86ed1660c6bfbc1e63fcbbd5296d2f9a8bd7a19100a766d
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/1724-130-0x00000000746A0000-0x0000000074C51000-memory.dmp
  Filesize: 5.7MB
- memory/2752-131-0x0000000000000000-mapping.dmp
- memory/3780-135-0x0000000000000000-mapping.dmp
- memory/4508-139-0x0000000000000000-mapping.dmp
- memory/4508-141-0x00000000746A0000-0x0000000074C51000-memory.dmp
  Filesize: 5.7MB