Analysis
max time kernel: 186s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-05-2022 12:40
Static task: static1
Behavioral task: behavioral1
  Sample: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
  Resource: win10v2004-20220414-en
General
Target: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
Size: 78KB
MD5: 00a165f92e1ef3491ca5470c4a52ad0e
SHA1: 1151a21145e1dbfd84cc19df4568e9b87ffe86f0
SHA256: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24
SHA512: 550d917976cdc913cdafd934a5e06f7117fc1e6ae88d5c7b4b88cf2509ee1e607ae997562ceed1f5556bbfd0346dbc05a793139f64c405efbda40b7b9b194a57
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE (1 IoC)
Processes: tmp4EFB.tmp.exe
  pid: 2068
  process: tmp4EFB.tmp.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  process: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: tmp4EFB.tmp.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp4EFB.tmp.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe, tmp4EFB.tmp.exe
  description: Token: SeDebugPrivilege
  pid: 3592
  process: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe

  description: Token: SeDebugPrivilege
  pid: 2068
  process: tmp4EFB.tmp.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe, vbc.exe
  description: PID 3592 wrote to memory of 2796 (reported 3 times)
  pid: 3592
  process: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
  target process: vbc.exe

  description: PID 2796 wrote to memory of 8 (reported 3 times)
  pid: 2796
  process: vbc.exe
  target process: cvtres.exe

  description: PID 3592 wrote to memory of 2068 (reported 3 times)
  pid: 3592
  process: 08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
  target process: tmp4EFB.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bqy7j7qx.cmdline"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60DDA171CC47E88EAACA84F63066F3.TMP"
  -
  C:\Users\Admin\AppData\Local\Temp\tmp4EFB.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4EFB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\08be913146b17ed08d074486acc94d835545d1a488478c67f6fbcd4cf7d03e24.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES51BA.tmp
  Filesize: 1KB
  MD5: 9109b194f753438e9a3e7e0491bcd96d
  SHA1: 9e8f4e072e891ad39e26b18f534cdb52335285d1
  SHA256: 68faa72118beb72f4aaf8cf13bc471adf1f248560001e02c6d0087f2da6bfe1c
  SHA512: 2dcdea1763aa679e98f1f095e6c96846710b6856fb8e2b28bdcb69b4b13dbb3ea53dd1327d590ba772093e0a336674c11993dccdec066f12e4d38e2ef453e3d0
-
C:\Users\Admin\AppData\Local\Temp\bqy7j7qx.0.vb
  Filesize: 15KB
  MD5: 7e573796fba956082a3393947be64c04
  SHA1: 7ad0b94ddb172210125e552afc0e1a701773b44e
  SHA256: 1d3d27d2340d484a5ef31cc0a6cb0386fe7e6531dd93488d059fd032ca56383a
  SHA512: 9fcaa6452d91db33250dae405fed59362a34ff2c0bd69febe84d0a51727484b35412a7e761eed7de9762f62d6676fbf1cd17cb984ca3b96a6a2defcb38b2988d
-
C:\Users\Admin\AppData\Local\Temp\bqy7j7qx.cmdline
  Filesize: 266B
  MD5: f72c527553e7d1512141d6fb996ae4b4
  SHA1: 01144b9d3ab906fab6b2c70dc5e16c7deb6a09fd
  SHA256: a1a2571f102665f2645e993e9e856a92da47a46eb2cbe68eccb4743823581ef0
  SHA512: a9c880d8e65ada32499dce834098a469acfff20762e4ff4029d1abae833d4f87e4f0cbeef419f7ddd95b64ca8069f75eee0e1bdae56a57a1e677eb901f402555
-
C:\Users\Admin\AppData\Local\Temp\tmp4EFB.tmp.exe
  Filesize: 78KB
  MD5: bb248e41e1510606d75b83a828cfcb5a
  SHA1: 5afbbe65dc1ef56642abcfa940173e4a309499b3
  SHA256: 86a1886e22603e6d2c1e365b4365ed2ab96b321b9825383bb670e820f82304a6
  SHA512: 965cefb5601919f3022a40b59cac1cdf8b68905084d826863bf83c4ef8879fb497e8763f389a400e66a21c01dae99f9c5d2f4aa79774cd0c4eac4dad5767fbed
-
C:\Users\Admin\AppData\Local\Temp\vbc60DDA171CC47E88EAACA84F63066F3.TMP
  Filesize: 660B
  MD5: 7a2de09864add07088b671a32d773c32
  SHA1: 8c8125b7f54af0835c8b314d894c1a7a1615e6cc
  SHA256: f6c40045c488ca56769fbc2721cf7ce12d359f92c1d78255005d0f8ac4a74975
  SHA512: 3a8d2c6bbe598c24f86cc10ffb9428172feb1b10c7f9e11eb99b39c1632d8d7875a1f96c2d84b5afc44cd1da5c072bd6fe1e0b9e402ca6425cfcec84eca1745d
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
-
memory/8-135-0x0000000000000000-mapping.dmp
-
memory/2068-139-0x0000000000000000-mapping.dmp
-
memory/2068-141-0x0000000074A70000-0x0000000075021000-memory.dmp
  Filesize: 5.7MB
-
memory/2796-131-0x0000000000000000-mapping.dmp
-
memory/3592-130-0x0000000074A70000-0x0000000075021000-memory.dmp
  Filesize: 5.7MB