Analysis
- max time kernel: 1799s
- max time network: 1802s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-06-2022 21:27
Static task: static1
Behavioral task: behavioral1
- Sample: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
- Resource: win10v2004-20220414-en
General
- Target: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
- Size: 78KB
- MD5: 0e8bd026f56f21cbd8a899387f20524a
- SHA1: 8b344cee89d25bb000d0f6d2f396c0d6507467e4
- SHA256: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5
- SHA512: faec15a510ddbb64162a58ce477afe806c6ddb35a91815580bf39092b9a6dde4d2da94c5b9c853d81c445a5bd8e8f37e614bb59330cd0bba3504729ec259b001
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE 1 IoCs
Processes: tmp7469.tmp.exe
- pid: 1384; process: tmp7469.tmp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation; process: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: tmp7469.tmp.exe
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""; process: tmp7469.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe, tmp7469.tmp.exe
- description: Token: SeDebugPrivilege; pid: 2124; process: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
- description: Token: SeDebugPrivilege; pid: 1384; process: tmp7469.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe, vbc.exe
- description: PID 2124 wrote to memory of 2304; pid: 2124; process: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe; target process: vbc.exe (3 events)
- description: PID 2304 wrote to memory of 3440; pid: 2304; process: vbc.exe; target process: cvtres.exe (3 events)
- description: PID 2124 wrote to memory of 1384; pid: 2124; process: 6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe; target process: tmp7469.tmp.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddnbryaw.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0F8A63A1A714DDD9E77359348E426D.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp7469.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7469.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6db98acd3d7aaa9e99096eb3dfc27b9d8c5d79b8eccc3b8d72e28de70f89dff5.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES75E0.tmp
- Filesize: 1KB
- MD5: cc874c263576f12e6cc8689fa0685b3f
- SHA1: 8839e3266cf4c7baf9aa7caeb093e810f880718e
- SHA256: a7171061f1c809ab6f6cf01bd530b1053745196f49191124890401d2a3e9459e
- SHA512: 6c398d32d2092ecf23cdb67abfd01e4ffd59da1c1055d3f473b849eccee1ff3f2e3fec89bb88d1197936bb49ad905c1b06cdb5720e598b3a491b1a208a319718
-
C:\Users\Admin\AppData\Local\Temp\ddnbryaw.0.vb
- Filesize: 15KB
- MD5: 424bc92dcf7a405fdc61a50952bfd315
- SHA1: 804e72908c71c1b769dca3dca1383e08e714a4cf
- SHA256: 5aadfc15750fa9d7ebb080fac299b23f1af87ab6122d465d94c332dd0ff7b11c
- SHA512: 03942c40a189aa7864694b53b4131a705fcd773304735e656f6def7fce21033093172b162b923bf6189c818b315b29b4f9fc0dbcfe69de0695ea86d0b0f6337c
-
C:\Users\Admin\AppData\Local\Temp\ddnbryaw.cmdline
- Filesize: 266B
- MD5: 41dc26521e3a7585ea32388ba4e7b924
- SHA1: 463fa87dcd9bdea80c929c7b6779de9703e6d1d9
- SHA256: f847a9ed93383ccb23544c8e035651a52c98e2a003821b21e3c9e610556e8190
- SHA512: 3d3c2b91d92038e77bc6c303afeea1a93c376a6e869504e1b3f8523226a6476550c1efcc3bd21e4ef371c056f80c1694dfda55c6630af4d0d28f8da3c08af56a
-
C:\Users\Admin\AppData\Local\Temp\tmp7469.tmp.exe
- Filesize: 78KB
- MD5: 01377b5141f064785e8ad872c88e3aa8
- SHA1: 98433a23c523ac6833370483d5353f446670b47d
- SHA256: fa5131937157372be70ee99308bb8796be7188f226eca644093b3d2f24b8fecb
- SHA512: 332db2cc26c0a4ffb60990bb865aa3e01dc617b7ee5e6f23ea9c8037fd036a8f6500b3c0bfb7f909fc028f4224283f605e27182d1963686ab425fdd69a80d872
-
C:\Users\Admin\AppData\Local\Temp\vbcB0F8A63A1A714DDD9E77359348E426D.TMP
- Filesize: 660B
- MD5: 59f4e66f086e5084f0cd08c396d14212
- SHA1: 4b6b4dab6ab93f3119fde5ee4f3c914e133270da
- SHA256: aa156ff2561e4f07546fb5e0c4ab0ab55d8c94c2bf85944da02ffb5aa8529480
- SHA512: fafe051c2e2492bb0a3505102b32d1dd11317757e4821a8ce6791ca0500170d3a607be492a6ffbb16bc114a86ff32f897e7050995dfb2bbb923a2a41292b8488
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
- Filesize: 62KB
- MD5: aa4bdac8c4e0538ec2bb4b7574c94192
- SHA1: ef76d834232b67b27ebd75708922adea97aeacce
- SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
- SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
-
memory/1384-139-0x0000000000000000-mapping.dmp
-
memory/1384-142-0x0000000074F00000-0x00000000754B1000-memory.dmp
- Filesize: 5.7MB
-
memory/1384-143-0x0000000074F00000-0x00000000754B1000-memory.dmp
- Filesize: 5.7MB
-
memory/2124-130-0x0000000074F00000-0x00000000754B1000-memory.dmp
- Filesize: 5.7MB
-
memory/2124-141-0x0000000074F00000-0x00000000754B1000-memory.dmp
- Filesize: 5.7MB
-
memory/2304-131-0x0000000000000000-mapping.dmp
-
memory/3440-135-0x0000000000000000-mapping.dmp