Analysis
- max time kernel: 1800s
- max time network: 1803s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-06-2022 22:34

Static task: static1

Behavioral task: behavioral1
- Sample: d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
- Resource: win10v2004-20220414-en
General
- Target: d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
- Size: 78KB
- MD5: bca232d75b22ea2eb38d8875fdba585c
- SHA1: 1b0721050bf6d2d208deb945f7cac8ff28e5c35a
- SHA256: d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6
- SHA512: 6f70e3c4fa7ee9ec8277c07d656e9be7bbdde8f302d844f56ab106ca176470d300af636bc07cdfb128f3e835d8155ccf7bd0525e09b2fd47982263817a1faf5f
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 2244, process: tmp6602.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
    process: d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    process: tmp6602.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid: 3136, process: d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
    description: Token: SeDebugPrivilege, pid: 2244, process: tmp6602.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 3136 wrote to memory of 4412 (d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe -> vbc.exe), 3 events
    PID 4412 wrote to memory of 4632 (vbc.exe -> cvtres.exe), 3 events
    PID 3136 wrote to memory of 2244 (d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe -> tmp6602.tmp.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\69enbh5g.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6798.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc548687F639A848898B9A8E54854046CF.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d9812bb6700c46fe3194bcdc4ab101abf29cb318b7d2212b85d38ae910c23db6.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\69enbh5g.0.vb
  Filesize: 15KB
  MD5: 2ffca42f0920b7aa3516c03a14080888
  SHA1: 477491bcd39538155f60ae8af070b1f6643af914
  SHA256: 1143d438220aba49762bfd105b85b22e542c7f02bb22530e29911403feafe7e2
  SHA512: def70fb5e7207fb439fa8425077c943ac4ba8e89045df11324a25e266d62d7c4705524c481f51195b5cf6ecab0ea963de57d592d610b8feee8563e8b45d63936
- C:\Users\Admin\AppData\Local\Temp\69enbh5g.cmdline
  Filesize: 266B
  MD5: 0ff84085269e22e80a461499920b620f
  SHA1: e628bf596d98d8512c68e2e1d94d6d45838a3a63
  SHA256: 7f6caeaf07171daf76f982e22f6f3e550c6c8227d2a52d65a60fcce4d83d6c1f
  SHA512: 74e1fb00dfd22b5d8fc3bea39ccbb003119809ee5f555d87cb7a900bf36c78a07ad4fd520690b09ca143ad58e6691ed5ac1c3b27ef4e3a8ba0239086d50da541
- C:\Users\Admin\AppData\Local\Temp\RES6798.tmp
  Filesize: 1KB
  MD5: 8b1949a01230fc76fe98fdb20951e823
  SHA1: b3032eeaa9bcb1229906384854a50250a14c6f95
  SHA256: 3c223ae341af4f2f23fb0dd3a9efe40e159e5069866ae9ac5a1cef90e4890c96
  SHA512: 34690461d2f935e7f821026970987b42007acffbd1de33d12573c44803d28f13a80b8822f06b318bbb776e55154fd143c74e2e49e30e1b6180b5ff1bbbfb1ad9
- C:\Users\Admin\AppData\Local\Temp\tmp6602.tmp.exe
  Filesize: 78KB
  MD5: 5b09c90bb07c0b06450b6eaf16cc280d
  SHA1: 6448330e363c06bd60c0b1e9821ede0509c14026
  SHA256: 1a52aa12231ff6c5eb50ffb5c0562938bbda70b5af6ba21eb2c9c0e44f5f3eae
  SHA512: 153706685edc078f41499f6a8a8036f8bbee8abc8a5996af01a53c0e54220261fddd9d0c092d0941651ffe3400f65ece075952c96f171e0b49686784b5114f1b
- C:\Users\Admin\AppData\Local\Temp\vbc548687F639A848898B9A8E54854046CF.TMP
  Filesize: 660B
  MD5: 78703972c26d05f847bfa75280f2ed2b
  SHA1: 8cf19a7b45100e5319bb4213bfee4b9d9ddb7d62
  SHA256: 5f43c877be1b4fad50f54d5cc7fc1958a9f490c1ebac0a4bfd7659901655a886
  SHA512: c81a33d893ee0d782bf3021a1e75442c023d634ee0866eac89068b2488c5fbfee747f25a02c6bed95bf60446dac41e29a89ad3555b7c14827e173bcceb75a78e
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/2244-139-0x0000000000000000-mapping.dmp
- memory/2244-142-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/2244-143-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/3136-130-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/3136-141-0x00000000752D0000-0x0000000075881000-memory.dmp (Filesize: 5.7MB)
- memory/4412-131-0x0000000000000000-mapping.dmp
- memory/4632-135-0x0000000000000000-mapping.dmp