Analysis
Max time kernel: 1800s
Max time network: 1803s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 06-06-2022 20:35
Static task: static1
Behavioral task: behavioral1
  Sample: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
  Resource: win10v2004-20220414-en
General
Target: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
Size: 78KB
MD5: b6e8fa374675658ee48142da90c14bd6
SHA1: 53ec1171fda63af0eae7e440bc6aa0d7bf3094b5
SHA256: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73
SHA512: 86568c84272077e3f295d47805c337981ec59d9f56d3c258a8fd1c0ad5aed996e53d9d1604ada5c01abb21c01340d3302e1ac72dfa4b798e98bf51e0c1ce5e4d
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1684  tmpECFE.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1452  556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
    PID 1452  556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    tmpECFE.tmp.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 1452  556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
    Token: SeDebugPrivilege  PID 1684  tmpECFE.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source process wrote to memory of target process):
    PID 1452 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe -> PID 1504 vbc.exe (4 events)
    PID 1504 vbc.exe -> PID 1696 cvtres.exe (4 events)
    PID 1452 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe -> PID 1684 tmpECFE.tmp.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\arie2xl2.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE76.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE75.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESEE76.tmp
  Filesize: 1KB
  MD5: 2aa4bfe644d395d1d95b376708a37115
  SHA1: d52e016847b56a808b658f4bc6ef0000a3d4b043
  SHA256: ceced198ec733bfeb6bf4c4e2b995c1f6038d3757e9de9c996fd4358ac2ec135
  SHA512: 9f4a11ec464745c297bcc2966524b7c97c3f67fdb49a0189e24cf2f6542a29d5728803b6c2d9292e0f10725cd8a2d5525597592d01a36bf9832fb8312dca2f9a
- C:\Users\Admin\AppData\Local\Temp\arie2xl2.0.vb
  Filesize: 14KB
  MD5: fe1a602c237b40c59164bc689e0da074
  SHA1: e1eb28336cf9a476458b492523194f19ba6a6382
  SHA256: 32d98468e6adb2d5234a06417fc001d5fc89492659a76f7bf406dfafdae0a984
  SHA512: 5a528d69d478d127febf8be55aeca98b74f7bea9d6a9f8f9d5c7066ef9533dd4947ce0fe92f1637bfb60c94fa487e345537e07345dc4956e0075fb18cee42000
- C:\Users\Admin\AppData\Local\Temp\arie2xl2.cmdline
  Filesize: 266B
  MD5: 8d0da827aa0118448698d9ddc00bd1dc
  SHA1: 8277b6eb7bd72e87a7b9609045829b48219e0446
  SHA256: 49bd3f16bb7cba674b02a9a07d1e5299f59e7f5cf7327f83caeee16b624a53d0
  SHA512: ed6f01156c57c7f5f1421c34dd49c2fd4b95cef598eb4fb05ef532efaded7634fc31dd5357acb73e5b5be56bcedff83eb76df82fa4e81547a687fce8d4c286b7
- C:\Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe
  Filesize: 78KB
  MD5: 0e3bb356ae4f02ca2de07dcb55d6d759
  SHA1: 8a3277da90aafdfa0c28d05a10e160eae0fef4ce
  SHA256: 6d9bcce1391f49284916e29469dbfe3d3ef9f72fd9084d410c9e88cd3899026f
  SHA512: ace8ad257bf83fc3ef8a8a9dd3fb536ba4dd7bd4ae40d591f9eee63493a4c707ab77b963b563a19c1dcd51d29f4f83195d8c732c3eafae5cd438eeea55b9b5b6
- C:\Users\Admin\AppData\Local\Temp\vbcEE75.tmp
  Filesize: 660B
  MD5: 4354cb779e65801ab9c18091ac3475e8
  SHA1: 34b6831140d6bb5d67b211f45c422f46678e9e18
  SHA256: 2d19cd85acfe034a89f9855b3e2ca9711c5cdc8cd172285ca53fbffca5aa8ce5
  SHA512: d1bc6af96b6d30afd3c72bebe14cac0a378338d496d3752e609b426e2e10da3d91fbc7f944f5956e5a4d1eccf112ffe2017b19bee31f33c9c1a3a6998ec873cf
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- \Users\Admin\AppData\Local\Temp\tmpECFE.tmp.exe
  Filesize: 78KB
  MD5: 0e3bb356ae4f02ca2de07dcb55d6d759
  SHA1: 8a3277da90aafdfa0c28d05a10e160eae0fef4ce
  SHA256: 6d9bcce1391f49284916e29469dbfe3d3ef9f72fd9084d410c9e88cd3899026f
  SHA512: ace8ad257bf83fc3ef8a8a9dd3fb536ba4dd7bd4ae40d591f9eee63493a4c707ab77b963b563a19c1dcd51d29f4f83195d8c732c3eafae5cd438eeea55b9b5b6
- memory/1452-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
  Filesize: 8KB
- memory/1452-68-0x0000000074690000-0x0000000074C3B000-memory.dmp
  Filesize: 5.7MB
- memory/1504-55-0x0000000000000000-mapping.dmp
- memory/1684-65-0x0000000000000000-mapping.dmp
- memory/1684-69-0x0000000074690000-0x0000000074C3B000-memory.dmp
  Filesize: 5.7MB
- memory/1684-70-0x00000000003C5000-0x00000000003D6000-memory.dmp
  Filesize: 68KB
- memory/1684-71-0x0000000074690000-0x0000000074C3B000-memory.dmp
  Filesize: 5.7MB
- memory/1696-59-0x0000000000000000-mapping.dmp