Analysis
- max time kernel: 1800s
- max time network: 1803s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-06-2022 20:35
Static task: static1
Behavioral task: behavioral1
- Sample: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
- Resource: win10v2004-20220414-en
General
- Target: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
- Size: 78KB
- MD5: b6e8fa374675658ee48142da90c14bd6
- SHA1: 53ec1171fda63af0eae7e440bc6aa0d7bf3094b5
- SHA256: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73
- SHA512: 86568c84272077e3f295d47805c337981ec59d9f56d3c258a8fd1c0ad5aed996e53d9d1604ada5c01abb21c01340d3302e1ac72dfa4b798e98bf51e0c1ce5e4d
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Executes dropped EXE (1 IoC)
  Processes:
    pid 456 | process tmpA27E.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | process: tmpA27E.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege | pid 4628 | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
    description: Token: SeDebugPrivilege | pid 456 | process: tmpA27E.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description: PID 4628 wrote to memory of 4504 | pid 4628 | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe | target process: vbc.exe
    description: PID 4628 wrote to memory of 4504 | pid 4628 | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe | target process: vbc.exe
    description: PID 4628 wrote to memory of 4504 | pid 4628 | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe | target process: vbc.exe
    description: PID 4504 wrote to memory of 2760 | pid 4504 | process: vbc.exe | target process: cvtres.exe
    description: PID 4504 wrote to memory of 2760 | pid 4504 | process: vbc.exe | target process: cvtres.exe
    description: PID 4504 wrote to memory of 2760 | pid 4504 | process: vbc.exe | target process: cvtres.exe
    description: PID 4628 wrote to memory of 456 | pid 4628 | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe | target process: tmpA27E.tmp.exe
    description: PID 4628 wrote to memory of 456 | pid 4628 | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe | target process: tmpA27E.tmp.exe
    description: PID 4628 wrote to memory of 456 | pid 4628 | process: 556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe | target process: tmpA27E.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tr25np84.cmdline"
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA405.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7675E8E2D08412B814063D96B886517.TMP"
  - Child process: C:\Users\Admin\AppData\Local\Temp\tmpA27E.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA27E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\556643b11d60d343e14da4473d3ad224fd84f962cbdfb11fa1f8140e41e71d73.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESA405.tmp
  Filesize: 1KB
  MD5: f8e2dd8d84f843d059c895f591d2f35c
  SHA1: 86ede02eba31e2bddebbc0aa6ac9fc56191b2837
  SHA256: 597705d7b08e142a41dcf76b29fd0b61ac68f2575dda273cb288febbd1562eb5
  SHA512: f66fb5cd37ac7be365932521f7300d9636097363763832522ca23358abefd8d4996559fbaf9e12c5c90b4741a50aa1bae79e8187a1ec2f41358125d3f3fb63ec
- C:\Users\Admin\AppData\Local\Temp\tmpA27E.tmp.exe
  Filesize: 78KB
  MD5: 10281dbf002f0a74181e7d2b925d4f9a
  SHA1: 7cdae961d61c01a9bf32401f6d3ba00091d2a702
  SHA256: 0638fb9db583ffacb5d2d40582c2ab385f8dfafa883b8e43ced45d2bf170a049
  SHA512: 73de0e10c506c4a31855df1c4d15687fba133269784ee0d483a01bfd51c6729ff9c9575385d7c7d17ff6dfd23085fe434280423d75410215b3d8f15b613ffcc2
- C:\Users\Admin\AppData\Local\Temp\tr25np84.0.vb
  Filesize: 14KB
  MD5: 24dfe4dd0d0826bc0599276846362d6e
  SHA1: fbf0a21c1afc403843879c4bef5bfaeaeabcdc97
  SHA256: 4f0de2914862db1e29d4567d0502edd42ef1f6a8d9b777e97c4d0ec46a438474
  SHA512: 7ed410edd0986af064da1f3031c01b6f74b5b6285de5810668047fcb9aa440cb78b4fa849223f631116a3cad760b3059e289570ef6da25bb482e6ea4ac1c55b3
- C:\Users\Admin\AppData\Local\Temp\tr25np84.cmdline
  Filesize: 266B
  MD5: d5c4a68e31cf7c03d2b4b43fe17306da
  SHA1: a4b9a00c12bb2c35f9c6c79ca39349acdbd65fea
  SHA256: 9af98e33e4698aa5c6aca24b619e50e5532a3b1e758d0dc07bb592182233da7d
  SHA512: 8d272db13219227ca5303fee7077edfbaf96b0fafd93827d4ef04734467308ca6fa5dbf503a724be608df263ac8f1dd80ac7475837ba3d29607e94d36b183101
- C:\Users\Admin\AppData\Local\Temp\vbcB7675E8E2D08412B814063D96B886517.TMP
  Filesize: 660B
  MD5: c1f0a6fe39680054aa586be17e1fcb0e
  SHA1: 4750550a5d33658acda2540cb270aed9f0cbda14
  SHA256: 4073747a9f4331fca3c985ea30ccee168c041a911d17909a989c883b474f091f
  SHA512: a3a53bbcf23eb612adae23843b5658430e441f8999b173041b14c1f5ea1762a419caad2527157e3a501208e16e9f366d6053917e33c4cc0397f74df7a9b431d2
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/456-139-0x0000000000000000-mapping.dmp
- memory/456-142-0x0000000074910000-0x0000000074EC1000-memory.dmp (Filesize: 5.7MB)
- memory/456-143-0x0000000074910000-0x0000000074EC1000-memory.dmp (Filesize: 5.7MB)
- memory/2760-135-0x0000000000000000-mapping.dmp
- memory/4504-130-0x0000000000000000-mapping.dmp
- memory/4628-133-0x0000000074910000-0x0000000074EC1000-memory.dmp (Filesize: 5.7MB)
- memory/4628-141-0x0000000074910000-0x0000000074EC1000-memory.dmp (Filesize: 5.7MB)