Analysis
- max time kernel: 138s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 02:19
Static task: static1
Behavioral task: behavioral1
- Sample: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
- Resource: win10v2004-20220414-en
General
- Target: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
- Size: 78KB
- MD5: c9f4e2314818da2b06658920b8a1eb83
- SHA1: 3b8b409fd7321aa8453c59e5dd99c1665622ab5c
- SHA256: 281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0
- SHA512: b047082b905b3be99090a26ec12354fbdf1bc0cca6263a9982575047784d0eab641ca1d842a1491ca54ff9d255e700931faef53ceb67fe405cc4cf64ae3c8987
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  2352  tmpD631.tmp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3460  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
  Token: SeDebugPrivilege  2352  tmpD631.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                        pid   process                                                                 target process
  PID 3460 wrote to memory of 2960   3460  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe   vbc.exe
  PID 3460 wrote to memory of 2960   3460  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe   vbc.exe
  PID 3460 wrote to memory of 2960   3460  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe   vbc.exe
  PID 2960 wrote to memory of 1972   2960  vbc.exe                                                                 cvtres.exe
  PID 2960 wrote to memory of 1972   2960  vbc.exe                                                                 cvtres.exe
  PID 2960 wrote to memory of 1972   2960  vbc.exe                                                                 cvtres.exe
  PID 3460 wrote to memory of 2352   3460  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe   tmpD631.tmp.exe
  PID 3460 wrote to memory of 2352   3460  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe   tmpD631.tmp.exe
  PID 3460 wrote to memory of 2352   3460  281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe   tmpD631.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xtbmchj.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1A7010FA3EE45379A9D4D2DEE3E6BF.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmpD631.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD631.tmp.exe" C:\Users\Admin\AppData\Local\Temp\281815eb0a4ade0c28a64d9f5589ef8617006a8f60cb99d87065a462efa4fab0.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4xtbmchj.0.vb
  Filesize: 15KB
  MD5: 4eef10d527c11d6df6303e8c9d818ce9
  SHA1: 5c62442259676fb8c68cbc0ea0b51e5d8654bc71
  SHA256: 25949eabaccfa693d84e63556a60554ed26b675b9078efcc9ea1e172de6e6ad7
  SHA512: fcb2afd8756d7a0d05f09d1a7b9fcad857ea6b237e9167eb2b9a557129a63699017ac3657e463909a93868cc91db46b836f9870147507d29455d1122f2c3be8d
-
C:\Users\Admin\AppData\Local\Temp\4xtbmchj.cmdline
  Filesize: 266B
  MD5: bff061fee28c1b6499d47d5f81cda00e
  SHA1: cfb4a8c24bb621d488a53564c37f648bad2992b1
  SHA256: ae429e05d1de4389afd43faad351b4485ae62e4ecb832864a55acef0663289f2
  SHA512: 13f74260d09871f903bb5cce58a62c841cc747a1657e4db077e405620512aa8740c1420fa98699c49941819d742dba0882282a9d2a58c02c7f1949493fd78fad
-
C:\Users\Admin\AppData\Local\Temp\RESFC95.tmp
  Filesize: 1KB
  MD5: 3bff7e31a6f12045bdd9fd632007868e
  SHA1: 6af172f4811e4335e6fbfe3f26ea150813cb711a
  SHA256: c62d2c958eb0939408524a07080820196dedce883a9c8ffb8b150a80798542d0
  SHA512: b7a65a6e51d96a0e273e2fc75dd4191cb957c45be482319f91e3f370ff0ce4c9bbb580772d79c4f72d2babd2dc9493a77bafc1fd85f09cdcbe14da8b1c969927
-
C:\Users\Admin\AppData\Local\Temp\tmpD631.tmp.exe
  Filesize: 78KB
  MD5: 3bfd4d2bfac328de39bac6219d751e2c
  SHA1: af55466fdac3c24b58d31a9c26e38ade986c78da
  SHA256: 0bbd270126466350edd99859aec34daaecac30ddbde221f093e9f9776b3bf1b0
  SHA512: 86db096a854e4982e5540c4d659e8bed9ae496d8a9f6f365baeec5202f577f2e4a3813d677bcad7bfe20664c37828256cc20b7f0d8b8c4195b1c1e5557bae58c
-
C:\Users\Admin\AppData\Local\Temp\vbcA1A7010FA3EE45379A9D4D2DEE3E6BF.TMP
  Filesize: 660B
  MD5: 9514b575c2ed195e6a1d788f672e86c4
  SHA1: 63eeca7c885440411bfea19ee878376175039774
  SHA256: dbf98da595106abdf203ca7f2182fa99ff42af5fed45330764a86cbaf673d03d
  SHA512: 4ce1ad2141a942340e6a068758170dcf6afbbd7ec9236ff09008005da6b6875760a0ffec6b5f117100947817ab4812d382d4f1f16cac29d51d72da262389fecf
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
-
memory/1972-136-0x0000000000000000-mapping.dmp
-
memory/2352-140-0x0000000000000000-mapping.dmp
-
memory/2352-143-0x0000000074C00000-0x00000000751B1000-memory.dmp
  Filesize: 5.7MB
-
memory/2352-144-0x0000000074C00000-0x00000000751B1000-memory.dmp
  Filesize: 5.7MB
-
memory/2960-132-0x0000000000000000-mapping.dmp
-
memory/3460-131-0x0000000074C00000-0x00000000751B1000-memory.dmp
  Filesize: 5.7MB
-
memory/3460-130-0x0000000074C00000-0x00000000751B1000-memory.dmp
  Filesize: 5.7MB
-
memory/3460-142-0x0000000074C00000-0x00000000751B1000-memory.dmp
  Filesize: 5.7MB