Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2022 16:22
Static task: static1
Behavioral task: behavioral1
  Sample: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
  Resource: win10v2004-20220901-en
The signatures, process tree and dropped files below are from behavioral2, the win10v2004-20220901-en run named in the platform line above.
General
Target: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Size: 512KB
MD5: 7986dfc5ba3a34272aad6b1128d04462
SHA1: 1f26a98dafa6d33c09b57cc719df618eabe8d830
SHA256: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8
SHA512: 4582fd8c31f977faf3c815723f77b95406e67de9d5405b20cb8e35586b3cf9deb0de1299779160a88274cc711a82d88dfe235d2e3ef9ea496a336ee6fc4dea80
SSDEEP: 12288:Ih1Lk70TnvjcM5ez2rZEo2J1nPIs9iQLsRZYqhipVgtPp:Uk70TrcUTrV2J1nWQOce
Malware Config: none extracted
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Executes dropped EXE (1 IoC)
  pid 3760  process tmpC681.tmp.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Uses the VBS compiler for execution (1 TTP)
Despite the signature name, the binary involved is vbc.exe from .NET Framework v2.0.50727, the Visual Basic .NET command-line compiler, not the VBScript engine. It is invoked with /noconfig and a @*.cmdline response file, and is followed by cvtres.exe building a resource object, which is the pattern of the .NET CodeDOM provider compiling source to an assembly at runtime (the source file sobj64ph.0.vb appears in the dropped files below). The useful detection anchor is the parent: a compiler launched from a program in the user's Temp directory rather than by a build tool or IDE.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.Vsa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\aspnet_filter.exe\""
  process: tmpC681.tmp.exe
The value name and target borrow legitimate-looking .NET names (Microsoft.Vsa, aspnet_filter), but the target lives in the user's Temp directory. aspnet_filter.exe does not appear among the dropped files listed below, so the persistence target was not observed being written within this run.
Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\Windows\assembly\Desktop.ini  process: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
  File created: C:\Windows\assembly\Desktop.ini  process: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly  process: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
  File created: C:\Windows\assembly\Desktop.ini  process: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
  File opened for modification: C:\Windows\assembly\Desktop.ini  process: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
Both signatures fire on the same path. C:\Windows\assembly is the Global Assembly Cache, and a Desktop.ini there is routinely created by .NET Framework 2.x processes that touch the GAC, so on its own it is weak evidence; the runtime compile chain and the Run key above carry the weight of this report.
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s), "likely ransomware behaviour". No IoC is listed for this signature, and nothing else in the report (no bulk file writes, no encryption artefacts, no note) supports the ransomware reading; for a RAT sample, treat this as generic drive enumeration rather than evidence of ransomware.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2264  cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
  Token: SeDebugPrivilege  pid 3760  tmpC681.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2264 (cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe) wrote to memory of 4368 (vbc.exe), listed 3 times
  PID 4368 (vbc.exe) wrote to memory of 3804 (cvtres.exe), listed 3 times
  PID 2264 (cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe) wrote to memory of 3760 (tmpC681.tmp.exe), listed 3 times
The nine entries collapse to three parent/child pairs that match the process tree exactly: each writer is the creator of its target, which is what a parent does while setting up a child it has just spawned. There is no write into an unrelated process here, and the dropped executable runs as its own process (pid 3760) rather than inside a hollowed host.
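A parser for the flattened WriteProcessMemory list above, added here as a worked example and not part of the sandbox report. It collapses the repeated entries into unique parent/child edges, rebuilds the process tree from them, and separates writes that are explained by process creation (writer is the target's parent in the Processes section) from writes that would deserve an injection investigation. The IoC text is copied from the report with the SHA256-named image shortened to cf0a727b.exe; the parent/child set is read off the Processes section; the extra explorer.exe line in the usage note is constructed to show a non-matching write.

```python
"""Collapse a Triage-style 'Suspicious use of WriteProcessMemory' IoC list into
unique parent/child edges, render the implied process tree and flag any write
whose target is not the writer's own child. Added example, not report code."""
import re
from collections import Counter, defaultdict

# Constructed from the report's nine entries (sample image shortened to cf0a727b.exe).
IOC_TEXT = (
    "PID 2264 wrote to memory of 4368 2264 cf0a727b.exe vbc.exe "
    "PID 2264 wrote to memory of 4368 2264 cf0a727b.exe vbc.exe "
    "PID 2264 wrote to memory of 4368 2264 cf0a727b.exe vbc.exe "
    "PID 4368 wrote to memory of 3804 4368 vbc.exe cvtres.exe "
    "PID 4368 wrote to memory of 3804 4368 vbc.exe cvtres.exe "
    "PID 4368 wrote to memory of 3804 4368 vbc.exe cvtres.exe "
    "PID 2264 wrote to memory of 3760 2264 cf0a727b.exe tmpC681.tmp.exe "
    "PID 2264 wrote to memory of 3760 2264 cf0a727b.exe tmpC681.tmp.exe "
    "PID 2264 wrote to memory of 3760 2264 cf0a727b.exe tmpC681.tmp.exe"
)

# Parent/child pairs taken from the report's Processes section.
PROCESS_TREE = {(2264, 4368), (4368, 3804), (2264, 3760)}

# One entry: "PID <src> wrote to memory of <dst> <src> <src_name> <dst_name>"
ENTRY = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_edges(text):
    """Map (src_pid, src_name, dst_pid, dst_name) -> number of times it is listed."""
    edges = Counter()
    for m in ENTRY.finditer(text):
        edges[(int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])] += 1
    return edges


def render_tree(edges):
    """Indented tree of writer -> target, annotated with the entry count per edge."""
    names, children = {}, defaultdict(list)
    for (src, src_name, dst, dst_name), n in edges.items():
        names[src], names[dst] = src_name, dst_name
        children[src].append((dst, n))
    targets = {dst for (_, _, dst, _) in edges}
    lines = []

    def walk(pid, depth, writes):
        tag = f"  ({writes} WriteProcessMemory entries from parent)" if writes else ""
        lines.append(f"{'    ' * depth}{pid} {names[pid]}{tag}")
        for dst, n in sorted(children[pid]):
            walk(dst, depth + 1, n)

    for root in sorted(p for p in names if p not in targets):
        walk(root, 0, 0)
    return "\n".join(lines)


def unexplained_writes(edges, tree):
    """(src, dst) pairs where the writer is not the target's parent: the ones
    that look like injection rather than process-creation noise."""
    return sorted((src, dst) for (src, _, dst, _) in edges if (src, dst) not in tree)


if __name__ == "__main__":
    edges = parse_edges(IOC_TEXT)
    print(render_tree(edges))
    print("unexplained:", unexplained_writes(edges, PROCESS_TREE))
```

For the report's own entries `unexplained_writes` is empty. Appending a constructed line such as `PID 3760 wrote to memory of 1234 3760 tmpC681.tmp.exe explorer.exe` makes it return `[(3760, 1234)]`, which is the case that would justify pulling a memory dump of the target.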
Processes
1. C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe"
   - Checks computer location settings
   - Drops desktop.ini file(s)
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sobj64ph.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBC0FBEFC561474E82DEE431658AE713.TMP"
   2. C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Reading the tree: the sample compiles a .vb source with the .NET 2.0 compiler, then launches the freshly dropped tmpC681.tmp.exe from the same Temp directory, passing the path of the original sample as its only argument; it is that second-stage process, not the sample itself, that writes the Run key.
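Detection logic for the chain in the process tree above, written as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style process-creation and registry events built from the report's own process tree and Run key, plus one constructed benign control (Visual Studio driving vbc.exe the same way), and flags: a CodeDOM compiler launched with /noconfig and a response file by an untrusted parent, an executable in a user-writable path started by a parent that also lives in one, a Run key whose target is in a user-writable path, and the correlation of the first two under one parent. The event field names, the user-writable path markers and the trusted-parent allowlist are assumptions of this script.

```python
"""Flag the runtime-compile, dropped-executable and Run-key pattern from the
process tree above in Sysmon-style events. Added example, not report code;
event field names and the allowlists below are this script's assumptions."""
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
CODEDOM_COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive the compilers with /noconfig @x.cmdline (assumed allowlist).
TRUSTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}
RESPONSE_FILE = re.compile(r'@"?[^"\s]*\.cmdline', re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe"

# Constructed events mirroring the report's process tree and Run key, plus a benign control.
EVENTS = [
    {"type": "process", "pid": 2264, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": rf'"{SAMPLE}"'},
    {"type": "process", "pid": 4368, "ppid": 2264, "image": VBC, "parent_image": SAMPLE,
     "cmdline": rf'"{VBC}" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sobj64ph.cmdline"'},
    {"type": "process", "pid": 3804, "ppid": 4368,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe", "parent_image": VBC,
     "cmdline": r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3EF.tmp"'},
    {"type": "process", "pid": 3760, "ppid": 2264, "image": DROPPED, "parent_image": SAMPLE,
     "cmdline": rf'"{DROPPED}" {SAMPLE}'},
    {"type": "registry", "pid": 3760, "image": DROPPED,
     "key": r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.Vsa",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\aspnet_filter.exe"'},
    # Benign control (constructed): the IDE invoking vbc.exe with the same switches.
    {"type": "process", "pid": 5000, "ppid": 4999, "image": VBC,
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\proj\obj\Debug\app.cmdline"'},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events):
    """Return findings as dicts with rule, severity, pid and detail."""
    findings = []
    compile_parents, drop_parents = set(), set()
    for e in events:
        if e["type"] == "process":
            image, parent = basename(e["image"]), basename(e["parent_image"])
            # Rule 1: CodeDOM-style runtime compilation from an untrusted parent.
            if (image in CODEDOM_COMPILERS and "/noconfig" in e["cmdline"].lower()
                    and RESPONSE_FILE.search(e["cmdline"])
                    and parent not in TRUSTED_COMPILER_PARENTS):
                sev = "high" if in_user_writable(e["parent_image"]) else "medium"
                findings.append({"rule": "runtime_compile", "severity": sev, "pid": e["pid"],
                                 "detail": f"{image} spawned by {parent}"})
                compile_parents.add(e["ppid"])
            # Rule 2: binary in a user-writable path launched by a parent in one too.
            elif in_user_writable(e["image"]) and in_user_writable(e["parent_image"]):
                findings.append({"rule": "dropped_exe", "severity": "medium", "pid": e["pid"],
                                 "detail": f"{image} launched by {parent}"})
                drop_parents.add(e["ppid"])
        elif e["type"] == "registry":
            # Rule 3: Run key whose target lives in a user-writable directory.
            if "\\currentversion\\run\\" in e["key"].lower() and in_user_writable(e["data"]):
                value_name = e["key"].rsplit("\\", 1)[-1]
                findings.append({"rule": "run_key_persistence", "severity": "high", "pid": e["pid"],
                                 "detail": f"{value_name} -> {e['data']}"})
    # Rule 4: the same parent both compiled at runtime and launched a dropped binary.
    for pid in sorted(compile_parents & drop_parents):
        findings.append({"rule": "compile_and_drop_chain", "severity": "high", "pid": pid,
                         "detail": "parent spawned a compiler and a dropped executable"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["pid"], f["rule"], f["detail"])
```

On the constructed events this yields four findings (pids 4368, 3760, 3760 and the chain on 2264) and nothing for the devenv.exe control; in a real deployment the allowlist needs the hosts' own build agents and PowerShell Add-Type usage added before it is quiet enough to alert on.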
Network
No network indicators are listed for this task.
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RESD3EF.tmp
  Filesize: 1KB
  MD5: b89a756808ba630c0b8a1968bb28e66a
  SHA1: cd19b480e26113398609f6db266e0a1a5adaf848
  SHA256: f666a76981e350a1cca5b6b2cb79f42a811fb1caddaaaad25da37f041b73d5a8
  SHA512: 087047efb59d84321e6ab45e907c8471225bd39dd51a6a3e76151f509156c86aa9d89b8290ae7eb5e3e426f9f8f2a4b2de9c69bce1dce25c28107989ccf2af27
C:\Users\Admin\AppData\Local\Temp\sobj64ph.0.vb
  Filesize: 128KB
  MD5: 3686f2cad7093f6d75baaede236fd4a7
  SHA1: e87de078a4e9c303b56fc9bc6f1da4d55a6d821e
  SHA256: 2c79fd2da4f98234f32651b025605f08d9b822c8aeecae4f7d36b3509dc83eac
  SHA512: d6571ec24f4d8496e3411fd0da45097f7cdacbd454a644316dcbce80b81c6f0263d2fd5f8b2775e8f8ef7cf69b7233dca3576fab9ca6f9f4812992d55fc2b208
C:\Users\Admin\AppData\Local\Temp\sobj64ph.cmdline
  Filesize: 266B
  MD5: 3a4421cea468529c0ffcd4a30279e52a
  SHA1: 5df59be8b7a95a232e65e02522dc7b9845def189
  SHA256: 26fbfaff5748abdd355892d50c64c628d85e272978cf7a59d1239c5ce97b9c0f
  SHA512: 03c6e338851001ac4ceef4470e0cac87ee0a6925f7a445efd2732a4be1c2c884d61e6d98bdbdbae441c8481e0581b36b5ec094a5e0e6c135ac5e76842e43f70b
C:\Users\Admin\AppData\Local\Temp\tmpC681.tmp.exe (listed twice in the report with identical hashes)
  Filesize: 121KB
  MD5: e38ac741ed5e75255952e11b6706d1a1
  SHA1: 4afe1cffb78c1ed750dd66aab0f02f3e473b7bfd
  SHA256: 023c002ac652b745a82efbd40db840f8eb38710d06afd6a3500023f470cd8122
  SHA512: 5a37a71729832ad753ec9377dc46621a4a3103f873286b63aa708f6801856d7cc9f5d226d71ff52f8960f20f5941bc845c58c1ffd09fcf91f7adc9f5c0c2e1ca
C:\Users\Admin\AppData\Local\Temp\vbcEBC0FBEFC561474E82DEE431658AE713.TMP
  Filesize: 660B
  MD5: d56d06d264cfa82c1d49c87118356f3e
  SHA1: a5ea8abbed641a4c0098d31526aa2e2442b14370
  SHA256: a3b101bed5323dc9e223af3ff2b1df6eebe4f7b6cbd2d42aef3311fca30ed7f3
  SHA512: f03ab2c866b8f516085ecff3ebe7b1a03e8269bbd5ac6bb0e60a0d1761012b4169c9490b574aea1182d3f6dfe3bb7631103aa202149be1cbc826de48966a0c5a
C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: b8fb7009403489ea2ceda4e5abb969aa
  SHA1: caeeda2b652f02370501de51b599dc82b89a996b
  SHA256: 340012732dc6952273a5892d09869d171235b6221d0f6773b31c0df5a2b9e8d4
  SHA512: 9595f829f9354c9851fc4f280ecb642bb47881e0b920a031409f58e3cbbe0e6e881dc10a98a8d48b7459130f005ee1d00917f6a826ae9ae0bbe08ba9dafeb407
Memory dumps
memory/2264-132-0x0000000074EA0000-0x0000000075451000-memory.dmp  Filesize: 5.7MB
memory/2264-143-0x0000000074EA0000-0x0000000075451000-memory.dmp  Filesize: 5.7MB
memory/3760-141-0x0000000000000000-mapping.dmp
memory/3760-144-0x0000000074EA0000-0x0000000075451000-memory.dmp  Filesize: 5.7MB
memory/3760-145-0x0000000074EA0000-0x0000000075451000-memory.dmp  Filesize: 5.7MB
memory/3804-137-0x0000000000000000-mapping.dmp
memory/4368-133-0x0000000000000000-mapping.dmp