Analysis
-
max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-10-2022 03:00
Static task
static1
Behavioral task
behavioral1
Sample
04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Resource
win10v2004-20220812-en
General
-
Target
04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
-
Size
78KB
-
MD5
f36c82d4adff5d05b7755ac1ce582be5
-
SHA1
9f5f2f973e6265a1558617182b3c0ed23ad98e5f
-
SHA256
04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb
-
SHA512
87526732cc047c8591855a5d346c4a89673c5dc11358cb192f8780f450561cc7eb0e93df9308b6c148e3f4688d328407d8b443313241030960b91a5a0321c1c9
-
SSDEEP
1536:2WV5Udy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961M9/Ce19f:2WV5jn7N041QqhgGM9/C+
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.
-
Executes dropped EXE 1 IoCs
Processes:
  PID 1548  tmp832F.tmp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely used as a geofence (run or abort depending on the victim's configured country).
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  by 04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
Uses the VB.NET compiler (vbc.exe) for execution 1 TTPs
vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine: source is compiled on the victim at runtime and the output is then executed (see the /noconfig @*.cmdline invocation in the process tree).
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"  by tmp832F.tmp.exe
The value name System.XML and the target name AppLaunch.exe both borrow legitimate .NET Framework names (the real AppLaunch.exe lives under C:\Windows\Microsoft.NET\Framework\), but the autostart target here is the user's Temp directory. No write of AppLaunch.exe appears in the dropped-file list below, so confirm the file exists on the host before treating the autostart entry as live persistence.
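The Run-key IoC above packs three signals into one registry write: the autostart target sits in a user-writable directory, it borrows the name of a Microsoft binary that belongs under C:\Windows, and the writer itself runs from Temp. The following is an added example (not part of the sandbox report or any vendor's code) that scores a registry "set value" event on exactly those signals. The event field names, the illustrative list of Microsoft binary names and the constructed events are assumptions; the first event mirrors the IoC above, the second is a benign-looking control.

```python
"""Added example (not part of the sandbox report): triage a Run-key write.

Scores a registry "set value" event on three signals: autostart target in a
user-writable directory, a file name that borrows a Microsoft binary's name
outside C:\\Windows, and a writer process that itself runs from a
user-writable directory. Field names and the constructed events are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)(\\|$)", re.I)
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\", re.I)
# Names that ship under %WINDIR% (here the .NET Framework directory); illustrative list.
MICROSOFT_BINARY_NAMES = {"applaunch.exe", "vbc.exe", "csc.exe", "regasm.exe",
                          "regsvcs.exe", "msbuild.exe", "installutil.exe"}


@dataclass
class RegistryEvent:
    process: str      # full path of the writing process (assumed field)
    key: str          # key path without the value name
    value_name: str
    data: str         # REG_SZ data as stored


def executable_from_command(cmd: str) -> str:
    """Return the program path from Run-value data: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_run_value(ev: RegistryEvent) -> list[str]:
    """Return the reasons a Run-key write looks malicious; empty for non-Run keys or benign-looking entries."""
    reasons: list[str] = []
    if not RUN_KEY_RE.search(ev.key):
        return reasons
    target = executable_from_command(ev.data)
    name = ntpath.basename(target).lower()
    if USER_WRITABLE_RE.match(target):
        reasons.append(f"autostart target in user-writable path: {target}")
    if name in MICROSOFT_BINARY_NAMES and not target.lower().startswith("c:\\windows\\"):
        reasons.append(f"{name} uses a Microsoft binary name outside C:\\Windows")
    if USER_WRITABLE_RE.match(ev.process):
        reasons.append(f"written by a process in a user-writable path: {ev.process}")
    return reasons


# Constructed events: the first mirrors the report's IoC, the second is a benign-looking installer.
SAMPLE_EVENTS = [
    RegistryEvent(
        process=r"C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe",
        key=r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        value_name="System.XML",
        data=r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"',
    ),
    RegistryEvent(
        process=r"C:\Program Files\ExampleVendor\setup.exe",
        key=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        value_name="ExampleUpdater",
        data=r'"C:\Program Files\ExampleVendor\Updater.exe" /background',
    ),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.value_name, assess_run_value(ev))
```

The report's event produces all three reasons; the control produces none. The name check is deliberately narrow (an exact Microsoft binary name outside C:\Windows) so that it does not fire on every vendor updater living in AppData, which the path check already flags on its own at a lower confidence.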
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; drive enumeration on its own is also common in installers and file browsers, so treat it as supporting evidence rather than a verdict.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege  PID 4880  04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
  Token: SeDebugPrivilege  PID 1548  tmp832F.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  PID 4880 (04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 4364 (vbc.exe)  x3
  PID 4364 (vbc.exe) wrote to memory of PID 1688 (cvtres.exe)  x3
  PID 4880 (04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 1548 (tmp832F.tmp.exe)  x3
Each write lands in a child the writer has just created, which is what CreateProcess itself does while setting up the new process; these entries are not on their own evidence of injection into an unrelated process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rb08i6_d.cmdline"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C534670BA4D4AF9A062615651BCB84B.TMP"
    [2] C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
Reading the tree: the sample compiles source referenced by rb08i6_d.cmdline with the .NET 2.0 vbc.exe (cvtres.exe is the compiler's resource-conversion step), then runs the result, tmp832F.tmp.exe, passing its own path as the argument. The dropped-file list below records the response file (rb08i6_d.cmdline), the source (rb08i6_d.0.vb) and the compiled binary (tmp832F.tmp.exe), which is where the Run-key persistence is written from.
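The chain in the tree (non-system parent, vbc.exe with a @*.cmdline response file, cvtres.exe underneath, then a freshly written Temp .exe started by the same parent) is the runtime-compilation pattern the "Uses the VB.NET compiler" signature describes. The following is an added example (not the sandbox's detection logic) that rebuilds parent/child relationships from process-creation records and reports that chain. Field names are assumptions (Sysmon Event ID 1 carries equivalents); the records are constructed from the tree above plus one benign control, and the explorer.exe launcher and the IDE are made up.

```python
"""Added example (not part of the sandbox report): spot .NET runtime compilation.

Rebuilds parent/child relationships from process-creation records and flags a
non-system parent that invokes vbc.exe or csc.exe with a @*.cmdline response
file and then runs an .exe from its Temp directory. Field names are assumptions;
the records below are constructed from the report's process tree plus one
benign control.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

COMPILERS = {"vbc.exe", "csc.exe"}
# Roots under which IDEs and build tools legitimately drive the compilers; illustrative.
TRUSTED_PARENT_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
TEMP_EXE_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)


@dataclass
class ProcessEvent:
    seq: int        # creation order; a timestamp in real telemetry
    pid: int
    ppid: int
    image: str
    cmdline: str


def find_runtime_compile_chains(events: list[ProcessEvent]) -> list[dict]:
    """Return one finding per suspicious compiler launch, with the artefacts around it."""
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcessEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for comp in events:
        if ntpath.basename(comp.image).lower() not in COMPILERS:
            continue
        parent = by_pid.get(comp.ppid)
        if parent is None or parent.image.lower().startswith(TRUSTED_PARENT_ROOTS):
            continue
        m = RESPONSE_FILE_RE.search(comp.cmdline)
        # cvtres.exe under the compiler is the normal resource step of a compile; kept for context.
        cvtres = any(ntpath.basename(c.image).lower() == "cvtres.exe"
                     for c in children.get(comp.pid, []))
        # Compiler output: a Temp .exe the same parent starts after the compile.
        executed = [c.image for c in children.get(parent.pid, [])
                    if c.seq > comp.seq and TEMP_EXE_RE.search(c.image)]
        findings.append({
            "parent": parent.image,
            "compiler": comp.image,
            "response_file": m.group(1) if m else None,
            "cvtres_seen": cvtres,
            "executed_from_temp": executed,
        })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_EVENTS = [
    ProcessEvent(0, 1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed launcher
    ProcessEvent(1, 4880, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2, 4364, 4880, NET20 + r"\vbc.exe",
                 rf'"{NET20}\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rb08i6_d.cmdline"'),
    ProcessEvent(3, 1688, 4364, NET20 + r"\cvtres.exe",
                 rf'{NET20}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                 r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E4.tmp" '
                 r'"C:\Users\Admin\AppData\Local\Temp\vbc6C534670BA4D4AF9A062615651BCB84B.TMP"'),
    ProcessEvent(4, 1548, 4880, r"C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe",
                 rf'"C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe" {SAMPLE}'),
    # Benign control (constructed): an IDE under Program Files driving csc.exe is not reported.
    ProcessEvent(5, 5000, 1000, r"C:\Program Files\ExampleIDE\ide.exe", "ide.exe"),
    ProcessEvent(6, 5001, 5000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 r'csc.exe /noconfig @"C:\Users\Admin\AppData\Local\Temp\build.cmdline"'),
]

if __name__ == "__main__":
    for finding in find_runtime_compile_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the sample's chain is reported; the control is skipped because its parent lives under a trusted root. Note that the sandbox itself launched the sample from Temp, so a heuristic keyed on the parent's own path would fire on every submission; what makes this chain worth an alert is the non-system parent driving the compiler with a response file and then executing the output.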
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES84E4.tmp
Filesize 1KB
MD5 b58bef03b6554cc9118cb58040f52ae5
SHA1 3b814f1a6f875e293c99866e905a70bdf6e97f52
SHA256 4c43d62b7b814ed37e01f0512c8c977150b1e03907e100e96bf11e4bf7a25166
SHA512 7639559ed0d6b4d656bd96ccc4b034fbfa89a0c726eea3c074c93a9aae8837da16f504b1d65680e165e26cee99086147a30b69ad937f3bd72a02dbd6bc5ed4b2
-
C:\Users\Admin\AppData\Local\Temp\rb08i6_d.0.vb
Filesize 14KB
MD5 3b7e3994102e2594f2c7f358f88514dd
SHA1 e9fb0e8e6548cec1907d268fee6a95fb1a1c86b5
SHA256 7527a83ae6ffbc0b163edb78a863dbf3d59d435f519ed5276bfd9383c37cdaad
SHA512 ebd1512733474ed6aec8a5b05e9069e9f8ed903bf197c203e537a2f1f1e9b73ae705120cf3790f6dc997e7190a2e680c1ea9ba2626976a0d84004221399f8be7
-
C:\Users\Admin\AppData\Local\Temp\rb08i6_d.cmdline
Filesize 266B
MD5 00928d54d041884b8f473cefbea108b0
SHA1 c26f7e9bcee807471d565d758ddd963aed40a657
SHA256 08d6bdf6cb8a5018dc9e5eb424e458353fabb60eaa01b25ae9b4b5f53c82e221
SHA512 96efcc675c32561b4aaf4440611a4dd11b1071df73e26f9937a59d2f0e1020cd7728c2b53fc159e10aec23ffcec77a84f1e514bc819f69b719e074fbc616d8f5
-
C:\Users\Admin\AppData\Local\Temp\tmp832F.tmp.exe
Filesize 78KB
MD5 d3d12f3774fe6e0756713690892fe46f
SHA1 dd744d22d67abcda15be36512a88b0839b2f1a5c
SHA256 422a41377e75e6d1edfea75a46654a21ccf66a4009b04b1ca32239bb9c83008b
SHA512 7068c0f0c44c69278f8100948e0b37f42dba6cb5ff5e5caeaebd331b07f5f965f82ce3efcf7d8b553d0e3dd8e88246f4201113bcfd7ed7278a3bbc54875aa756
-
C:\Users\Admin\AppData\Local\Temp\vbc6C534670BA4D4AF9A062615651BCB84B.TMP
Filesize 660B
MD5 284d2ad64cb5daca40637aa1dccb3881
SHA1 3a94ff2caf9f6a21f1a554bfd0c03aaac41c7b75
SHA256 fa6ecdaf6f92a463cc1a0f18066ab29a69421be175ca6686b4b99d6830b09478
SHA512 00ae1809bf5ed6c316ad2f472af720c062a1cd2991065643f594a1169a26ed6e4ca0cff949fed9826493ddcc58d80303ae35477e60b4e534e21d0ebeff51571b
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize 62KB
MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
-
memory/1548-141-0x0000000000000000-mapping.dmp
-
memory/1548-144-0x0000000074B40000-0x00000000750F1000-memory.dmp
Filesize 5.7MB
-
memory/1548-145-0x0000000074B40000-0x00000000750F1000-memory.dmp
Filesize 5.7MB
-
memory/1688-137-0x0000000000000000-mapping.dmp
-
memory/4364-133-0x0000000000000000-mapping.dmp
-
memory/4880-132-0x0000000074B40000-0x00000000750F1000-memory.dmp
Filesize 5.7MB
-
memory/4880-143-0x0000000074B40000-0x00000000750F1000-memory.dmp
Filesize 5.7MB
The same 5.7MB region at 0x74B40000-0x750F1000 is dumped from both PID 4880 and PID 1548. An identical base and size in two processes is consistent with a shared module mapping rather than a per-process unpacked payload, so compare the dumps before treating either as unique.