Analysis

max time kernel: 11s
max time network: 14s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2022 07:02

Static task: static1

Behavioral task: behavioral1
Sample: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
Resource: win10v2004-20220812-en

General

Target: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
Size: 78KB
MD5: ffc69516a66858e500dcc05a39fa3d78
SHA1: 806791dd76c2419e5c1ee1c61f661babf2d2bb83
SHA256: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a
SHA512: fa1e052c94236ffdcecadce525a29af2fa6fa6eb48b03f6e9254e1ca36a88ec7c3c7dddbd1e9bce5d4338da5da164870408f03a14111577ad2702fb2fe2ed081
SSDEEP: 1536:cRy58MpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd69v9/S1Zm:cRy58iJywQjDgTLopLwdCFJz+v9/D
Malware Config

Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Executes dropped EXE (1 IoC)
Processes:
  pid 848   tmp1527.tmp.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid 1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
  pid 1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 1380 wrote to memory of 1188   1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  vbc.exe
  PID 1380 wrote to memory of 1188   1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  vbc.exe
  PID 1380 wrote to memory of 1188   1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  vbc.exe
  PID 1380 wrote to memory of 1188   1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  vbc.exe
  PID 1188 wrote to memory of 1608   1188  vbc.exe                                                                 cvtres.exe
  PID 1188 wrote to memory of 1608   1188  vbc.exe                                                                 cvtres.exe
  PID 1188 wrote to memory of 1608   1188  vbc.exe                                                                 cvtres.exe
  PID 1188 wrote to memory of 1608   1188  vbc.exe                                                                 cvtres.exe
  PID 1380 wrote to memory of 848    1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  tmp1527.tmp.exe
  PID 1380 wrote to memory of 848    1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  tmp1527.tmp.exe
  PID 1380 wrote to memory of 848    1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  tmp1527.tmp.exe
  PID 1380 wrote to memory of 848    1380  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe  tmp1527.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b9f2lzff.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc16AD.tmp"

  C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe" C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RES16AE.tmp
Filesize: 1KB
MD5: 6a4c912b60f3fd7a758fd1b9d725bd41
SHA1: 6fbf454ebc922068e3a87aea75d29ca0187f201d
SHA256: 4b00f505bb9c1dbcb05fd948a9d350e6863d08e9bd779558785716be45070bbb
SHA512: 00ddecb787f37289adf56c4ee91a9a68e79963fb18b1ea9138a233a5a606dc54d98d27167c46dec23641f657625ab3a6eacf4f12e0d1a0a6b1a0b3fdbe091890

C:\Users\Admin\AppData\Local\Temp\b9f2lzff.0.vb
Filesize: 14KB
MD5: d627fc097a234fa11894089a0159679b
SHA1: cd39b6cfc1ff6f898243d90d120cf982daec03a1
SHA256: 6a1c854fa4cee8b8212cba66cb61eaec208ce3533f76ad71f2fbeb0eb87b3905
SHA512: 278d74b5623dec0759ad5d96d546da5181beea8764cfeb6d9b303b2efa87e34d36b086d18eddf058dd0ce1ac7279176c932b86aa7ee0017437ff4594861bb224

C:\Users\Admin\AppData\Local\Temp\b9f2lzff.cmdline
Filesize: 266B
MD5: eb871c138721635c50536f6169b55a4c
SHA1: fa165ad54a5d995390687f9167cc1d3e401dcb07
SHA256: d61078243a1131f4c2b3f37956455148bcf691dbb7f19149e10bf7778e33dc05
SHA512: b94e564421ed8a69cfcd3bdb5507dc453e983e45047765dd293bf82ff44f4f2ee528804d8a69f17a0f00ff4b4bb6cf549cd309a6f59ee71bb062061d36f5fccc

C:\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
Filesize: 78KB
MD5: 7574119fea41b1e1d7d87342dcf0875f
SHA1: d1970cca1ffd7c4faf403135da1d1af11afb0ff1
SHA256: 317756146b8ab49bfa59bf6ecd3c62cc65e4cc7f8fb9a8817abca2937d647158
SHA512: 2a4d94b72a06462537988beebf0d9c121291f4f11d3650890ee221cf6915809392a44ea6cfcf25e06fe4642ab8eee5df347eeccdf573faa33af7d35bdecc0eba
C:\Users\Admin\AppData\Local\Temp\vbc16AD.tmp
Filesize: 660B
MD5: 48a09e326b018f147aacb9a66dbcae40
SHA1: 84be259b8839e898c31b7a33dda4d2d88a8470ba
SHA256: 97e0f6937f802dbe538a28301d48a70e08c9dc56a2e08404328c644a8d65aa41
SHA512: b0b0615c53ebdbd9bd704b6f55713bc5b7f92d00dceb1b36a335460d7da998f89ca0130796c39d1bd89dfb3da59977e05dbbfc60dfa69ed9a57faf1e017cc8c3

C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

\Users\Admin\AppData\Local\Temp\tmp1527.tmp.exe
Filesize: 78KB
MD5: 7574119fea41b1e1d7d87342dcf0875f
SHA1: d1970cca1ffd7c4faf403135da1d1af11afb0ff1
SHA256: 317756146b8ab49bfa59bf6ecd3c62cc65e4cc7f8fb9a8817abca2937d647158
SHA512: 2a4d94b72a06462537988beebf0d9c121291f4f11d3650890ee221cf6915809392a44ea6cfcf25e06fe4642ab8eee5df347eeccdf573faa33af7d35bdecc0eba

Memory dumps

memory/848-65-0x0000000000000000-mapping.dmp
memory/848-68-0x0000000074270000-0x000000007481B000-memory.dmp (Filesize: 5.7MB)
memory/1188-55-0x0000000000000000-mapping.dmp
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)
memory/1380-69-0x0000000074270000-0x000000007481B000-memory.dmp (Filesize: 5.7MB)
memory/1608-59-0x0000000000000000-mapping.dmp