Analysis
max time kernel: 10s
max time network: 14s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2022 07:02

Static task: static1
Behavioral task: behavioral1
  Sample: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
  Resource: win10v2004-20220812-en
General
Target: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
Size: 78KB
MD5: ffc69516a66858e500dcc05a39fa3d78
SHA1: 806791dd76c2419e5c1ee1c61f661babf2d2bb83
SHA256: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a
SHA512: fa1e052c94236ffdcecadce525a29af2fa6fa6eb48b03f6e9254e1ca36a88ec7c3c7dddbd1e9bce5d4338da5da164870408f03a14111577ad2702fb2fe2ed081
SSDEEP: 1536:cRy58MpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd69v9/S1Zm:cRy58iJywQjDgTLopLwdCFJz+v9/D
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Executes dropped EXE (1 IoCs)
Processes:
  pid 4972  tmp6513.tmp.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  process: 852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Uses the VBS compiler for execution (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 4836  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process -> target process):
  PID 4836 wrote to memory of 1364  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe -> vbc.exe
  PID 4836 wrote to memory of 1364  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe -> vbc.exe
  PID 4836 wrote to memory of 1364  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe -> vbc.exe
  PID 1364 wrote to memory of 5088  vbc.exe -> cvtres.exe
  PID 1364 wrote to memory of 5088  vbc.exe -> cvtres.exe
  PID 1364 wrote to memory of 5088  vbc.exe -> cvtres.exe
  PID 4836 wrote to memory of 4972  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe -> tmp6513.tmp.exe
  PID 4836 wrote to memory of 4972  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe -> tmp6513.tmp.exe
  PID 4836 wrote to memory of 4972  852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe -> tmp6513.tmp.exe
Processes (tree; indentation shows parent/child depth)

Level 1: C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jzoh3uur.cmdline"
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6810.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DBA710F7A446BB969E577A4A696D9.TMP"

  Level 2: C:\Users\Admin\AppData\Local\Temp\tmp6513.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6513.tmp.exe" C:\Users\Admin\AppData\Local\Temp\852c2b9cbfcf416bc8c0d770fd7e1cb7af517c208f1e02bedbf1ab2ac6c7f18a.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RES6810.tmp
  Filesize: 1KB
  MD5: d32a654c863c2a258fc3fe63d0997c2d
  SHA1: 0ff5828268b24e8f000ebefed1dc069e0ac64662
  SHA256: 8f515fcf08a897b8b9f38dd2a84b7d5c82a9cd8f0c426c561924220b4c8123be
  SHA512: 2bb522c23d151ea86ca538070b6b37e313411c7a3929209dab470d079867129d1ef65a6386dadabe8d659225e4455cfdcad543d4500e5448bd4a144d5216e359

C:\Users\Admin\AppData\Local\Temp\jzoh3uur.0.vb
  Filesize: 14KB
  MD5: f3da7612a6ec93610602785e4746bb44
  SHA1: a5bc44a5ffc805136eb71cb9570c4dc0ceb58337
  SHA256: 01c48d38eb57140ea3507cd0ca18c6d262057ca0bfaeffc976ae241978420bcd
  SHA512: adebc416ea34a7a2f8d8b137665fd65a078f43d3c53f14b125cdb4d6ad47d7b684293a92947a84e3287130403eee217b61f2ff136ad62e13d0a2ffe3aa633f93

C:\Users\Admin\AppData\Local\Temp\jzoh3uur.cmdline
  Filesize: 266B
  MD5: 381b82b48c80eb0714bfc842826987f2
  SHA1: d847064c71e9d27d965979dbf0d12c882ec2bbfe
  SHA256: 8d2a073fee6da602737f4333ace0d0c09d2af62b9ca25ed7b365ca61818dc687
  SHA512: e2fdcc35ee588ee084bc1a278450a6820ac3f48fef030e6e9190d918c1977b4f5631dd0bfd932f10c9566ccca8bede3788b40ae768bc9958ab8dd4ba305b2275

C:\Users\Admin\AppData\Local\Temp\tmp6513.tmp.exe
  Filesize: 78KB
  MD5: e53c98b461bf0554290b4f821c1a8a34
  SHA1: 43b1e42617b2d5e2b6204c29fd4c3596714d61a0
  SHA256: b27c35a4c0a9706c6e19757b9b356d47ad2a81ccea71d6f04edbd470d85e6947
  SHA512: d1e05f0b8164d285744dc22fe2e75715ae2c7fd2c19e1d7ab0e05076fa3d094cb576e8798261e1bdb91982ebf365ddd213ee2c71881762389c7b799715ac4ae1
C:\Users\Admin\AppData\Local\Temp\vbc7DBA710F7A446BB969E577A4A696D9.TMP
  Filesize: 660B
  MD5: 0a48610a7ca254fb4cc12faac5fa0c1d
  SHA1: e2e12de715deae6e467b74035c4a6c83d81f7d40
  SHA256: 322401b198ac8e49dc53b8a740c1c268670612ec9cc3d7235d24cc69664d3fc3
  SHA512: 0ff6c1227945f59b58f6057e3fe1538494d443c71f59dd09aa651589c8491b53247bdf1ad8bb454e5dffcd2d0f96b0965e84cf0036b902cb9dc8fe448f5b55f0

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Memory dumps
memory/1364-133-0x0000000000000000-mapping.dmp
memory/4836-132-0x0000000074780000-0x0000000074D31000-memory.dmp
  Filesize: 5.7MB
memory/4836-143-0x0000000074780000-0x0000000074D31000-memory.dmp
  Filesize: 5.7MB
memory/4972-141-0x0000000000000000-mapping.dmp
memory/4972-144-0x0000000074780000-0x0000000074D31000-memory.dmp
  Filesize: 5.7MB
memory/5088-137-0x0000000000000000-mapping.dmp