Analysis
- max time kernel: 8s
- max time network: 9s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2022 08:29
Static task: static1
Behavioral task: behavioral1
  Sample: 8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
  Resource: win10v2004-20220812-en
General
- Target: 8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
- Size: 78KB
- MD5: 9de5f6153622535b6cef04354364a3bc
- SHA1: d2ca662e5cf9bb19490127d49ee872e8c51acfa2
- SHA256: 8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e
- SHA512: c065cf0f511ef2e2fcd96e6d82214d1fc2a935ac9af10cc15a9569d73a06afbb8ab1162cc63dbac88d801e62db861489d88fe314d518e16ec61f280b5a9b6b83
- SSDEEP: 1536:SPWtHFo6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtB9/d1da:SPWtHFoI3DJywQjDgTLopLwdCFJzB9/0
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Uses the VBS compiler for execution (1 TTPs)
- Drops file in Windows directory (1 IoCs)
  Processes: dw20.exe
  description   ioc                                              process
  File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp    dw20.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dw20.exe
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dw20.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: dw20.exe
  description        ioc                                                     process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS      dw20.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  dw20.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: 8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe, dw20.exe
  description                pid   process
  Token: SeDebugPrivilege    800   8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
  Token: SeRestorePrivilege  5032  dw20.exe
  Token: SeBackupPrivilege   5032  dw20.exe
  Token: SeBackupPrivilege   5032  dw20.exe
  Token: SeBackupPrivilege   5032  dw20.exe
  Token: SeBackupPrivilege   5032  dw20.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe, vbc.exe
  description                       pid   process                                                                   target process
  PID 800 wrote to memory of 1112   800   8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe  vbc.exe
  PID 800 wrote to memory of 1112   800   8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe  vbc.exe
  PID 800 wrote to memory of 1112   800   8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe  vbc.exe
  PID 1112 wrote to memory of 2784  1112  vbc.exe                                                                   cvtres.exe
  PID 1112 wrote to memory of 2784  1112  vbc.exe                                                                   cvtres.exe
  PID 1112 wrote to memory of 2784  1112  vbc.exe                                                                   cvtres.exe
  PID 800 wrote to memory of 5032   800   8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe  dw20.exe
  PID 800 wrote to memory of 5032   800   8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe  dw20.exe
  PID 800 wrote to memory of 5032   800   8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe  dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8acf8a241adb9b57f2fc336f6b2e3cc93376eb374da73350873b2aca5b36d36e.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rk_ywqgu.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES812B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc709750C859284AFFB522BC4CD8132D82.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    Command line: dw20.exe -x -s 984
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES812B.tmp
  Filesize: 1KB
  MD5: 595e5184a4618e8a3b9424c9aa6d4a21
  SHA1: 36b041a09037dc0df818231d341da024bc0ed312
  SHA256: f842c51fc3f10abe27a8b98fb42e8eab6e6dedc8a53240726af260248923b55a
  SHA512: cdc978793a04c8ebb02ca745a21d02e5d4682d9eef19e092a96e90c776d4c34ecf8a89574ea65246ac48346bb603ccc7b5a21c0b657439d7f530a54dd4d6e8b0
- C:\Users\Admin\AppData\Local\Temp\rk_ywqgu.0.vb
  Filesize: 15KB
  MD5: e97ed47bba3e25e43a3a6529c3644e9b
  SHA1: cc5fd24779d56b4c5e02c70206948cd2bf426d7b
  SHA256: 7373d67a3342cb915275d04fc9150eb8d349b9bb7b9b7b3395b5f6976240af5b
  SHA512: b492cee182c885be9fca6c1856ae5e879265c124ce60509cad1b833e9f8604c726c80a776c19dab12759fbcd9aedb689d2958f860b8af9257e67b0df2a030c6e
- C:\Users\Admin\AppData\Local\Temp\rk_ywqgu.cmdline
  Filesize: 266B
  MD5: 1f51ce859852d373ef34a85121c658d6
  SHA1: 3d40bd5b7cb3d5090824943a2c11abaeba55d227
  SHA256: ecf732aa414c579c1000956a5f285633ac197354ceaa7757c960cb0f05ee2457
  SHA512: 128d754f3eeb8991e98bebc13b1e7315db5ce84b35bf612c7aa4c516b4be0cb22b70e085f6252ab7202f5d1d870a62b0bd5ee9c13d0600fab54380a0482f5354
- C:\Users\Admin\AppData\Local\Temp\vbc709750C859284AFFB522BC4CD8132D82.TMP
  Filesize: 660B
  MD5: 331826bcd5c11a39789cb8ed1edbbaa3
  SHA1: cf63cbc0f52dc95f0db374348aadd7fec18f0c9a
  SHA256: 24d4e0fd61516f15867f5f13b6876916da223063e3e7c31e7347b518870770b6
  SHA512: 179e52867c049c57e0f9b99214300ef29590e46b3eb7022e0953f2e98a8c09a07f51661fa8f6a5b784126cc5f92aa17c4ed5a5ea41a0dbf939247779d4c77597
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- memory/800-132-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB
- memory/800-141-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB
- memory/1112-133-0x0000000000000000-mapping.dmp
- memory/2784-137-0x0000000000000000-mapping.dmp
- memory/5032-140-0x0000000000000000-mapping.dmp