Analysis
- max time kernel: 10s
- max time network: 11s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2022 09:49
Static task: static1
Behavioral task: behavioral1
- Sample: 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
- Resource: win10v2004-20220812-en
General
- Target: 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
- Size: 78KB
- MD5: aa40f7549e3e95321864e35cdda455db
- SHA1: 7724c529780a900aaf3754b762f02dcd37a0877c
- SHA256: 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0
- SHA512: 344e73d0c57de54dd3e4a8b262602446354127f224f41485b3a567b4f1c9605fad1b0b75f4e2c8d7c88a3d3c518b1fa6992b73168fcfac10ffa430c619e1b8e2
- SSDEEP: 1536:1e58AvZv0kH9gDDtWzYCnJPeoYrGQt36xy9/K1kM:1e58Al0Y9MDYrm7x9/+
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1964 | tmp6EBC.tmp.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" | tmp6EBC.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4532 | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
    Token: SeDebugPrivilege | 1964 | tmp6EBC.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 4532 wrote to memory of 5056 | 4532 | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe | vbc.exe
    PID 4532 wrote to memory of 5056 | 4532 | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe | vbc.exe
    PID 4532 wrote to memory of 5056 | 4532 | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe | vbc.exe
    PID 5056 wrote to memory of 1432 | 5056 | vbc.exe | cvtres.exe
    PID 5056 wrote to memory of 1432 | 5056 | vbc.exe | cvtres.exe
    PID 5056 wrote to memory of 1432 | 5056 | vbc.exe | cvtres.exe
    PID 4532 wrote to memory of 1964 | 4532 | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe | tmp6EBC.tmp.exe
    PID 4532 wrote to memory of 1964 | 4532 | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe | tmp6EBC.tmp.exe
    PID 4532 wrote to memory of 1964 | 4532 | 90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe | tmp6EBC.tmp.exe
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rel61olb.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7081.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2181DF4418924571A3EDFC6E638876F3.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp6EBC.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6EBC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\90979312cb120d928164a0e6e921e826f1491a0b5fa82c60307b126e060c4eb0.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES7081.tmp
  Filesize: 1KB
  MD5: 205d3d08c5dac862338f3869806ea801
  SHA1: a9db6c370f95a49a969a7c08ac63cadca943b1cf
  SHA256: 78c1fd7adb7199774f272345cf3124a22fca876d99e7abd48d5a1af644e517ed
  SHA512: 60f6747643e8e1318e5367f514cbe4b6ae56c36797a24d26f217ae1d55d87334c7f4b5ecedd0daa35e433400a6252980dca0bc0040cea1b3c1a3729df4e52209
- C:\Users\Admin\AppData\Local\Temp\rel61olb.0.vb
  Filesize: 14KB
  MD5: 18bcb17197e9a8ae3a1a072159b822ea
  SHA1: 3821428510b25a051e09e8983e92b2aa4a762e06
  SHA256: 8ee0bc2c0dc29ba1e2331213df8bab5ba68a74357b72f09f0693a646db75ef77
  SHA512: 16d75da489e91247bd93f223b4f361dbb7c19d65a954e38174a55967abbd2ae787aa2c53711a8109e9aafc9584b25fbcacbdc06a61347585c26b061b948efa72
- C:\Users\Admin\AppData\Local\Temp\rel61olb.cmdline
  Filesize: 266B
  MD5: f886319f456b3606fbb704eb55d93099
  SHA1: d54bd917ddb7c606d7958196b7e6b9797eded2cf
  SHA256: 7617a4c5d3d7b7b5819e77d13fce62abf76943e906e2c42aa4c5d0ea71f89c02
  SHA512: 82530941c1c4d48b41f1cac195dbb4177b2e096fb24355298ed9bd8ef01c6a278258f189348fda78ae6080d6c1db5b8e197e3735c0b0ab5032b420b1b8b05e17
- C:\Users\Admin\AppData\Local\Temp\tmp6EBC.tmp.exe
  Filesize: 78KB
  MD5: e0fe03a508808615c87fedc530934e11
  SHA1: e379b4d4c95f3d0d89e3d8990dfd81db569711c6
  SHA256: 81f26cb2740dd65ec4350910f1d8640b5594ca7f53ef6e7f3a03c23d4a1b3e3a
  SHA512: 0046eadb0316ced14a281d06d1242a06af274f9d67051c5e4937c7a6078d147863437ce77dc26840856814412057b0b8eedf1225b21e894289854ed69a8c3e07
- C:\Users\Admin\AppData\Local\Temp\vbc2181DF4418924571A3EDFC6E638876F3.TMP
  Filesize: 660B
  MD5: d0bb4930d772e9aed0cad76f573f0122
  SHA1: 67dedfc5abccc433197d269c58546a761fc975c6
  SHA256: 63b7723f652a1fc70df88a477f399c38e0b1bcf876d91aa8264b9ae12a618dee
  SHA512: 98a4e27d1c00e7ef3b22b14b1a04d886eac692f0d3db5d34ff05df52c73fad72c594417697dcb4faa5feb45b5df46cda49022e4882faa52f9a3e1a90d5d395ba
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
  SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
  SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
  SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d
- memory/1432-137-0x0000000000000000-mapping.dmp
- memory/1964-141-0x0000000000000000-mapping.dmp
- memory/1964-144-0x0000000074E10000-0x00000000753C1000-memory.dmp
  Filesize: 5.7MB
- memory/4532-135-0x0000000074E10000-0x00000000753C1000-memory.dmp
  Filesize: 5.7MB
- memory/4532-143-0x0000000074E10000-0x00000000753C1000-memory.dmp
  Filesize: 5.7MB
- memory/5056-132-0x0000000000000000-mapping.dmp