Analysis

max time kernel: 9s
max time network: 12s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2022 16:05
Static task: static1

Behavioral task: behavioral1
  Sample: a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
  Resource: win10v2004-20220812-en
General

Target: a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
Size: 78KB
MD5: b08577bf2c8e0b1beaf1b07b30fb7ba4
SHA1: 7dc41082c33bb9c2ba802c495aff3e5043c5808d
SHA256: a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933
SHA512: edb177107973654efe5d0a27d93be2a801cdc2e106c6080a50ea29d77231f4683c9b4af07f17e56bb744630495c1e7a14bf3b221bebfc68ca2180aed55756488
SSDEEP: 1536:tSV5OXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQts639/Vq1JM:tSV5GSyRxvY3md+dWWZy99/P
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Executes dropped EXE (1 IoC)
  Processes:
    PID 1664  tmpF651.tmp.exe

Loads dropped DLL (2 IoCs)
  Processes:
    PID 828  a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
    PID 828  a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: tmpF651.tmp.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 828   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
    Token: SeDebugPrivilege  PID 1664  tmpF651.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    PID 828 wrote to memory of 1948   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> vbc.exe
    PID 828 wrote to memory of 1948   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> vbc.exe
    PID 828 wrote to memory of 1948   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> vbc.exe
    PID 828 wrote to memory of 1948   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> vbc.exe
    PID 1948 wrote to memory of 1744  vbc.exe -> cvtres.exe
    PID 1948 wrote to memory of 1744  vbc.exe -> cvtres.exe
    PID 1948 wrote to memory of 1744  vbc.exe -> cvtres.exe
    PID 1948 wrote to memory of 1744  vbc.exe -> cvtres.exe
    PID 828 wrote to memory of 1664   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> tmpF651.tmp.exe
    PID 828 wrote to memory of 1664   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> tmpF651.tmp.exe
    PID 828 wrote to memory of 1664   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> tmpF651.tmp.exe
    PID 828 wrote to memory of 1664   a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe -> tmpF651.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mjgdaadi.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7C8.tmp"

  C:\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\RESF7C9.tmp
  Filesize: 1KB
  MD5: 7b0d6e4b715e2c940cabe298f52e7ad8
  SHA1: 18b7e9173a6d3d50fd32e6a98b114f3173517ecd
  SHA256: d68e8bdf0c5c513d00e65b859a1944ce2868e0d324ca626b644ba82a87198274
  SHA512: 7df4e89f6713ed7675d04cf179804b6fc322aeecf54023636e47e64f91a30cab0dcffb03ef256b9d3809ee271114a8b8c123727ae932e2f9f71281879e3449c0

C:\Users\Admin\AppData\Local\Temp\mjgdaadi.0.vb
  Filesize: 14KB
  MD5: b6933af07b647101af5de45e8a284c87
  SHA1: cf9b9821561e2f5deaf8caed4a02dd81e91a1c61
  SHA256: 3fb32cd61908e471080050862a4631b4685fb70af4e097627451382bcfb779b6
  SHA512: 123e816790408b013d73f55f6485d8001b11687bc555d7e6100631f5a8b9707da7b4d0c489a85eea52f91559a432c26adb195916dd6fe0a6ee304e66680bd6d9

C:\Users\Admin\AppData\Local\Temp\mjgdaadi.cmdline
  Filesize: 266B
  MD5: d3c1d08af83c1a692fad9dd44dbfc8d3
  SHA1: cb3227fcd970e717867a13ac79aa26b2ceaf47c7
  SHA256: ed6b38f8cd0d98ffead3e2e42bcad507407453989448711dcbd09230c6d98299
  SHA512: 0b2e6ba7ef793ad269da6522657b8bd204b38592d3d58c55065cc10002209da9fca16384c22b44f4ed4d208e32ef01f5025476f4a3957dc2e999c8f5811bcdbf

C:\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe
  Filesize: 78KB
  MD5: 238aee89bb52b80dbca05b8a078a7351
  SHA1: aedd5f06957b065c2cf22e082c20cb5dc59f4c14
  SHA256: d975f5c90f61c8cc38508ebf43a34dc2ac7e509f82f57e6ccb94ddf0cfdcfa64
  SHA512: b7beebc9e0befc2ee4e71339355c5d7617e8c8b67019d35bf0396501811b00f87ef34808ab267646db4d0801612707c4d844724e58861a6cc0ae35d325318991

C:\Users\Admin\AppData\Local\Temp\vbcF7C8.tmp
  Filesize: 660B
  MD5: 902836b1ba0a2b8c08bbd62715b6fee7
  SHA1: a81290fe5615dccfecc990e8085bc6b76a4c735f
  SHA256: 8814d26ea808d7a599ccb1a5c14d2758fbd18bc7ba37e0d5bcbbe14858ae63e6
  SHA512: 498002705109a60c814924b8d7a77c986c82bc287d4471526ddf8fd340dd54c65fd7d69dfdb01ec92d8269680beae17a2bf34b6cc3b39007e63b96021d3ce64c

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

\Users\Admin\AppData\Local\Temp\tmpF651.tmp.exe
  Filesize: 78KB
  MD5: 238aee89bb52b80dbca05b8a078a7351
  SHA1: aedd5f06957b065c2cf22e082c20cb5dc59f4c14
  SHA256: d975f5c90f61c8cc38508ebf43a34dc2ac7e509f82f57e6ccb94ddf0cfdcfa64
  SHA512: b7beebc9e0befc2ee4e71339355c5d7617e8c8b67019d35bf0396501811b00f87ef34808ab267646db4d0801612707c4d844724e58861a6cc0ae35d325318991

Memory dumps

memory/828-54-0x0000000075A11000-0x0000000075A13000-memory.dmp
  Filesize: 8KB

memory/828-68-0x0000000074240000-0x00000000747EB000-memory.dmp
  Filesize: 5.7MB

memory/1664-65-0x0000000000000000-mapping.dmp

memory/1664-69-0x0000000074240000-0x00000000747EB000-memory.dmp
  Filesize: 5.7MB

memory/1744-59-0x0000000000000000-mapping.dmp

memory/1948-55-0x0000000000000000-mapping.dmp