Analysis
-
max time kernel
10s
-
max time network
12s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
-
submitted
23-10-2022 16:05
Static task
static1
Behavioral task
behavioral1
Sample
a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
Resource
win10v2004-20220812-en
General
-
Target
a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
-
Size
78KB
-
MD5
b08577bf2c8e0b1beaf1b07b30fb7ba4
-
SHA1
7dc41082c33bb9c2ba802c495aff3e5043c5808d
-
SHA256
a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933
-
SHA512
edb177107973654efe5d0a27d93be2a801cdc2e106c6080a50ea29d77231f4683c9b4af07f17e56bb744630495c1e7a14bf3b221bebfc68ca2180aed55756488
-
SSDEEP
1536:tSV5OXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQts639/Vq1JM:tSV5GSyRxvY3md+dWWZy99/P
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Executes dropped EXE 1 IoCs
Processes:
pid: 4892
process: tmp6F1A.tmp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
process: a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
process: tmp6F1A.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description: Token: SeDebugPrivilege
pid: 528
process: a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe

description: Token: SeDebugPrivilege
pid: 4892
process: tmp6F1A.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PID 528 wrote to memory of 1428 (pid 528, process a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe, target process vbc.exe)
PID 528 wrote to memory of 1428 (pid 528, process a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe, target process vbc.exe)
PID 528 wrote to memory of 1428 (pid 528, process a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe, target process vbc.exe)
PID 1428 wrote to memory of 2532 (pid 1428, process vbc.exe, target process cvtres.exe)
PID 1428 wrote to memory of 2532 (pid 1428, process vbc.exe, target process cvtres.exe)
PID 1428 wrote to memory of 2532 (pid 1428, process vbc.exe, target process cvtres.exe)
PID 528 wrote to memory of 4892 (pid 528, process a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe, target process tmp6F1A.tmp.exe)
PID 528 wrote to memory of 4892 (pid 528, process a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe, target process tmp6F1A.tmp.exe)
PID 528 wrote to memory of 4892 (pid 528, process a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe, target process tmp6F1A.tmp.exe)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g4pnc6et.cmdline"
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7053.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30F07043550847D19B21AD7CBA06970.TMP"
-
[2] C:\Users\Admin\AppData\Local\Temp\tmp6F1A.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6F1A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a91e76e61134a96de1c29b6ba7192fc3d4388460dc80a3138f67274339f59933.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES7053.tmp
Filesize
1KB
MD5
b482c738e7e6a0d7df77ca587d6b5f6d
SHA1
2bd4ae9346adbb691aa7c8424aeace78ac6fd5e4
SHA256
46712b182035b7eddfbf7a11201d93c14231dafb01ddabf7e6d797aaa75b7d7d
SHA512
449956a0198b0da057c08b40e3d0c90f210ce2dab000389686e2db8928dcf9531adb5947da252a01ccf62f68b541c6cce0f45a9d7b10bfca4c3f5fb8a1dcb8c1
-
C:\Users\Admin\AppData\Local\Temp\g4pnc6et.0.vb
Filesize
14KB
MD5
5bb81699addb123610accd5666822d9e
SHA1
67edbeefda02f6a2a7c1f46d9cb4888352eb55db
SHA256
6ce922917c0d4a5cfc570bb09ca4416cfcfcc7ab9cea860026820ba38f4d8ec7
SHA512
7ec1a5da86633381d4d34dda0e8065e85e171b8d83b309337ed9898efff2ed6ecef1490beec5b49813fb0ae27b85e7788eb75f53337d101ebe163de80882deba
-
C:\Users\Admin\AppData\Local\Temp\g4pnc6et.cmdline
Filesize
266B
MD5
af37c2ef0272e993626bb48a6ba65ec2
SHA1
993274a7a190118dbccb365e2b375822112de81a
SHA256
1ad189acb54488204b513e46ef5bbd1642660c457a5d17cc4bed568344949b0a
SHA512
73aee9d5d2e7de5ba43a9f16961f246253f3abc48936d8c9aa03ccaa275427d47c91b20eb350aaed484a3e77b36616e02435a5ca0d5694c2a3ba932461891870
-
C:\Users\Admin\AppData\Local\Temp\tmp6F1A.tmp.exe
Filesize
78KB
MD5
584b67776a574277bf7dd3f516c225cc
SHA1
0f4a882189c7858bc44a75d1e60c4ddfefccc748
SHA256
463a67c57aaa3091b4b643322d587b0c84009c0a3c33fe33d6bfcee03bcb621f
SHA512
ec7fabafc6de6e0e27b8ed43f22e74351cebc712f537f9b423c408c3cbabaf5057755d44c57632d911fe4278ad6ea398accce4da4fcb6455e80c248cf7280c3e
-
C:\Users\Admin\AppData\Local\Temp\vbc30F07043550847D19B21AD7CBA06970.TMP
Filesize
660B
MD5
81a3fbb3c94dde576aa95eee5d451320
SHA1
77210b35de1e01f7497a09a2b1bd1bf949970490
SHA256
7e741c1bf5e268edb470f85b6da9f4c0ef32e48df6e354ce8b3155bf6c33324f
SHA512
651b30d1b4c9f26566814caaa5bac942fea02fd3cf749e613ac4a1192229f43f943a304fa7bb130cada9b77f046943df7b55f07a12b974ad33bead1d70904a46
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB
MD5
4f0e8cf79edb6cd381474b21cabfdf4a
SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107
-
memory/528-140-0x0000000075580000-0x0000000075B31000-memory.dmp
Filesize
5.7MB
-
memory/528-143-0x0000000075580000-0x0000000075B31000-memory.dmp
Filesize
5.7MB
-
memory/1428-132-0x0000000000000000-mapping.dmp
-
memory/2532-136-0x0000000000000000-mapping.dmp
-
memory/4892-141-0x0000000000000000-mapping.dmp
-
memory/4892-144-0x0000000075580000-0x0000000075B31000-memory.dmp
Filesize
5.7MB