Analysis
- max time kernel: 10s
- max time network: 14s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2022 18:53
Static task: static1
Behavioral task: behavioral1
- Sample: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
- Resource: win10v2004-20220901-en
General
- Target: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
- Size: 78KB
- MD5: a458a860cc198d046bd160f8dce82e13
- SHA1: 98b3e2bb8224e751135e9c2b74ed8a7f428cd66a
- SHA256: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e
- SHA512: bb9f213bb110615733628807537616bba34fb9895b3363516b97396a126942f003fe69a0808bcef7a410e58bba81430183b33187f292b0659377f39bb92d3891
- SSDEEP: 1536:8i5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtM699/0C19e:55jS7JywQjDgTLopLwdCFJzv9/e
Malware Config
Signatures
- MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Executes dropped EXE (1 IoC)
Processes:
PID 1344  tmpF596.tmp.exe
- Loads dropped DLL (2 IoCs)
Processes:
PID 1004  b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
PID 1004  b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
- Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
The sample invokes vbc.exe, the VB.NET command-line compiler shipped with the .NET Framework (not a VBScript interpreter), to build code on the host at runtime; the exact command line is shown under Processes.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). This is a generic heuristic that is common in ransomware, but drive enumeration alone is not evidence of encryption activity; nothing else in this report shows file encryption.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
PID 1004  b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID and process -> target PID and process):
PID 1004  b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe -> PID 1600  vbc.exe (4 events)
PID 1600  vbc.exe -> PID 1536  cvtres.exe (4 events)
PID 1004  b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe -> PID 1344  tmpF596.tmp.exe (4 events)
Every target here is a child that the source has just spawned, and each child receives exactly four writes, which is consistent with ordinary process-creation setup by the parent rather than with injection into an unrelated process. Treat this signature as corroborating the process tree in this report, not as an independent injection finding.
Processes
- C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\35afforh.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6DE.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
    - Executes dropped EXE

Reading the tree: the sample (PID 1004) writes a VB.NET source file (35afforh.0.vb) and a compiler response file (35afforh.cmdline) to %TEMP%, invokes the .NET 2.0 vbc.exe on them, and vbc.exe in turn runs cvtres.exe to convert the resource file (vbcF6DE.tmp) into a COFF object (RESF6DF.tmp). The sample then executes the freshly compiled tmpF596.tmp.exe, which is the same size as the parent (78KB) but has a different hash, passing its own path as the only argument; the report does not capture what the compiled helper does with that path. Because the second stage is compiled on the host, its hash is likely to vary between runs and compiler versions, so the stable indicators are the compiler invocation chain and the dropped file names rather than the hash of tmpF596.tmp.exe.
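The process chain above is the detectable part of this sample. The following is an added example, not code from the report or from the sample: it runs three correlation rules over constructed process-creation events that mirror the tree shown (the PIDs, image paths and command lines are taken from the report; the sample's own parent PID, the benign MSBuild control events and the Sysmon-style field names are assumptions about how an EDR export would look). The rules flag csc.exe/vbc.exe driven by something other than a build tool, an executable in the user's Temp folder launched by another executable in Temp, and a parent handing its own image path to a child.

```python
"""Flag runtime .NET compilation and dropped-binary execution in
process-creation telemetry.

Added example; not part of the sandbox report or the sample. EVENTS is
constructed to mirror the report's process tree; the parent PID of the
sample, the MSBuild control events and the field names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe")
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed process-creation events (Sysmon Event ID 1 style fields, assumed).
EVENTS = [
    {"pid": 1004, "ppid": 900, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 1600, "ppid": 1004, "image": FW + r"\vbc.exe",
     "cmdline": '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\35afforh.cmdline"'},
    {"pid": 1536, "ppid": 1600, "image": FW + r"\cvtres.exe",
     "cmdline": FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:'
                + TEMP + r'\RESF6DF.tmp" "' + TEMP + r'\vbcF6DE.tmp"'},
    {"pid": 1344, "ppid": 1004, "image": TEMP + r"\tmpF596.tmp.exe",
     "cmdline": '"' + TEMP + r'\tmpF596.tmp.exe" ' + SAMPLE},
    # Benign control (assumed): a developer build driving the same compiler.
    {"pid": 2000, "ppid": 1, "image": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmdline": "MSBuild.exe proj.vbproj"},
    {"pid": 2001, "ppid": 2000, "image": FW + r"\vbc.exe",
     "cmdline": '"' + FW + r'\vbc.exe" /noconfig @"C:\proj\obj\Debug\x.cmdline"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive the compilers (assumption; tune per estate).
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(events: List[dict], pid: int) -> List[str]:
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def analyse(events: List[dict]) -> List[Finding]:
    by_pid: Dict[int, dict] = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # no telemetry for the parent; nothing to correlate
        name, pname = _name(e["image"]), _name(parent["image"])
        cmd = e["cmdline"]

        # 1. csc/vbc driven by something other than a build tool: the
        #    on-host compilation pattern seen in the report.
        if name in COMPILERS and pname not in BUILD_TOOLS:
            m = RESPONSE_FILE.search(cmd)
            rsp = m.group(1) if m else "?"
            findings.append(Finding("runtime_compile", e["pid"],
                                    f"{pname} -> {name} with response file {rsp}"))

        # 2. An executable in the user's Temp launched by another executable
        #    in Temp: a dropper running what it just wrote.
        if USER_TEMP.match(e["image"]) and USER_TEMP.match(parent["image"]):
            findings.append(Finding("temp_exec", e["pid"], f"{pname} -> {name}"))

        # 3. The parent passes its own image path to the child, as the
        #    sample does when it launches tmpF596.tmp.exe.
        if parent["image"].lower() in cmd.lower() and name != pname:
            findings.append(Finding("self_reference", e["pid"],
                                    f"{name} received parent path {parent['image']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f.rule, f.pid, " > ".join(ancestry(EVENTS, f.pid)), "|", f.detail)
```

On the constructed events the three rules fire only on PIDs 1600 and 1344, and the MSBuild-driven vbc.exe control is left alone because its parent is an allow-listed build tool; cvtres.exe under vbc.exe is not flagged on its own, since that is how the compiler always emits resources. The ancestry helper is there so an alert can show the full chain back to the dropper rather than a lone compiler event.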
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\35afforh.0.vb
  Filesize: 14KB
  MD5: fa830aa676ed1fb3be7d2329ab3da2f8
  SHA1: 87dd8f333b02f861a61c372934c77d559a23e60b
  SHA256: bb9b2cdf79401bbdaac502484014278d6bb11ba4616a0efe74a9d08bda31ad9e
  SHA512: a6bb04ab3d2eb9485aeeb78dc256b7e1c3079177c6018a3b0d972bc93126253dac1c71760b258456dbeef1c5ab5d2d8dc45fd0dd91b45d5d838bdc63956bfb28
- C:\Users\Admin\AppData\Local\Temp\35afforh.cmdline
  Filesize: 266B
  MD5: 387831b745cf64bd1fa9c08be5071e64
  SHA1: 2176e0081338379607eb0946853374c542c2ecc7
  SHA256: 1e75898ca825339a83572f7d9bb98f2315e658210f77d646608aec8b47cfe992
  SHA512: 61d0ac3dfae99ebe699d89eabcb09f0f72b058266ae7c327992d6f158d45f9432552919c4140f73ffee1d217b0daafd8719187938a3eabbf3d5e7b06cc75a236
- C:\Users\Admin\AppData\Local\Temp\RESF6DF.tmp
  Filesize: 1KB
  MD5: 728c8c56470df407a52f1bfd19540cf4
  SHA1: 635fbffca73d409f945da4f282f1284658295701
  SHA256: 0a5b762063da4af53672d9549d9aa42bcda7be91de541b2c025b868f8bcd4d63
  SHA512: 8e571d95c3a2ec063f11925ffdf4f6ff6408b84e0259dfd8af575f45da0ee6f6686c9d271683219e4d44095e2e5b8b5350a88d27363281ff8bdc14b7119c5b21
- C:\Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe
  Filesize: 78KB
  MD5: c9b6c16b41fe675a60abb361c740250e
  SHA1: 3376625b24849a3d87e746eb0d273de58887192c
  SHA256: 7b436e27561fce60339be0e275f77868eb81e275bb804757e163d3924895ccde
  SHA512: e3e7f4f306756752ea8d966c580816b82fa27861b2de32e958ea5a7e78f604876c0bb352b9cbb57d020ec6bcc5c523bc7e4502e889ddbb8cd1fdfb2662a19fdb
- C:\Users\Admin\AppData\Local\Temp\vbcF6DE.tmp
  Filesize: 660B
  MD5: 2acd14aa4e1b35407d4eb6d5c679cf2c
  SHA1: acbc43c3fde905bbcf241f6b4a3b976035291152
  SHA256: 348bff5895ae12ce22c3e162193836fca7fb8e2cb12d09e52ee14ee18f5829d3
  SHA512: c1e59d2a6e213c7d854ebbf88f3e425ce6b7acd589474078476719d279e752189656927537a90e67c4b5b2aa4aae886a1fb97a49d98bcbd10edd96231270365d
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- \Users\Admin\AppData\Local\Temp\tmpF596.tmp.exe
  Filesize: 78KB
  MD5: c9b6c16b41fe675a60abb361c740250e
  SHA1: 3376625b24849a3d87e746eb0d273de58887192c
  SHA256: 7b436e27561fce60339be0e275f77868eb81e275bb804757e163d3924895ccde
  SHA512: e3e7f4f306756752ea8d966c580816b82fa27861b2de32e958ea5a7e78f604876c0bb352b9cbb57d020ec6bcc5c523bc7e4502e889ddbb8cd1fdfb2662a19fdb
- memory/1004-54-0x0000000075211000-0x0000000075213000-memory.dmp
  Filesize: 8KB
- memory/1004-68-0x00000000747E0000-0x0000000074D8B000-memory.dmp
  Filesize: 5.7MB
- memory/1344-65-0x0000000000000000-mapping.dmp
- memory/1344-69-0x00000000747E0000-0x0000000074D8B000-memory.dmp
  Filesize: 5.7MB
- memory/1536-59-0x0000000000000000-mapping.dmp
- memory/1600-55-0x0000000000000000-mapping.dmp