Analysis
- max time kernel: 8s
- max time network: 6s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2022 18:53
Static task: static1

Behavioral task: behavioral1
- Sample: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
- Resource: win10v2004-20220901-en
General
- Target: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
- Size: 78KB
- MD5: a458a860cc198d046bd160f8dce82e13
- SHA1: 98b3e2bb8224e751135e9c2b74ed8a7f428cd66a
- SHA256: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e
- SHA512: bb9f213bb110615733628807537616bba34fb9895b3363516b97396a126942f003fe69a0808bcef7a410e58bba81430183b33187f292b0659377f39bb92d3891
- SSDEEP: 1536:8i5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtM699/0C19e:55jS7JywQjDgTLopLwdCFJzv9/e
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Uses the VBS compiler for execution (1 TTPs)

Drops file in Windows directory (1 IoCs)
Processes: dw20.exe
  description | ioc | process
  File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe, dw20.exe
  description | pid | process
  Token: SeDebugPrivilege | 3420 | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
  Token: SeRestorePrivilege | 984 | dw20.exe
  Token: SeBackupPrivilege | 984 | dw20.exe
  Token: SeBackupPrivilege | 984 | dw20.exe
  Token: SeBackupPrivilege | 984 | dw20.exe
  Token: SeBackupPrivilege | 984 | dw20.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe, vbc.exe
  description | pid | process | target process
  PID 3420 wrote to memory of 4900 | 3420 | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe | vbc.exe
  PID 3420 wrote to memory of 4900 | 3420 | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe | vbc.exe
  PID 3420 wrote to memory of 4900 | 3420 | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe | vbc.exe
  PID 4900 wrote to memory of 4236 | 4900 | vbc.exe | cvtres.exe
  PID 4900 wrote to memory of 4236 | 4900 | vbc.exe | cvtres.exe
  PID 4900 wrote to memory of 4236 | 4900 | vbc.exe | cvtres.exe
  PID 3420 wrote to memory of 984 | 3420 | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe | dw20.exe
  PID 3420 wrote to memory of 984 | 3420 | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe | dw20.exe
  PID 3420 wrote to memory of 984 | 3420 | b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe | dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3996a786b0b8a559f726c5dcabb7faf50b1940f96ee8b72445c23348a13c67e.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7tm3mqro.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29ACA4A62CAF411C89483E7928297D1B.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    Command line: dw20.exe -x -s 980
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7tm3mqro.0.vb
  Filesize: 14KB
  MD5: c9ac861d8b336c67ce019e166cfc1c35
  SHA1: 04c40377a02ee0f481e836131737fde465cde45b
  SHA256: f83889504b6e4b7f9b1856693ee6a4452d7b4afcb0fe6d6613df5bed0b6f1c9d
  SHA512: fe7b8369f79731e542967bfbdd2bfe7dae4438933a6f9dfa808ef0c76a191dd487494de62aa6332fd0d98ced1fa628bd5821034c471c9987d3f430096b3a8eeb
- C:\Users\Admin\AppData\Local\Temp\7tm3mqro.cmdline
  Filesize: 266B
  MD5: e1511a87643d1a31569b93c24bd52b9b
  SHA1: 034d59b34e3df2f2fc2264a3d870825e6f08bc50
  SHA256: eaa3555c93de07e66e52dea8d683e9d989dbc02dcffd34caf12de88fd470041e
  SHA512: 458919f111e749d64dcf77b429a9c1e77a799d7f26f039aa19f992e2250824a0e8e2d5ba86aad3011b7ad0e1b4100c54a1f226398977b53bcbe1d80d540870e9
- C:\Users\Admin\AppData\Local\Temp\RESAB87.tmp
  Filesize: 1KB
  MD5: 730db9bbd8eb1bc7bf8c6c5452ab5be1
  SHA1: 8b1369d48a89b7e1a77de319556fe4793e29ad09
  SHA256: 25bbb579fdb74f2f54fd63b5f687a97fe98e9a53b9861df5a35a859b8d7bbf6f
  SHA512: eb625dd1cab705c14bbb28c7dd2087eedbafaa326e259297e1bc7f1b3346a343d564d81c04a7071b10bc41fff2b15bc38804b0a0ca0b83272fa1434bed4a87cc
- C:\Users\Admin\AppData\Local\Temp\vbc29ACA4A62CAF411C89483E7928297D1B.TMP
  Filesize: 660B
  MD5: 43b72633f3c5dded7c0876cff33a05b4
  SHA1: a3d50c765db069cff02b04f05d97b30a76e458da
  SHA256: 89427e2ad67e41dfb8d08aff65db2e4b8b691d05258424600712ac9f88163400
  SHA512: 82d02509d2af5294aab2823de0923d8efe39261e809aad0f4807697875e08c4b364d16a87711304bcfb069498898c3e06eb3a5070aa69a8c602e42dd9312150b
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
- memory/984-143-0x0000000000000000-mapping.dmp
- memory/3420-135-0x00000000750E0000-0x0000000075691000-memory.dmp
  Filesize: 5.7MB
- memory/3420-144-0x00000000750E0000-0x0000000075691000-memory.dmp
  Filesize: 5.7MB
- memory/4236-140-0x0000000000000000-mapping.dmp
- memory/4900-136-0x0000000000000000-mapping.dmp