Analysis
- max time kernel: 132s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 21:04
Static task: static1
Behavioral task: behavioral1
- Sample: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
- Resource: win10v2004-20220812-en
General
- Target: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
- Size: 122KB
- MD5: c9d37054a8372b74f0de27dbdb4b7436
- SHA1: 083bcbd248bcfe4735f3785cb789647dcf02e7cd
- SHA256: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a
- SHA512: 4525e6acc3f4e118f315059f152a362dbed3a81e87fb46a1b6d388c53d9d547c0125db2a3c19814d559611e07150e5141d8d854a992d4e5a5a3f95dc7a1bdd28
- SSDEEP: 3072:+vCTDGgFwxgc0MwWvEsqfEcDemBXw6UoamxoF9CoTEgnShXAFKa2rMJt3cMtPRG5:lBgvoCRJvR36+dDZon9
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 1104: tmp713B.tmp.exe
- Deletes itself (1 IoCs)
  Processes:
  - pid 1104: tmp713B.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - pid 1480: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
  - pid 1480: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\normalization = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.VisualBasic.Vsa.exe\""
    process: tmp713B.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 1480: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
  - Token: SeDebugPrivilege, pid 1104: tmp713B.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source pid wrote to memory of target pid, source process -> target process):
  - PID 1480 wrote to memory of 1996: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> vbc.exe
  - PID 1480 wrote to memory of 1996: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> vbc.exe
  - PID 1480 wrote to memory of 1996: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> vbc.exe
  - PID 1480 wrote to memory of 1996: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> vbc.exe
  - PID 1996 wrote to memory of 1904: vbc.exe -> cvtres.exe
  - PID 1996 wrote to memory of 1904: vbc.exe -> cvtres.exe
  - PID 1996 wrote to memory of 1904: vbc.exe -> cvtres.exe
  - PID 1996 wrote to memory of 1904: vbc.exe -> cvtres.exe
  - PID 1480 wrote to memory of 1104: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> tmp713B.tmp.exe
  - PID 1480 wrote to memory of 1104: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> tmp713B.tmp.exe
  - PID 1480 wrote to memory of 1104: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> tmp713B.tmp.exe
  - PID 1480 wrote to memory of 1104: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe -> tmp713B.tmp.exe
Processes (process tree, nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z5b_vjce.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7A01.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES7A02.tmp
  Filesize: 1KB
  MD5: 47a2ebe7b6b1a24e8266603e6b6b6468
  SHA1: 1e51fa058471f9563d7c8a1a503565d4402efb68
  SHA256: a182c7e44d06c17abc36e0bdd2c218350020484e438af198367586bf04f71689
  SHA512: f9a2e29556a692fd52d9b815c023719f9de2bccaa8bbea23b9278eba823ed8684ed68a7262cb34642d11fb3d8738a738fdc636ec429cfef879c5b76e01829320
- C:\Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
  Filesize: 84KB
  MD5: fa49fce306b22bf35ca917ce54c17e13
  SHA1: 8dbbc4cf8a78c1bb854100f75a837d1b1cb4cdb4
  SHA256: a2d87d6b498f8eeef01d53b5136f9cf100c32d79397cd247b8ca9c3add84ea55
  SHA512: 6a437261269053bcd5034ea8537bb7265e42320498ceb5895ab312c856b8d62aac21d49cc1b5c8150f02da9cde7faf4e930cb8e794f7c743fbf4fac214a8c5e1
- C:\Users\Admin\AppData\Local\Temp\vbc7A01.tmp
  Filesize: 660B
  MD5: 7db878b144b045f56f5087caec8714d2
  SHA1: e8af6fec8f35d8fd730d0528428352919dc09e70
  SHA256: ac2136c6e469c6a193f779e3be92a3b678306cad6b24624df9d8a251082c91d6
  SHA512: 5a5aeeb44c816ff9361f3e6d95d725a632526e8ce7cb3f651cb34b79a0eef164902bbe867391672d7e2648c90319be05117418cc904552740df558a0fe3224f7
- C:\Users\Admin\AppData\Local\Temp\z5b_vjce.0.vb
  Filesize: 31KB
  MD5: 1598e1b8904a7e3ce9df9693f4a23274
  SHA1: 44a0031083b4358b9db073c44b38f36d06b32c42
  SHA256: 1124bb900509ddb1d15a161b9b9a3673135ace46332375c06a12c9fa6f020527
  SHA512: 5138c5846e14a4ab9a33c843813b7d76150470adc5e5065bebd8f19f8b0d7db3b3742970fad0039cc2d8fcde2d1e2796ed6204f80237aecaa62eb20d6e51cfee
- C:\Users\Admin\AppData\Local\Temp\z5b_vjce.cmdline
  Filesize: 266B
  MD5: 4bf8a41c87c80ab961714ddd9aaee617
  SHA1: 231469ab7f0c2af3c0e409ebefe974473a0e7730
  SHA256: afe963e0e02f7285286d28476237097207614e255b289e59db29321ed6b480bc
  SHA512: 0e129958b04189d6f4e0126b56a097cd5c9956c7eb2b57d66a2a1ed993a482a6f9e7414010aa3ff3b55a01473beb39599813d941bffee8375f9135eb260bc3db
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: ab2ae34957da340df62e391e4c787903
  SHA1: bbc36baa919c8bd54848f942b1649085fc0e7f69
  SHA256: 9dab1334b4275bd3c2b051f79cc66eb8854f808eea4892617668c634842fe669
  SHA512: ff676f0ce26a2b867b2d37847fccdee6a25a99d3003490166673c8ba3048e79c50e9247ecd91287c638bfa42dc4e240df8ba076f6dc2b0a44b9f4fdc6c4941b3
- \Users\Admin\AppData\Local\Temp\tmp713B.tmp.exe
  Filesize: 84KB
  MD5: fa49fce306b22bf35ca917ce54c17e13
  SHA1: 8dbbc4cf8a78c1bb854100f75a837d1b1cb4cdb4
  SHA256: a2d87d6b498f8eeef01d53b5136f9cf100c32d79397cd247b8ca9c3add84ea55
  SHA512: 6a437261269053bcd5034ea8537bb7265e42320498ceb5895ab312c856b8d62aac21d49cc1b5c8150f02da9cde7faf4e930cb8e794f7c743fbf4fac214a8c5e1
- memory/1104-66-0x0000000000000000-mapping.dmp
- memory/1104-70-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1104-71-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1104-72-0x0000000000BA5000-0x0000000000BB6000-memory.dmp
  Filesize: 68KB
- memory/1104-73-0x0000000000BA5000-0x0000000000BB6000-memory.dmp
  Filesize: 68KB
- memory/1480-58-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1480-54-0x0000000076831000-0x0000000076833000-memory.dmp
  Filesize: 8KB
- memory/1480-69-0x0000000075000000-0x00000000755AB000-memory.dmp
  Filesize: 5.7MB
- memory/1904-60-0x0000000000000000-mapping.dmp
- memory/1996-55-0x0000000000000000-mapping.dmp