Analysis

max time kernel: 156s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 21:04
Static task: static1
Behavioral task: behavioral1
  Sample: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
  Resource: win10v2004-20220812-en
General

Target: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
Size: 122KB
MD5: c9d37054a8372b74f0de27dbdb4b7436
SHA1: 083bcbd248bcfe4735f3785cb789647dcf02e7cd
SHA256: 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a
SHA512: 4525e6acc3f4e118f315059f152a362dbed3a81e87fb46a1b6d388c53d9d547c0125db2a3c19814d559611e07150e5141d8d854a992d4e5a5a3f95dc7a1bdd28
SSDEEP: 3072:+vCTDGgFwxgc0MwWvEsqfEcDemBXw6UoamxoF9CoTEgnShXAFKa2rMJt3cMtPRG5:lBgvoCRJvR36+dDZon9
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  4964 | tmpF69A.tmp.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence check.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe

Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
vbc.exe is the VB.NET command-line compiler shipped with the .NET Framework, not a VBScript interpreter; the sample uses it to compile a payload at runtime (see the process tree under Processes).

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\normalization = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.VisualBasic.Vsa.exe\"" | tmpF69A.tmp.exe
The Run value is written under the user's own hive (HKCU), so no elevation is needed, and it points at an executable in the user's Temp directory whose name is styled after a Microsoft .NET assembly. That file is not among the dropped files listed under Downloads in this report.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drives. This is common ransomware behaviour, although no encryption activity is recorded elsewhere in this report.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Both the original sample and the dropped executable enable SeDebugPrivilege, which allows a process to open and manipulate processes belonging to other users.
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1988 | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
  Token: SeDebugPrivilege | 4964 | tmpF69A.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1988 wrote to memory of 4920 | 1988 | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe | vbc.exe
  PID 1988 wrote to memory of 4920 | 1988 | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe | vbc.exe
  PID 1988 wrote to memory of 4920 | 1988 | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe | vbc.exe
  PID 4920 wrote to memory of 512 | 4920 | vbc.exe | cvtres.exe
  PID 4920 wrote to memory of 512 | 4920 | vbc.exe | cvtres.exe
  PID 4920 wrote to memory of 512 | 4920 | vbc.exe | cvtres.exe
  PID 1988 wrote to memory of 4964 | 1988 | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe | tmpF69A.tmp.exe
  PID 1988 wrote to memory of 4964 | 1988 | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe | tmpF69A.tmp.exe
  PID 1988 wrote to memory of 4964 | 1988 | 92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe | tmpF69A.tmp.exe
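The two registry IoCs above (the Geo\Nation lookup and the Run value) are the kind of rows a triage script should classify without a human reading each one. The following is an added example written for this page; it is not part of the report and not sandbox code. It parses rows in the format the report renders (the sample rows are constructed from the two rows of this report), recovers the REG_SZ data from the escaped rendering, and flags a geofence lookup and a per-user Run key pointing at a Microsoft-looking executable in a user-writable Temp directory. The ATT&CK IDs T1614 and T1547.001 are taken from the current ATT&CK matrix rather than the v6 mapping this report uses, and the path patterns are assumptions for illustration.

```python
import re

# Constructed sample input: the two registry IoC rows from the Signatures
# section, in the form the report renders them
# (description, key path, optional '= data', writing process).
SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
SAMPLE = "92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe"
REGISTRY_ROWS = [
    rf"Key value queried \REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation {SAMPLE}",
    rf"Set value (str) \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\normalization"
    r' = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.VisualBasic.Vsa.exe\"" tmpF69A.tmp.exe',
]

ROW_RE = re.compile(
    r"^(?P<op>Key value queried|Set value \((?P<type>\w+)\)) "
    r"(?P<key>\\REGISTRY\\.+?)"          # lazy: key paths may contain spaces
    r'(?: = (?P<data>".*"))? '           # REG_SZ data, only on Set value rows
    r"(?P<process>\S+)$"
)
KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:USER\\(?P<sid>S-[\d-]+)|(?P<machine>MACHINE))\\(?P<subkey>.*)$", re.I
)
# Assumed patterns for the checks below (illustrative, not exhaustive).
RUN_KEYS = ("software\\microsoft\\windows\\currentversion\\run\\",
            "software\\microsoft\\windows\\currentversion\\runonce\\")
GEO_NATION = "control panel\\international\\geo\\nation"
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)


def unescape_reg_string(raw):
    """The report prints REG_SZ data as a quoted, backslash-escaped literal;
    undo that to recover the string actually written to the registry."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def image_path(cmdline):
    """First token of a command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def parse_row(row):
    m = ROW_RE.match(row)
    k = KEY_RE.match(m["key"]) if m else None
    if not k:
        return None
    return {"op": m["op"], "data": m["data"], "process": m["process"],
            "sid": k["sid"], "per_user": k["sid"] is not None, "subkey": k["subkey"]}


def triage(rows):
    findings = []
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        sub = rec["subkey"].lower()
        if rec["op"] == "Key value queried" and sub == GEO_NATION:
            findings.append({"kind": "geofence_lookup", "attack": "T1614",
                             "process": rec["process"], "per_user": rec["per_user"]})
        elif rec["op"].startswith("Set value") and rec["data"] and sub.startswith(RUN_KEYS):
            image = image_path(unescape_reg_string(rec["data"]))
            basename = image.rsplit("\\", 1)[-1].lower()
            findings.append({
                "kind": "run_key_persistence", "attack": "T1547.001",
                "process": rec["process"], "per_user": rec["per_user"],
                "value_name": rec["subkey"].rsplit("\\", 1)[-1],
                "image": image,
                "in_user_writable": bool(USER_WRITABLE.match(image)),
                # a Microsoft-style assembly name living outside Windows/Program Files
                "masquerades_as_microsoft": basename.startswith("microsoft.")
                                            and not SYSTEM_DIRS.match(image),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(REGISTRY_ROWS):
        print(finding)
```

The per-user flag matters for response: a Run value under a user SID is removable by that user and survives only that user's logons, whereas the same value under \REGISTRY\MACHINE would indicate the dropper had obtained administrative rights.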
Processes

The tree below shows a compile-at-runtime dropper: the sample writes VB.NET source (q7vwahnj.0.vb) and a compiler response file (q7vwahnj.cmdline) to its Temp directory, compiles them with vbc.exe (which in turn runs cvtres.exe to build the resource section, RESFFF0.tmp), and then executes the resulting tmpF69A.tmp.exe, passing its own path as an argument. Process IDs are taken from the WriteProcessMemory rows above.

C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe [pid 1988]
  "C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe [pid 4920]
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q7vwahnj.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [pid 512]
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC6C485993404432899F6A53CF6ECC178.TMP"

  C:\Users\Admin\AppData\Local\Temp\tmpF69A.tmp.exe [pid 4964]
    "C:\Users\Admin\AppData\Local\Temp\tmpF69A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
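The chain above (sample to vbc.exe to cvtres.exe, then sample to the dropped tmpF69A.tmp.exe) is what a detection for runtime compilation should key on, rather than on vbc.exe alone, which developer machines run legitimately. The Python below is an added example for this page, not code from the report or the sandbox: it rebuilds the parent/child tree from WriteProcessMemory rows in the format of the table in the Signatures section (sample rows and command lines constructed from this report) and flags a non-developer process that drives the VB.NET or C# compiler with a response file in the user's Temp directory and then launches a new .exe from the same directory. The developer-parent allow-list and the path patterns are assumptions for illustration.

```python
import re

# Constructed sample input, transcribed from this report's process tree and
# its "Suspicious use of WriteProcessMemory" rows (nine rows, three per edge).
SAMPLE = "92fa9c2214e60b9de229f3bd779c29834dac6f05f0d4b411416107e46840ea5a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMDLINES = {
    1988: rf'"{TEMP}\{SAMPLE}"',
    4920: rf'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"{TEMP}\q7vwahnj.cmdline"',
    512: rf'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
         rf'"/OUT:{TEMP}\RESFFF0.tmp" "{TEMP}\vbcC6C485993404432899F6A53CF6ECC178.TMP"',
    4964: rf'"{TEMP}\tmpF69A.tmp.exe" {TEMP}\{SAMPLE}',
}
WRITE_ROWS = (
    [f"PID 1988 wrote to memory of 4920 1988 {SAMPLE} vbc.exe"] * 3
    + ["PID 4920 wrote to memory of 512 4920 vbc.exe cvtres.exe"] * 3
    + [f"PID 1988 wrote to memory of 4964 1988 {SAMPLE} tmpF69A.tmp.exe"] * 3
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\d+\s+(\S+)\s+(\S+)$")
# Assumed allow-list and path patterns (illustrative).
COMPILERS = {"vbc.exe", "csc.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+)')


def build_tree(rows):
    """Derive parent->child edges from WriteProcessMemory rows.

    During CreateProcess the parent writes into the new child's address space,
    which is what these rows record. The same API is also used to inject into
    an already running process, so in a real pipeline confirm each target pid
    against process-creation events before trusting the edge.
    """
    parent, name = {}, {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst, src_name, dst_name = int(m[1]), int(m[2]), m[3], m[4]
        name.setdefault(src, src_name)
        name.setdefault(dst, dst_name)
        parent.setdefault(dst, src)  # repeated rows collapse to one edge
    return parent, name


def children(parent, pid):
    return [c for c, p in parent.items() if p == pid]


def image_path(cmdline):
    """First token of a command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def find_runtime_compile_chains(parent, name, cmdlines):
    """Flag a non-developer process driving vbc/csc with a response file in the
    user's Temp directory and then launching a fresh .exe from that directory."""
    findings = []
    for pid, ppid in parent.items():
        if name[pid].lower() not in COMPILERS or name[ppid].lower() in DEV_PARENTS:
            continue
        resp = RESPONSE_FILE.search(cmdlines.get(pid, ""))
        executed = []
        for sibling in children(parent, ppid):
            image = image_path(cmdlines.get(sibling, ""))
            if sibling != pid and image.lower().endswith(".exe") and USER_TEMP.match(image):
                executed.append(sibling)
        findings.append({
            "compiler_pid": pid,
            "parent_pid": ppid,
            "parent_image": image_path(cmdlines.get(ppid, "")),
            "response_file": resp.group(1) if resp else None,
            "response_in_temp": bool(resp and USER_TEMP.match(resp.group(1))),
            "links_resources": any(name[c].lower() == "cvtres.exe" for c in children(parent, pid)),
            "executed_output_pids": executed,
        })
    return findings


def analyse(rows=WRITE_ROWS, cmdlines=CMDLINES):
    parent, name = build_tree(rows)
    return parent, find_runtime_compile_chains(parent, name, cmdlines)


if __name__ == "__main__":
    tree, findings = analyse()
    print("edges:", tree)
    for finding in findings:
        print(finding)
```

On a real host the same chain is visible in Sysmon process-creation events (parent image, child image, command line); the response-file path and the sibling launched from Temp are the two fields that separate this from a build server invoking the same compiler.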
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RESFFF0.tmp
  Filesize: 1KB
  MD5: 95f2ec1c93d4aad5813558fea395956c
  SHA1: efd5a89d854b9801e0655a8a2e596c5f98f542f3
  SHA256: 9a70dd30231753ad17579013d0506682d1733a6b7738a35138c1e28470842f0f
  SHA512: 0db120d577ef797db741f2810afed2ddb49173abbaef4dba9b64cb1ba7d5af234bfe98be9c37b09917c20500e2803c7b3bd73ca547c640e729d59fedf21852b2

C:\Users\Admin\AppData\Local\Temp\q7vwahnj.0.vb
  Filesize: 85KB
  MD5: b7396f26ea95e1bf93beb2e306048ce8
  SHA1: f37ae83e9336f2c1ea666de6ce83bb25c2a46ca2
  SHA256: afc76454c7bf4561af36289ed86e7f70fb28a215fcc70dbb12a848a640a1d30a
  SHA512: d66dd754575acccc5d0143a0b84dbf40f11bff1c45b0eca177e1ff1adaabdeb09739f9775cd32b2a899a2e4f1a059fda970e89664204baa3b4a9724aead590e3

C:\Users\Admin\AppData\Local\Temp\q7vwahnj.cmdline
  Filesize: 266B
  MD5: d7acb7cf51ebfa78423ca4485fbb72eb
  SHA1: fb04d672d48fe7724448415407dc56f9e6021b59
  SHA256: fce482ec793d661a1132842d0456def8fe98eaf63861ada3b7743cb06120ffbf
  SHA512: e2caeaa21189594f6c5414f24f432382c3157ee7ab02a55107942add52355b051ce7d16d7fd16b5a503b6400fd9b5963b26acf3cfdaa2a27bc5a3e9f4e6bbc1a

C:\Users\Admin\AppData\Local\Temp\tmpF69A.tmp.exe
  Filesize: 105KB
  MD5: ba80dc36701859fe403b4aeebbd02df0
  SHA1: 0b7d9b944448ecb6a1ccef77dadd89a65093b93a
  SHA256: dfc0899d653f274c686b6d329684826c96ff41b7ffa44d1d1f2f80ff32cec8d4
  SHA512: 52b8f5260f21a157a0645b982396c5f63d81800f320d6582e595fa2bbad1c7cc63168ca6a41f539a5ab8bb4c2cccd6e61a2b2b41e5c6500f2e4a3c49d9b0dfff

C:\Users\Admin\AppData\Local\Temp\vbcC6C485993404432899F6A53CF6ECC178.TMP
  Filesize: 660B
  MD5: 03abed65c2108101b93e991ead7884cf
  SHA1: 02fec4050ef3b3458cc9e58ae2ce7bae0cb507e3
  SHA256: 084e26c8106c9d95f64f74f1bd4617eb42bac2aa7ceb818faabdec43ff434806
  SHA512: 3d4dac4f503c2c40842dcb932a8539d1fa53a6ce88555fcd614a6a78f020d9268529043295685a3d1669bfe9b5614e3781738104e5ba63125f78ace8153fac78

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: ab2ae34957da340df62e391e4c787903
  SHA1: bbc36baa919c8bd54848f942b1649085fc0e7f69
  SHA256: 9dab1334b4275bd3c2b051f79cc66eb8854f808eea4892617668c634842fe669
  SHA512: ff676f0ce26a2b867b2d37847fccdee6a25a99d3003490166673c8ba3048e79c50e9247ecd91287c638bfa42dc4e240df8ba076f6dc2b0a44b9f4fdc6c4941b3

memory/512-137-0x0000000000000000-mapping.dmp

memory/1988-132-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB

memory/1988-143-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB

memory/4920-133-0x0000000000000000-mapping.dmp

memory/4964-141-0x0000000000000000-mapping.dmp

memory/4964-144-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB

memory/4964-145-0x0000000075590000-0x0000000075B41000-memory.dmp
  Filesize: 5.7MB