Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-12-2022 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
  Resource: win10v2004-20220812-en
General
- Target: HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
- Size: 78KB
- MD5: f36c82d4adff5d05b7755ac1ce582be5
- SHA1: 9f5f2f973e6265a1558617182b3c0ed23ad98e5f
- SHA256: 04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb
- SHA512: 87526732cc047c8591855a5d346c4a89673c5dc11358cb192f8780f450561cc7eb0e93df9308b6c148e3f4688d328407d8b443313241030960b91a5a0321c1c9
- SSDEEP: 1536:2WV5Udy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961M9/Ce19f:2WV5jn7N041QqhgGM9/C+
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    536  tmp14AA.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1768  HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
    1768  HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    Process: tmp14AA.tmp.exe
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1768  HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
    Token: SeDebugPrivilege  536   tmp14AA.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 1316 (vbc.exe)
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 1316 (vbc.exe)
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 1316 (vbc.exe)
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 1316 (vbc.exe)
    PID 1316 (vbc.exe) wrote to memory of PID 1812 (cvtres.exe)
    PID 1316 (vbc.exe) wrote to memory of PID 1812 (cvtres.exe)
    PID 1316 (vbc.exe) wrote to memory of PID 1812 (cvtres.exe)
    PID 1316 (vbc.exe) wrote to memory of PID 1812 (cvtres.exe)
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 536 (tmp14AA.tmp.exe)
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 536 (tmp14AA.tmp.exe)
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 536 (tmp14AA.tmp.exe)
    PID 1768 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of PID 536 (tmp14AA.tmp.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\af0tiygb.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc15E2.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES15E3.tmp
  Filesize: 1KB
  MD5: 5ff031bedb8cb05b50afda0fe53136dd
  SHA1: 501b0e798e8acf9db80bdcfcb5d1f85111bee751
  SHA256: 575c8484e24272fef3eacdffb9d5e42c6203a997633d8368467fc81ca3d40996
  SHA512: e8bbdea7f84515cd7bd00e7ba4d0e791fc34e59ff9e747a7d1382dd30c5534418901a0ff9944fcf0ba86ca61bad1a01d4e763f583a70cded1ebfabb720924577
- C:\Users\Admin\AppData\Local\Temp\af0tiygb.0.vb
  Filesize: 14KB
  MD5: ba6835f3cd93b1dbdb8b05dc7f11f361
  SHA1: 6abc993af64aa6646a4571c0d3388946960d34eb
  SHA256: edb60630815c54ef79a3fcce17be9a45d30497c53118bd3eb897ac30e148b059
  SHA512: 0f684b3509b721f5281395b6e43fb2f180319afe4547d606e68e11079ef0c24e70f7c94c14e82fadb93c9b475a361b8b1acc8c51025a868bdc4a2f28f0fcc109
- C:\Users\Admin\AppData\Local\Temp\af0tiygb.cmdline
  Filesize: 266B
  MD5: d591e25bd56e6c8e0f156bc38e141a32
  SHA1: acf96a7487f8872afce3dc993127ba5ffba59fe6
  SHA256: 7e142523010f35dfc65f9dc83cbe7eda423e89f83571c15015ea9b4b0b484835
  SHA512: 16c806a5c2726d9f38a9ee62c90a8beb84aebc2ed9ff1c0bae6bed6c32d145c6060aad4dacf6bfd0c6cd54fc5d1235a51829e17570d3b563fdc64d948544a375
- C:\Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe
  Filesize: 78KB
  MD5: 783068f8d48d40b0b798ae30028ac262
  SHA1: 4eb29662ae7d23f3f33208992e514d4de0f425f1
  SHA256: 69766499e2f46f9d26989db3cbfaef3bcd80ed6f7bbf1081ff5668fd6cf7bb57
  SHA512: d8eb39dd6c1cbad75904a2196c4571aa480f4874fc3f4045a738175709150dd694a3156e70236c57c77c7a115fe1d895f233ba761c2ef8471b0a25f75ebbf167
- C:\Users\Admin\AppData\Local\Temp\vbc15E2.tmp
  Filesize: 660B
  MD5: fbd0c0d328ce41e9bf33d04f4314fdfd
  SHA1: 62558a3649b19f6d7850984f6bb8d146c40b2e19
  SHA256: cdbee4085a143ee4cf89a9984edfa7adb5b3122d373e955f1bfc4203d44ae0d3
  SHA512: a967ddbde4076a6fbc2b22c69cbf48fd54cae0c87c4fa570dce2ca373b5a7e0986fa76f56bf8682f040e938e3fe80b0f540f72cb657039af1e2babe770b1759c
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- \Users\Admin\AppData\Local\Temp\tmp14AA.tmp.exe
  Filesize: 78KB
  MD5: 783068f8d48d40b0b798ae30028ac262
  SHA1: 4eb29662ae7d23f3f33208992e514d4de0f425f1
  SHA256: 69766499e2f46f9d26989db3cbfaef3bcd80ed6f7bbf1081ff5668fd6cf7bb57
  SHA512: d8eb39dd6c1cbad75904a2196c4571aa480f4874fc3f4045a738175709150dd694a3156e70236c57c77c7a115fe1d895f233ba761c2ef8471b0a25f75ebbf167
- memory/536-65-0x0000000000000000-mapping.dmp
- memory/536-69-0x0000000073F00000-0x00000000744AB000-memory.dmp
  Filesize: 5.7MB
- memory/536-70-0x0000000000AD5000-0x0000000000AE6000-memory.dmp
  Filesize: 68KB
- memory/536-71-0x0000000073F00000-0x00000000744AB000-memory.dmp
  Filesize: 5.7MB
- memory/1316-55-0x0000000000000000-mapping.dmp
- memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp
  Filesize: 8KB
- memory/1768-68-0x0000000073F00000-0x00000000744AB000-memory.dmp
  Filesize: 5.7MB
- memory/1812-59-0x0000000000000000-mapping.dmp