Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2022 09:22
Static task: static1
Behavioral task: behavioral1
  Sample: HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
  Resource: win10v2004-20220812-en
General
- Target: HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
- Size: 78KB
- MD5: f36c82d4adff5d05b7755ac1ce582be5
- SHA1: 9f5f2f973e6265a1558617182b3c0ed23ad98e5f
- SHA256: 04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb
- SHA512: 87526732cc047c8591855a5d346c4a89673c5dc11358cb192f8780f450561cc7eb0e93df9308b6c148e3f4688d328407d8b443313241030960b91a5a0321c1c9
- SSDEEP: 1536:2WV5Udy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt961M9/Ce19f:2WV5jn7N041QqhgGM9/C+
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Executes dropped EXE (1 IoC)
Processes:
  pid 4816  process tmp8794.tmp.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp8794.tmp.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 3708  process HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
  Token: SeDebugPrivilege  pid 4816  process tmp8794.tmp.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 3708 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of 4440 (vbc.exe)
  PID 3708 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of 4440 (vbc.exe)
  PID 3708 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of 4440 (vbc.exe)
  PID 4440 (vbc.exe) wrote to memory of 5088 (cvtres.exe)
  PID 4440 (vbc.exe) wrote to memory of 5088 (cvtres.exe)
  PID 4440 (vbc.exe) wrote to memory of 5088 (cvtres.exe)
  PID 3708 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of 4816 (tmp8794.tmp.exe)
  PID 3708 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of 4816 (tmp8794.tmp.exe)
  PID 3708 (HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe) wrote to memory of 4816 (tmp8794.tmp.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe (PID 3708, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4440, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\83yuyykm.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 5088, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8959.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB91B7C89CE0401CA65F72A10B9D34D.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp8794.tmp.exe (PID 4816, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8794.tmp.exe" C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-04140936a6dbdbcd0f6b9d0656625e9ea9eaee8a9c4a1f6c6ead1980376897fb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\83yuyykm.0.vb
  Filesize: 14KB
  MD5: 16381f0c010ff90456085ad2f546130c
  SHA1: 08501937f96a5ffddbb0ffc8c209166e613bcafd
  SHA256: 7d79b6678acbec389a23a4ff45dc314e0ec741036387bae63b842c739d24c3c1
  SHA512: 00778a6d118ca4ad7403e7a71cce83d2a43a549365cd41c59d93301794b98147a991ac01a61874619d796ace281263e2129912e971d11040d5c77dbf4b2f6b80
- C:\Users\Admin\AppData\Local\Temp\83yuyykm.cmdline
  Filesize: 266B
  MD5: 4ae00c3e7844bb86cf5e58f87d5a21ab
  SHA1: 0bcacfa47878f59ed42d71cbbc1e294884af2d08
  SHA256: 00246535f15967955cdbaf41e61bf566e1b334a6338e7f31c1338606f00fa902
  SHA512: 52e9d56145826f1bfa5a517e321125c0a10597f49ba1c7df16291e6d424f52e0cfaae5c6b276987c68657a001727cd300baf7290380eb378a71760dd0003150a
- C:\Users\Admin\AppData\Local\Temp\RES8959.tmp
  Filesize: 1KB
  MD5: 985530b9b1074272bafd87c0c0434851
  SHA1: c3e52529d0940d4e75f1e84e8a9ef66cc92b8e74
  SHA256: e12679d2b246c3fb5103ce90db8eceebc9ba8413a87a963c07d02b887faec17d
  SHA512: 5873ce405ae368635472f37cb2b0f87fe9305bfbb3b9f46e574c4b8baeff938005c2dbd45a283dea13721d3b2a034392c2f52efec113c126b349233d69e52ba4
- C:\Users\Admin\AppData\Local\Temp\tmp8794.tmp.exe
  Filesize: 78KB
  MD5: 1b0cb20996cb788f36faecda660795c8
  SHA1: 2353e4cd0c68f88fdc1e676d44bb34f8a9e2f13b
  SHA256: 7a90934ee04b8c84e23814ea9e6fafa5f23dab709905a968a3deec3b2c917eec
  SHA512: e3f851633105c17fad679dab3754c6105030195784a114cdeb0b799f307e7ca6754e5d6709ad2b26f3b4916c83597c802e5959553aa4a382c126ba9f7c5eb708
- C:\Users\Admin\AppData\Local\Temp\vbcBB91B7C89CE0401CA65F72A10B9D34D.TMP
  Filesize: 660B
  MD5: 4571e41d91dfe7bea8c7dad5d1b2d587
  SHA1: c4f7a251824e7622397cfce7be33b8e9a85c85a5
  SHA256: 4c6e918c3061a4d4ac1ef6e01d3b71295965f4cc8bd1a5dea50f60816aeacb66
  SHA512: d3167fbf459882531ff443740c9b7defec59c2b58f238f293e8436b12a0fe9f11b12a755448ba45375c212eae4962300790d0cb5cf98d0df4f04b4a6db2b49c8
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/3708-132-0x0000000074AC0000-0x0000000075071000-memory.dmp
  Filesize: 5.7MB
- memory/3708-143-0x0000000074AC0000-0x0000000075071000-memory.dmp
  Filesize: 5.7MB
- memory/4440-133-0x0000000000000000-mapping.dmp
- memory/4816-141-0x0000000000000000-mapping.dmp
- memory/4816-144-0x0000000074AC0000-0x0000000075071000-memory.dmp
  Filesize: 5.7MB
- memory/4816-145-0x0000000074AC0000-0x0000000075071000-memory.dmp
  Filesize: 5.7MB
- memory/5088-137-0x0000000000000000-mapping.dmp