Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
28-12-2022 09:22
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
Resource
win10v2004-20221111-en
General
-
Target
HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
-
Size
78KB
-
MD5
c81293ebc99a7ae9d05ce8578d706985
-
SHA1
8e2fca3d280fa5d20da7313a60dc73c32cdfcadb
-
SHA256
f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541
-
SHA512
295e5d1e6c46695bea6fb73249d8f92c72893ba5af76b782dcd0ded37df389e803c8812465053961d48665a0676b8697428ca5ed8dfd69e5f69b5cff8c04f5f8
-
SSDEEP
1536:KRWV5j+dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96jT9/Kf1Gpg:KRWV5jJn7N041Qqhg6T9/3m
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access trojan that has been in circulation since 2013.
-
Executes dropped EXE 1 IoCs
Processes:
tmp81ED.tmp.exe (pid 1096) -
Deletes itself 1 IoCs
Processes:
tmp81ED.tmp.exe (pid 1096) -
Loads dropped DLL 2 IoCs
Processes:
HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe (pid 1148), 2 loads -
Uses the Visual Basic .NET compiler (vbc.exe, not the VBScript engine) for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp81ED.tmp.exe (pid 1096): Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" (value data includes the surrounding quotes) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe (pid 1148): Token: SeDebugPrivilege
tmp81ED.tmp.exe (pid 1096): Token: SeDebugPrivilege -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 1148 (HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe) wrote to memory of PID 1640 (vbc.exe), 4 times
PID 1640 (vbc.exe) wrote to memory of PID 980 (cvtres.exe), 4 times
PID 1148 (HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe) wrote to memory of PID 1096 (tmp81ED.tmp.exe), 4 times
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe (pid 1148)
    Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (pid 1640)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ozijhnt1.cmdline"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (pid 980)
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89D9.tmp"
    [2] C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe (pid 1096)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-f3d4c4142c30851be34e84e9329b4b4aa2f1232bec7ed1e44a7829237b336541.exe
        - Executes dropped EXE
        - Deletes itself
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
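The chain above (a Temp-resident dropper driving vbc.exe and cvtres.exe, then launching the freshly built tmp81ED.tmp.exe with the dropper's own path as its argument, which in turn writes a Run value pointing into Temp) is easier to catch on the relationships between processes than on any one file hash. The following Python is an added example, not part of the sandbox report or of the sample: it runs four heuristics over constructed Sysmon-style process-creation and registry events modelled on the tree above. PIDs are reused from the report; the dropper is renamed dropper.exe, the SID is a placeholder, and the DEV_PARENTS allow-list is an assumption, not a vetted list.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    """Minimal Sysmon-style event: kind is 'process' (EID 1) or 'registry' (EID 13)."""
    kind: str
    pid: int
    image: str
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""     # registry value path (registry events only)
    details: str = ""    # registry value data (registry events only)


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
VBC_IMAGE = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\vbc\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumed allow-list of parents for which an on-the-fly vbc.exe compile is expected.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every event matching one of the four heuristics."""
    findings = []
    for e in events:
        if e.kind == "process":
            # 1. vbc.exe invoked with a response file by something other than a build tool.
            if (VBC_IMAGE.search(e.image) and "/noconfig" in e.cmdline.lower()
                    and basename(e.parent_image) not in DEV_PARENTS):
                findings.append(("runtime_compile_from_nondev_parent", e.pid))
            # 2. An executable in %TEMP% launching another executable in %TEMP%.
            if TEMP_DIR.search(e.image) and TEMP_DIR.search(e.parent_image):
                findings.append(("temp_exe_spawns_temp_exe", e.pid))
            # 3. Heuristic: a dropped binary handed its dropper's path on the command
            #    line, the pattern behind the "Deletes itself" signature in the report.
            if (TEMP_DIR.search(e.image) and e.parent_image
                    and e.parent_image.lower() in e.cmdline.lower()
                    and basename(e.image) != basename(e.parent_image)):
                findings.append(("dropped_exe_receives_dropper_path", e.pid))
        elif e.kind == "registry":
            # 4. A Run value whose data points into %TEMP%.
            if RUN_KEY.search(e.target) and TEMP_DIR.search(e.details):
                findings.append(("run_key_points_to_temp", e.pid))
    return findings


# Constructed sample events modelled on the report's process tree (not sandbox output).
SAMPLE_EVENTS = [
    # Dropper launched from Explorer.
    Event("process", 1148, r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
          r"C:\Windows\explorer.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\dropper.exe"'),
    # Dropper compiles a payload with vbc.exe from a response file.
    Event("process", 1640, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
          r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ozijhnt1.cmdline"'),
    # vbc.exe spawns cvtres.exe to build the resource section (normal compiler behaviour).
    Event("process", 980, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
          r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
          r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc89D9.tmp"'),
    # Freshly compiled binary is run with the dropper's own path as its argument.
    Event("process", 1096, r"C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe",
          r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dropper.exe'),
    # Persistence: Run value pointing into %TEMP% (SID is a placeholder).
    Event("registry", 1096, r"C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe",
          target=r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
          details=r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'),
    # Benign control: Visual Studio invoking vbc.exe the same way must not fire.
    Event("process", 4000, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
          r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\build\app.cmdline"'),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Two points worth noting when tuning this against real telemetry. The report's WriteProcessMemory entries come in groups of four per parent/child pair and line up exactly with the three process creations in the tree, so on their own they carry little signal; the rules key on parent, child and command-line relationships instead. And the Run value's target, AppLaunch.exe, is not among the files listed under Downloads, so the persistence rule matches on the Temp path rather than on a file name.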
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES89EA.tmp
Filesize 1KB
MD5 8ff3120db423ad83d9e57c8b20870b93
SHA1 4e7cba613ae784a4a0d70dea53eb0682feaf87b6
SHA256 65393a6827769552d7b3d1abaeac83d51fd38d4ae1b8840a42f68b062085acdd
SHA512 894cb1b9adb852eb3b99d426c69a4f378e778f7b33001c80546d3042c0689803ef1ecb93fab53d3a39c7a99db25ad7409c630849d4435403476d3d5f092b205a
-
C:\Users\Admin\AppData\Local\Temp\ozijhnt1.0.vb
Filesize 14KB
MD5 025bada906c8c3001a6232499df55798
SHA1 9ef56c31a01997464fce984ba5b6fd7324b655d0
SHA256 65dccd8bdbcdf22b35bc3470965eaad77a8a50792dd777cb331095832d557c84
SHA512 5de7bcacdefc60ba52a6d0935e305771656becb123d651fa2acc72c867c3d2168c6e26cc30414bc06a7f03df9cdd1472a5fb67a8bcd5322334477e9b1a1867c5
-
C:\Users\Admin\AppData\Local\Temp\ozijhnt1.cmdline
Filesize 266B
MD5 2cf51b0ea0cf97856ff7f9d809347c88
SHA1 49e9e40ad6fcd8de507a46e19caa9cd90253d444
SHA256 b435a8f26b8622de42ceb6699e248157fb2b928a2770b1c8de3aef04616cda19
SHA512 366850e1293baaa43d81bdaa8544ba5ab146afe97732d34300d851602f01a30276f6054d33153e46bdf8da0f0e1b9399fc7c7384b154d5a057bed29b42efde00
-
C:\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe
Filesize 78KB
MD5 879ffd45cdf2723fa3dc5e50ee4c60a6
SHA1 da4dd30739e5e285df46f8f62f564cb1959751dc
SHA256 5e2b1ccd98ce596c989d9cf9757aa65bf91a7ce13b0e0997f24339df120da828
SHA512 984408a0c371b3b73c6a47d18c2dd00fc314ba47c4ae46d12cb9a9e5229b70aa43de6f644d98f1ecdac4491b415fb6ca91549cbf1a6d688c25ffb4df1ca2e238
-
C:\Users\Admin\AppData\Local\Temp\vbc89D9.tmp
Filesize 660B
MD5 58f96ca60bd0009bb1f45b847fb6820c
SHA1 bfafbc2617585c3d10b3d37d2dc4000fba4be234
SHA256 0e0c7f5bafda7b5356bdf3bd4c5f7ff1da585be428ed57be26b8f86e6da67cb1
SHA512 34a474ae13cfad9d5102d127463c79babe97bd846b10b8f34c87385c64411b30c4634d57f0d297dc005bf4b1cc5b165fefa64f7c7b96c0f8dd99c5210d50417d
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize 62KB
MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
-
\Users\Admin\AppData\Local\Temp\tmp81ED.tmp.exe
Filesize 78KB
MD5 879ffd45cdf2723fa3dc5e50ee4c60a6
SHA1 da4dd30739e5e285df46f8f62f564cb1959751dc
SHA256 5e2b1ccd98ce596c989d9cf9757aa65bf91a7ce13b0e0997f24339df120da828
SHA512 984408a0c371b3b73c6a47d18c2dd00fc314ba47c4ae46d12cb9a9e5229b70aa43de6f644d98f1ecdac4491b415fb6ca91549cbf1a6d688c25ffb4df1ca2e238
-
memory/980-60-0x0000000000000000-mapping.dmp
-
memory/1096-66-0x0000000000000000-mapping.dmp
-
memory/1096-70-0x0000000074550000-0x0000000074AFB000-memory.dmp
Filesize 5.7MB
-
memory/1096-71-0x0000000074550000-0x0000000074AFB000-memory.dmp
Filesize 5.7MB
-
memory/1096-72-0x0000000000A25000-0x0000000000A36000-memory.dmp
Filesize 68KB
-
memory/1148-55-0x0000000074550000-0x0000000074AFB000-memory.dmp
Filesize 5.7MB
-
memory/1148-54-0x0000000075041000-0x0000000075043000-memory.dmp
Filesize 8KB
-
memory/1148-69-0x0000000074550000-0x0000000074AFB000-memory.dmp
Filesize 5.7MB
-
memory/1640-56-0x0000000000000000-mapping.dmp