271319b95a4992827b8aa1aef16e9d4bf3074e7e3444c7947881fd2ba4cdb8a0

Resubmissions

04-06-2023 23:32

230604-3jsr7seb32 8

04-06-2023 23:15

04-06-2023 23:14

04-06-2023 23:14

04-06-2023 23:11

Analysis

max time kernel
65s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Morpheus Crypter.exe
Size

1.4MB
MD5

1aa43e7d7e2e812792f06312db0757d8
SHA1

606a3060aac710287dd02b36b2999fecb9e67932
SHA256

894041eeb6bf1a9b30e3492c7effef36c7e7fe4c6369f52893ccf12cd01362ff
SHA512

8c148a5627e57e89209c17c96377d74130f3f780008830e0ecf75cff4666701d0521c8f3bcefd44148d564fc26f56ff39e794863d54af899fdcf935dea713121
SSDEEP

24576:ovtzecScg7UdHaebuoXlXNPiCXaRt1CGgJs3bO0Yts0POvlNQFfokUolc8VB/w/c:6tUEaSsf1LgJue0l8/w/c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Morpheus Crypter.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1760	0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	Morpheus Crypter.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe
4692	Morpheus Crypter.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	0.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1208	4692	Morpheus Crypter.exe	91
PID 4692 wrote to memory of 1208	4692	Morpheus Crypter.exe	91
PID 4692 wrote to memory of 1208	4692	Morpheus Crypter.exe	91
PID 4692 wrote to memory of 1760	4692	Morpheus Crypter.exe	92
PID 4692 wrote to memory of 1760	4692	Morpheus Crypter.exe	92

C:\Users\Admin\AppData\Local\Temp\Morpheus Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Morpheus Crypter.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.vbs"
  2⤵
  - Drops startup file
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\0.exe
  C:\Users\Admin\AppData\Local\Temp\0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
336KB

MD5
8c9cecc003fd20db07692b1420169263

SHA1
304bc1e3b76369a2aa0fbe2925efcf57fd38e637

SHA256
e76823193642772db1a03757088624cfe059c047f0f064792c873876d75ba99c

SHA512
99cd19d27f8ea9681834d4d7bb74f3b09ae0d505006daed2c7788b91df5f1a50c020271625754d698413dfa2bece470775953bd58c5e9fdda1d1269ddd71c70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.exe

Filesize
336KB

MD5
8c9cecc003fd20db07692b1420169263

SHA1
304bc1e3b76369a2aa0fbe2925efcf57fd38e637

SHA256
e76823193642772db1a03757088624cfe059c047f0f064792c873876d75ba99c

SHA512
99cd19d27f8ea9681834d4d7bb74f3b09ae0d505006daed2c7788b91df5f1a50c020271625754d698413dfa2bece470775953bd58c5e9fdda1d1269ddd71c70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\S-1-5-21-2275444769-3691835758-4097679484-1000.lnk

Filesize
1KB

MD5
43d9772420c87dbb21d3254e35cd2e58

SHA1
905ed7b215f0c4dd138b658a3f76f7079d10e55f

SHA256
a6da8adfe099eb7cd37b5a55ecd17af9a22b902d5edda328bdee00134307047d

SHA512
88ef4cfa1c45ce7a1ad4a5ebea8975efebc491f1eeefa264877437a967ca7d463083eb532942b8ed6f9c4045fa0aef645c97c287de82c3aacc35791d03908d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.vbs

Filesize
295B

MD5
b669febf83c149e52e8738222baa393f

SHA1
06b7f8ab3af7bc9d9ea981c80d5c719514048450

SHA256
3411c6eda97d24e172f53e50295bb39079a2993aab322c71ea41cc3a55084f4b

SHA512
0d0abfeeacd1983073500435385e0a685b1d7e28195b1de0cd1a9ec8a48e9a31f9afdca3e0c71e2fd37ede39e5da12ade1f664a582fca1c02ace121479ea2dc5

Download Submit
memory/1760-154-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/1760-160-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/1760-159-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/1760-158-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/1760-157-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/1760-156-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/1760-155-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/1760-153-0x0000000000E10000-0x0000000000E6C000-memory.dmp

Filesize
368KB

Download
memory/4692-145-0x0000000002F40000-0x0000000003035000-memory.dmp

Filesize
980KB

Download
memory/4692-152-0x0000000002F40000-0x0000000003035000-memory.dmp

Filesize
980KB

Download
memory/4692-134-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4692-135-0x0000000002570000-0x0000000002665000-memory.dmp

Filesize
980KB

Download
memory/4692-133-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4692-144-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/4692-136-0x0000000002F40000-0x0000000003035000-memory.dmp

Filesize
980KB

Download