Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 19-10-2023 17:09
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
Resource
win10v2004-20230915-en
General
Target: NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
Size: 78KB
MD5: 004c34856806b862f88d96f92c46ddb0
SHA1: 247e797d9e8f8e22a4856bffba868815539b8c2a
SHA256: 82034508e6639dcbf9bb36c028e7b35ad271779a242870a3839ee148b4ea9305
SHA512: 911274d17ca625b42944b6d4e5368c35e4696608203d76bfe2252a4e2d0eeb3582ed7e67a617ff1cfaa802dc998fb4321224009f0887913f2ee8bb0325e59999
SSDEEP: 1536:GPCHY6uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtx9/L1mr:GPCHYI3DJywQjDgTLopLwdCFJzx9/6
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access tool (RAT) that has been in circulation since 2013.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  process: NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe | description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE (1 IoC)
Processes:
  pid: 1688 | process: tmpFA3E.tmp.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege | pid: 4140 | process: NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
  description: Token: SeDebugPrivilege | pid: 1688 | process: tmpFA3E.tmp.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 4140 wrote to memory of 4508 | process: NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe | target process: vbc.exe (3 hits)
  PID 4508 wrote to memory of 3948 | process: vbc.exe | target process: cvtres.exe (3 hits)
  PID 4140 wrote to memory of 1688 | process: NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe | target process: tmpFA3E.tmp.exe (3 hits)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnqv9_a0.cmdline"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF3D484D85E4C119918FEF9FA804FE.TMP"
    [2] C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
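The process tree and the signatures above describe a chain that a host-based detection can key on: a parent running from %TEMP% invokes the .NET Visual Basic compiler (vbc.exe) with a response file in %TEMP%, then launches a freshly dropped %TEMP% executable and hands it the original sample's own path on the command line, while also querying the Geo\Nation registry value (the geofence lookup). The Python below is an added example, not part of this sandbox report or its tooling: it runs that detection logic over constructed Sysmon-style process-creation and registry events modelled on this report. The event field names, the launcher PPID 1234, and the finding labels are assumptions made for the example.

```python
"""Detection logic for the runtime-compile / dropped-exe / geofence chain seen in
this report, run over constructed Sysmon-style events. Added example only."""
import re

# Constructed sample events modelled on the process tree in the report.
# Field names (event, pid, ppid, image, cmdline, target) and the launcher
# ppid 1234 are assumptions for this example.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4140, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe"'},
    {"event": "RegistryQuery", "pid": 4140,
     "target": r"\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation"},
    {"event": "ProcessCreate", "pid": 4508, "ppid": 4140,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnqv9_a0.cmdline"'},
    {"event": "ProcessCreate", "pid": 3948, "ppid": 4508,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF3D484D85E4C119918FEF9FA804FE.TMP"'},
    {"event": "ProcessCreate", "pid": 1688, "ppid": 4140,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\NEAS.004c34856806b862f88d96f92c46ddb0_JC.exe'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Response file (@...cmdline) located under %TEMP%; vbc/csc read their
# full argument list from it, so the source path never appears on the command line.
TEMP_RESPONSE_FILE = re.compile(r'@"?[^"]*\\Temp\\[^"]*\.cmdline', re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
DOTNET_COMPILERS = ("vbc.exe", "csc.exe")


def basename(path):
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (finding, pid) tuples for the three behaviours, in event order."""
    procs = {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}
    findings = []
    for e in events:
        if e["event"] == "RegistryQuery" and GEO_NATION.search(e["target"]):
            # Reading the configured country code before doing anything else
            # is the classic geofence / victim-selection check.
            findings.append(("geofence_lookup", e["pid"]))
        if e["event"] != "ProcessCreate":
            continue
        parent = procs.get(e["ppid"])
        if parent is None:
            continue  # parent not in our window; nothing to correlate
        parent_in_temp = bool(TEMP_DIR.search(parent["image"]))
        image = basename(e["image"])
        # 1. A process living in %TEMP% compiles code at runtime via the
        #    framework compiler, feeding it a response file also in %TEMP%.
        if image in DOTNET_COMPILERS and parent_in_temp and TEMP_RESPONSE_FILE.search(e["cmdline"]):
            findings.append(("runtime_compile_from_temp", e["pid"]))
        # 2. A %TEMP% parent starts a different %TEMP% executable and passes
        #    its own path as an argument (the dropped binary gets told where
        #    the original sample lives).
        child_in_temp = bool(TEMP_DIR.search(e["image"]))
        if (parent_in_temp and child_in_temp
                and e["image"].lower() != parent["image"].lower()
                and parent["image"].lower() in e["cmdline"].lower()):
            findings.append(("dropped_exe_with_parent_path", e["pid"]))
    return findings


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The compiler rule deliberately ignores the cvtres.exe child: vbc.exe spawning cvtres.exe is how every Visual Basic build that embeds resources works, so on its own it carries no signal. What makes this chain suspicious is the parent, a binary in the user's Temp directory rather than a developer tool or build service, which is why the rule anchors on the parent's image path instead of the compiler.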
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESFDF7.tmp
Filesize: 1KB
MD5: f24fcde49b8134e463e320ce923824f8
SHA1: f922b1ef9431dcdbd7113483b46c9d98a40b047c
SHA256: e80e4638866646063287dcaa0f4fae6b7ef529f33d34c600f71ace0a948d10e8
SHA512: 9c8424d225b2287a92b3859970f7de1db1213e8775cb6adffd112f9cf49222022634decc7072a170f827f9ad7a10976653c6dcbe97f867bd47e3964adfdab7e1
-
C:\Users\Admin\AppData\Local\Temp\tmpFA3E.tmp.exe
Filesize: 78KB
MD5: b0c946eece54c09881aeebcf2627601f
SHA1: b932d3adb5b6c1f2d327c7ed968a46c1dec0e666
SHA256: f550664b295624b4df6d84311d64a1c5e5bff064612fc40c1b83722e70a81dbf
SHA512: e3b3bbca2774d59fefc09e48e474e1b2a9e21de773586132204875c71446fde93464106aa0271997e381ab5c2547b0d32e39bf5e20b5054a8edb879fa428fcee
-
C:\Users\Admin\AppData\Local\Temp\vbcFF3D484D85E4C119918FEF9FA804FE.TMP
Filesize: 660B
MD5: 747e6446aa2c5dd92fbbe7020e0b9da2
SHA1: 3a0e068bdcbca003a7af806af9d315969c2be3bc
SHA256: b11c951756fca5f4f0e693ad8174ac98dfdaafbae33f39611f1bacb65bb786dc
SHA512: 208331cadb681a753766a21002cd8185525a8f46897bda0b422bc3cc2985518cc77161cc313698f5f8baa53a8239ea7ab83db0a35c0e24e555b25d3b99437ffe
-
C:\Users\Admin\AppData\Local\Temp\vnqv9_a0.0.vb
Filesize: 15KB
MD5: c36a2d260e05a7b74d96ee36f35afab0
SHA1: 2e35ab7918a4e8128666437afa29838983098e50
SHA256: a3dceda8ee100a463ba5a2160528b8354e679d5df110b749762c909bcbe1ffee
SHA512: ddf2090b8b284f492f0d0f7293141626b09f879fdade1c7b8f4f8d6c11c930120ea5c76d1f7669434688cb5c7080e9876f5cc5b492e300b97c42a36180037dae
-
C:\Users\Admin\AppData\Local\Temp\vnqv9_a0.cmdline
Filesize: 266B
MD5: 92faac6945dc365074faf18a0d31d054
SHA1: 230c211395c3d3369e3660fcb55284f530e11df8
SHA256: 288dc07212640a56820e68c1589da0309544251377a396dcb92f18deaa1e96a9
SHA512: 2745a30a830871e2ee742c618e2f97bac8ce16582e97272649b8154df106ee35733f7afc4e3adbbcf0ce3841dcf670d6eaad2217d879fa90013626a0161306be
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
-
memory/1688-25-0x0000000075150000-0x0000000075701000-memory.dmp | Filesize: 5.7MB
memory/1688-23-0x00000000015D0000-0x00000000015E0000-memory.dmp | Filesize: 64KB
memory/1688-26-0x00000000015D0000-0x00000000015E0000-memory.dmp | Filesize: 64KB
memory/1688-27-0x00000000015D0000-0x00000000015E0000-memory.dmp | Filesize: 64KB
memory/1688-22-0x0000000075150000-0x0000000075701000-memory.dmp | Filesize: 5.7MB
memory/1688-24-0x0000000075150000-0x0000000075701000-memory.dmp | Filesize: 5.7MB
memory/4140-21-0x0000000075150000-0x0000000075701000-memory.dmp | Filesize: 5.7MB
memory/4140-0-0x0000000075150000-0x0000000075701000-memory.dmp | Filesize: 5.7MB
memory/4140-2-0x0000000001810000-0x0000000001820000-memory.dmp | Filesize: 64KB
memory/4140-1-0x0000000075150000-0x0000000075701000-memory.dmp | Filesize: 5.7MB
memory/4508-8-0x0000000002260000-0x0000000002270000-memory.dmp | Filesize: 64KB