Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/03/2024, 18:43

Static task: static1

Behavioral task: behavioral1
  Sample: d43e10b4f39738f711608efe55db80cf.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: d43e10b4f39738f711608efe55db80cf.exe
  Resource: win10v2004-20240226-en
General
Target: d43e10b4f39738f711608efe55db80cf.exe
Size: 78KB
MD5: d43e10b4f39738f711608efe55db80cf
SHA1: ee82d6ff8cdc432179c21ef964f71e81098c02cf
SHA256: a4ff5b98b2f01d0678bff0de141944d1471ef3d95b1d9e312a2a5bf0ee2462fb
SHA512: 8341e61a701c5db30b6e7c901156398a922b2a7b5335c2e7eb76a8231588520d6fa2a7f8607fcfdcadc33f221787657c8abfc8c4d95900a3338247d15c442f10
SSDEEP: 1536:dPCHY6JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtS9/PL1QG:dPCHYOINSyRxvHF5vCbxwpI6WS9/P1
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation
  Process: d43e10b4f39738f711608efe55db80cf.exe

- Executes dropped EXE (1 IoC)
  pid: 1212
  Process: tmp596A.tmp.exe

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""
  Process: tmp596A.tmp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege   pid: 1936   Process: d43e10b4f39738f711608efe55db80cf.exe
  description: Token: SeDebugPrivilege   pid: 1212   Process: tmp596A.tmp.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                 procid_target
  PID 1936 wrote to memory of 4680   1936  d43e10b4f39738f711608efe55db80cf.exe    91
  PID 1936 wrote to memory of 4680   1936  d43e10b4f39738f711608efe55db80cf.exe    91
  PID 1936 wrote to memory of 4680   1936  d43e10b4f39738f711608efe55db80cf.exe    91
  PID 4680 wrote to memory of 924    4680  vbc.exe                                 93
  PID 4680 wrote to memory of 924    4680  vbc.exe                                 93
  PID 4680 wrote to memory of 924    4680  vbc.exe                                 93
  PID 1936 wrote to memory of 1212   1936  d43e10b4f39738f711608efe55db80cf.exe    95
  PID 1936 wrote to memory of 1212   1936  d43e10b4f39738f711608efe55db80cf.exe    95
  PID 1936 wrote to memory of 1212   1936  d43e10b4f39738f711608efe55db80cf.exe    95
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\d43e10b4f39738f711608efe55db80cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d43e10b4f39738f711608efe55db80cf.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1936

  (level 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbyydg8y.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 4680

    (level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA195D871E8C468AA42F3785781730FD.TMP"
      PID: 924

  (level 2) C:\Users\Admin\AppData\Local\Temp\tmp596A.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp596A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d43e10b4f39738f711608efe55db80cf.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 1212
Network
MITRE ATT&CK Enterprise v15