Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 23:12

Static task: static1

Behavioral task: behavioral1
- Sample: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
- Resource: win10v2004-20240226-en
General
- Target: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
- Size: 78KB
- MD5: 4d58a1a717b57f8fd1a0e0b08e72d521
- SHA1: 3b12b2896e20274e18d71888f0eda019e96872bd
- SHA256: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8
- SHA512: d46d9fa56d0b1c044d7b12ba79bdb75e035b8fffca97872ca1a7a74041e7cc091e49a571fe8c1f57b547b5f264f573b4fd905411b21598e3815bc907f6d9f261
- SSDEEP: 1536:PPy5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96V9/n17mQ:PPy5jSen7N041Qqhga9/J
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in use since 2013.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe

- Executes dropped EXE (1 IoC)
  Processes: tmp3662.tmp.exe
  pid | process
  3316 | tmp3662.tmp.exe

- Uses the VBS compiler for execution (1 TTP)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: tmp3662.tmp.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp3662.tmp.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe, tmp3662.tmp.exe
  description | pid | process
  Token: SeDebugPrivilege | 3572 | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
  Token: SeDebugPrivilege | 3316 | tmp3662.tmp.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe, vbc.exe
  description | pid | process | target process
  PID 3572 wrote to memory of 1212 | 3572 | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | vbc.exe
  PID 3572 wrote to memory of 1212 | 3572 | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | vbc.exe
  PID 3572 wrote to memory of 1212 | 3572 | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | vbc.exe
  PID 1212 wrote to memory of 100 | 1212 | vbc.exe | cvtres.exe
  PID 1212 wrote to memory of 100 | 1212 | vbc.exe | cvtres.exe
  PID 1212 wrote to memory of 100 | 1212 | vbc.exe | cvtres.exe
  PID 3572 wrote to memory of 3316 | 3572 | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | tmp3662.tmp.exe
  PID 3572 wrote to memory of 3316 | 3572 | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | tmp3662.tmp.exe
  PID 3572 wrote to memory of 3316 | 3572 | 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe | tmp3662.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe (PID 3572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1212)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zr1cdr0h.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 100)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES372D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD82972DFEBE24FF6B44C1782B2A0A25C.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe (PID 3316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3662.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads