Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 19:21
Static task: static1
Behavioral task: behavioral1
- Sample: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
- Resource: win10v2004-20240226-en
General
- Target: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
- Size: 78KB
- MD5: 489c28346117bff8775f7bc03e031a01
- SHA1: dfa5db753944597180ebff7bd4517ad5f0c5797b
- SHA256: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd
- SHA512: 70a8c4be0af7b41ad2cac2aa46ead0e5fae7142b1c131cfad2945199632c7ee3313e205595c417d35fc241b0ccd9c3d5079e7b482ca6723d877f525d6cd3bf28
- SSDEEP: 1536:qCHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtea9/Y1cY:qCHa3Ln7N041Qqhgea9/8
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
    process: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 3920: tmp6A14.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    process: tmp6A14.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege, pid 3576, process 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
  - description: Token: SeDebugPrivilege, pid 3920, process tmp6A14.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 3576 wrote to memory of 1472, pid 3576, 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe, target vbc.exe
  - PID 3576 wrote to memory of 1472, pid 3576, 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe, target vbc.exe
  - PID 3576 wrote to memory of 1472, pid 3576, 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe, target vbc.exe
  - PID 1472 wrote to memory of 4852, pid 1472, vbc.exe, target cvtres.exe
  - PID 1472 wrote to memory of 4852, pid 1472, vbc.exe, target cvtres.exe
  - PID 1472 wrote to memory of 4852, pid 1472, vbc.exe, target cvtres.exe
  - PID 3576 wrote to memory of 3920, pid 3576, 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe, target tmp6A14.tmp.exe
  - PID 3576 wrote to memory of 3920, pid 3576, 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe, target tmp6A14.tmp.exe
  - PID 3576 wrote to memory of 3920, pid 3576, 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe, target tmp6A14.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe (PID 3576, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1472, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oevv2rjk.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4852, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C97F8D52E904A318B5029819EB7D1A2.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe (PID 3920, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6A14.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads