Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 23:29
Static task: static1
Behavioral task: behavioral1
  Sample: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
  Resource: win10v2004-20240226-en
General
- Target: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
- Size: 78KB
- MD5: 180829ee3a299f96c653d968e820a5a7
- SHA1: 2608b66111143b1d64d80f8500d97071c427e875
- SHA256: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310
- SHA512: b7fe46eb13695c610913a3d29134cca0737ac83fab3bd3cdd70b0f68270854e3fe8347dd45bd6307c2106ece66da4eee95360f9e130a3bfbc882101f021f8a7d
- SSDEEP: 1536:s5jS9dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6J9/21kk:s5jSon7N041Qqhgx9/W
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
- Executes dropped EXE (1 IoCs)
  Processes: tmp4045.tmp.exe
  pid: 1596; process: tmp4045.tmp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: tmp4045.tmp.exe
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""; process: tmp4045.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe, tmp4045.tmp.exe
  description: Token: SeDebugPrivilege; pid: 2928; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
  description: Token: SeDebugPrivilege; pid: 1596; process: tmp4045.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe, vbc.exe
  description: PID 2928 wrote to memory of 868; pid: 2928; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe; target process: vbc.exe
  description: PID 2928 wrote to memory of 868; pid: 2928; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe; target process: vbc.exe
  description: PID 2928 wrote to memory of 868; pid: 2928; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe; target process: vbc.exe
  description: PID 868 wrote to memory of 1652; pid: 868; process: vbc.exe; target process: cvtres.exe
  description: PID 868 wrote to memory of 1652; pid: 868; process: vbc.exe; target process: cvtres.exe
  description: PID 868 wrote to memory of 1652; pid: 868; process: vbc.exe; target process: cvtres.exe
  description: PID 2928 wrote to memory of 1596; pid: 2928; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe; target process: tmp4045.tmp.exe
  description: PID 2928 wrote to memory of 1596; pid: 2928; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe; target process: tmp4045.tmp.exe
  description: PID 2928 wrote to memory of 1596; pid: 2928; process: 86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe; target process: tmp4045.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2928
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3fnb4f1j.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 868
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES417D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc707C5DB43C8D436793BBAA474F365DE5.TMP"
      PID: 1652
  - C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp4045.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 1596
Network
MITRE ATT&CK Enterprise v15
Downloads