Analysis
-
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 08-04-2024 23:32
Static task: static1
Behavioral task: behavioral1
  Sample: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
  Resource: win10v2004-20240226-en
General
-
Target: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Size: 78KB
MD5: 5c31bc8753446e3b507dbfdee6d9270c
SHA1: 2469bb398e293b0c9be5585272e99837c2138b96
SHA256: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170
SHA512: 238e63ffb5e7231b968443edb19adc5e396e2ac30f514a52977c64806288170bd40f3d727b02eaf1ab5ddf927997e6d3fa14a263310d69cb46a511c74ca4f966
SSDEEP: 1536:kWV5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6i9/y1Fa:kWV5jSen7N041Qqhg69/j
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
-
Executes dropped EXE 1 IoCs
Processes: tmp3856.tmp.exe
pid | process
3404 | tmp3856.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: tmp3856.tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp3856.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe, tmp3856.tmp.exe
description | pid | process
Token: SeDebugPrivilege | 1712 | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Token: SeDebugPrivilege | 3404 | tmp3856.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe, vbc.exe
description | pid | process | target process
PID 1712 wrote to memory of 3984 | 1712 | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | vbc.exe
PID 1712 wrote to memory of 3984 | 1712 | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | vbc.exe
PID 1712 wrote to memory of 3984 | 1712 | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | vbc.exe
PID 3984 wrote to memory of 116 | 3984 | vbc.exe | cvtres.exe
PID 3984 wrote to memory of 116 | 3984 | vbc.exe | cvtres.exe
PID 3984 wrote to memory of 116 | 3984 | vbc.exe | cvtres.exe
PID 1712 wrote to memory of 3404 | 1712 | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | tmp3856.tmp.exe
PID 1712 wrote to memory of 3404 | 1712 | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | tmp3856.tmp.exe
PID 1712 wrote to memory of 3404 | 1712 | 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe | tmp3856.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
  -
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kp4hknof.cmdline"
    - Suspicious use of WriteProcessMemory
    PID:3984
    -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3930.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2B0129462DA4BD1B3DCA238031D365.TMP"
      PID:116
  -
  C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3856.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
-
Network
MITRE ATT&CK Enterprise v15
Downloads