Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 23:41
Static task: static1
Behavioral task: behavioral1
- Sample: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
- Resource: win10v2004-20240226-en
General
- Target: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
- Size: 78KB
- MD5: 8f304eb7a41b2b025542c43176604c9d
- SHA1: 24ab6349bbfadfaac43607a25803152b3394c187
- SHA256: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63
- SHA512: 1b77ec6d35222fc88335a1821dc8eed7bb22ecc5054376f91c6053a38ac9f513e36088adf16a90ffc66271f0c8204cb5e38c31c3a2759dd1be87cd855a751d1d
- SSDEEP: 1536:4HF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtep9/ju1t9:4HFq3Ln7N041Qqhgep9/E
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
    process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
- Executes dropped EXE (1 IoC)
  Processes: tmp43BB.tmp.exe
    pid: 3184
    process: tmp43BB.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: tmp43BB.tmp.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    process: tmp43BB.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe, tmp43BB.tmp.exe
    description: Token: SeDebugPrivilege; pid: 4760; process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
    description: Token: SeDebugPrivilege; pid: 3184; process: tmp43BB.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe, vbc.exe
    PID 4760 wrote to memory of 1368; pid: 4760; process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe; target process: vbc.exe
    PID 4760 wrote to memory of 1368; pid: 4760; process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe; target process: vbc.exe
    PID 4760 wrote to memory of 1368; pid: 4760; process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe; target process: vbc.exe
    PID 1368 wrote to memory of 3600; pid: 1368; process: vbc.exe; target process: cvtres.exe
    PID 1368 wrote to memory of 3600; pid: 1368; process: vbc.exe; target process: cvtres.exe
    PID 1368 wrote to memory of 3600; pid: 1368; process: vbc.exe; target process: cvtres.exe
    PID 4760 wrote to memory of 3184; pid: 4760; process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe; target process: tmp43BB.tmp.exe
    PID 4760 wrote to memory of 3184; pid: 4760; process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe; target process: tmp43BB.tmp.exe
    PID 4760 wrote to memory of 3184; pid: 4760; process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe; target process: tmp43BB.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4760
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyqy0our.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 1368
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES561A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DDD1E992346454CA33505975775733.TMP"
      PID: 3600
  - C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2732 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
  PID: 1328
Network
MITRE ATT&CK Enterprise v15
Downloads