Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-04-2024 23:41

General

  • Target

    8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe

  • Size

    78KB

  • MD5

    8f304eb7a41b2b025542c43176604c9d

  • SHA1

    24ab6349bbfadfaac43607a25803152b3394c187

  • SHA256

    8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63

  • SHA512

    1b77ec6d35222fc88335a1821dc8eed7bb22ecc5054376f91c6053a38ac9f513e36088adf16a90ffc66271f0c8204cb5e38c31c3a2759dd1be87cd855a751d1d

  • SSDEEP

    1536:4HF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtep9/ju1t9:4HFq3Ln7N041Qqhgep9/E

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE (1 IoC)
  • Uses the VB.NET compiler (vbc.exe) for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
    "C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyqy0our.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES561A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DDD1E992346454CA33505975775733.TMP"
        3⤵
        PID:3600
    • C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3184
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2732 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1328
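The process tree above is the whole behaviour in one chain: the sample starts vbc.exe against a generated .cmdline response file, cvtres.exe links the resource object, and the compiler's output tmp43BB.tmp.exe is run with the original sample's path as its argument and adds a Run key. The Python below is an added example, not part of this sandbox report or of any vendor's rule set, that encodes that chain as detection logic over constructed Sysmon-style events (process creation, event ID 1; registry value set, event ID 13). The PIDs, image paths and command lines of the sample, vbc.exe, cvtres.exe and tmp43BB.tmp.exe are taken from the tree above; the explorer.exe parent, the MSBuild control case and the Run-key value name "Updater" are assumptions.

```python
"""Detection for the compile-then-run chain in the process tree (added example)."""
import ntpath
import re
from dataclasses import dataclass

COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive the .NET compilers. powershell.exe is listed
# because Add-Type compiles through csc.exe, a known noise source for this rule.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "w3wp.exe",
               "powershell.exe", "pwsh.exe"}
# Image path shape of the freshly compiled payload: %TEMP%\tmpXXXX.tmp.exe
TEMP_COMPILED_EXE = re.compile(
    r"\\appdata\\local\\temp\\tmp[0-9a-f]{1,4}\.tmp\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)


@dataclass
class ProcEvent:          # Sysmon event ID 1, reduced to the fields the rule needs
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:           # Sysmon event ID 13
    pid: int
    target: str           # registry value path
    details: str          # value data


def base(path):
    return ntpath.basename(path).lower()


def analyze(procs, regs):
    """Return (pid, finding, detail) tuples for:
    non-dev parent -> vbc/csc /noconfig @x.cmdline -> runs tmpXXXX.tmp.exe -> Run key."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    suspicious_parents = set()   # pids that spawned a compiler unexpectedly

    for p in procs:
        if base(p.image) in COMPILERS and "/noconfig @" in p.cmdline.lower():
            parent = by_pid.get(p.ppid)
            pbase = base(parent.image) if parent else "<unknown>"
            if pbase not in DEV_PARENTS:
                suspicious_parents.add(p.ppid)
                alerts.append((p.ppid, "runtime .NET compilation",
                               f"{pbase} (pid {p.ppid}) -> {base(p.image)} (pid {p.pid})"))

    for p in procs:
        if p.ppid in suspicious_parents and TEMP_COMPILED_EXE.search(p.image):
            alerts.append((p.pid, "executes freshly compiled payload from %TEMP%",
                           f"{base(p.image)} (pid {p.pid})"))

    flagged = {pid for pid, _, _ in alerts}
    for r in regs:
        if r.pid in flagged and RUN_KEY.search(r.target):
            alerts.append((r.pid, "Run-key persistence", f"{r.target} = {r.details}"))
    return alerts


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
PAYLOAD = TEMP + r"\tmp43BB.tmp.exe"

# Constructed telemetry modelled on the report. pid 1000 (explorer.exe) and the
# MSBuild control case (pids 5001/5002) are assumptions, not from the report.
PROC_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4760, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1368, 4760, VBC, f'"{VBC}" /noconfig @"{TEMP}\\cyqy0our.cmdline"'),
    ProcEvent(3600, 1368, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES561A.tmp" '
              f'"{TEMP}\\vbc2DDD1E992346454CA33505975775733.TMP"'),
    ProcEvent(3184, 4760, PAYLOAD, f'"{PAYLOAD}" {SAMPLE}'),
    ProcEvent(1328, 1000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "msedge.exe --type=utility"),                      # unrelated Edge helper
    ProcEvent(5001, 1000, r"C:\Program Files\MSBuild\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(5002, 5001, VBC, f'"{VBC}" /noconfig @"C:\\proj\\obj\\Debug\\x.cmdline"'),
]
REG_EVENTS = [
    # Value name "Updater" is hypothetical; the report only says pid 3184 added a Run key.
    RegEvent(3184, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             PAYLOAD),
]

if __name__ == "__main__":
    for pid, finding, detail in analyze(PROC_EVENTS, REG_EVENTS):
        print(f"[pid {pid}] {finding}: {detail}")
```

The allowlist is where the noise lives: PowerShell's Add-Type and ASP.NET's runtime page compilation both spawn the .NET compilers with a /noconfig @*.cmdline response file, so the rule keys on the parent rather than on vbc.exe alone. In this tree the parent is an executable running out of a user's Temp directory, which is the part worth alerting on even without the rest of the chain.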

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES561A.tmp
    Filesize: 1KB
    MD5: 23aba11312fc64602fae1b3d9449bce3
    SHA1: 702f838be4fabe8dedf7f0a085c806a4409d89b3
    SHA256: 1095943d15ed190532f3d1ecd2a3de4772327e6f50bc775e1c8b6bf84be6a491
    SHA512: 1089f7eb187f71f1f89e4b46e5655178a31fe550c8f11fc7f212fabbd3afef701c46932a0d8c2ad8b62e149dc53ad8536c8a3e6147678af6a654ed6c5475fc37

  • C:\Users\Admin\AppData\Local\Temp\cyqy0our.0.vb
    Filesize: 15KB
    MD5: e394a089d80d7505e9d3d9cb1d31f41a
    SHA1: 9cc39f2244a4220f45303b341b53a2f48436d3d8
    SHA256: 785508e544ff271aa897b9bc59e49295a621382303c7137097ca2574b0e655ff
    SHA512: 4c3d4cf22d189ca854118dad6a8c1f898d81a53ded79a24679e4c8cf27e1abf03965c1245e29f9c7dcdf9a077f6e69173bbdda6c3d72c4355cb995cf834ef4aa

  • C:\Users\Admin\AppData\Local\Temp\cyqy0our.cmdline
    Filesize: 266B
    MD5: f8a0667906b45d2fbc5fd33fb519dd01
    SHA1: e5d1602c62fba01637de9015e38f4ce55d047fde
    SHA256: 9284a13771d50275c304f907115c5a001193ecdbc2af0bd792c6350958ee4562
    SHA512: d19db76d8bf746edd070a4344a2944bbcf552e5e98f21a2f442c63abc121a8c0a2b3788c2302ac74613b42ba4cb275032a72de2daf36c92b05553abf4edfe35a

  • C:\Users\Admin\AppData\Local\Temp\tmp43BB.tmp.exe
    Filesize: 78KB
    MD5: baadfec4ac42a4b70900b8f795b4bced
    SHA1: 88da7a0fc8e9af20f1acb28df042415e3cb33c1c
    SHA256: 44127b1cee3e8eb74a8b8dcd870066208697848cd64ea7461c2a9ad25fa158f1
    SHA512: f75d8fcd815010b55a585c7e658e6ef966f8b77bb6420c8de890a20a2e9fa8d3cf1445621ced00e637bf8dbc03a2ec52c035e57839e7fc2fe48a30af8906dc3a

  • C:\Users\Admin\AppData\Local\Temp\vbc2DDD1E992346454CA33505975775733.TMP
    Filesize: 660B
    MD5: 1c431e049b7a49bff3b6557d3042b9b7
    SHA1: 6cb8a1fa6d78ddfc45d99a215745a7799f0251d0
    SHA256: 3764524d8e0eb1698dc71f8fa03da456cad42f664fd665d77f5126361850d4d5
    SHA512: 2ceb1eedcbaf1868c6320b9ca1ae5e2e6d90512c42fb09a888eae68c85bb2f4f71b0758f9417f6e38cc2b3e73db410af3007f9a33324e0d8afdc09957a7bd8c1

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: aa4bdac8c4e0538ec2bb4b7574c94192
    SHA1: ef76d834232b67b27ebd75708922adea97aeacce
    SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
    SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/1368-9-0x00000000022B0000-0x00000000022C0000-memory.dmp (64KB)
  • memory/3184-27-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/3184-26-0x0000000001820000-0x0000000001830000-memory.dmp (64KB)
  • memory/3184-32-0x0000000001820000-0x0000000001830000-memory.dmp (64KB)
  • memory/3184-31-0x0000000001820000-0x0000000001830000-memory.dmp (64KB)
  • memory/3184-30-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/3184-29-0x0000000001820000-0x0000000001830000-memory.dmp (64KB)
  • memory/3184-24-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/4760-8-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/4760-22-0x0000000000DD0000-0x0000000000DE0000-memory.dmp (64KB)
  • memory/4760-0-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/4760-25-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/4760-21-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/4760-1-0x0000000074FC0000-0x0000000075571000-memory.dmp (5.7MB)
  • memory/4760-2-0x0000000000DD0000-0x0000000000DE0000-memory.dmp (64KB)
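The dropped files listed under Downloads are what a responder would look for on disk: the compiled payload tmp43BB.tmp.exe, the compiler response file cyqy0our.cmdline, the generated VB.NET source cyqy0our.0.vb, the cvtres.exe input and output (vbc*.TMP, RES*.tmp) and the zCom.resources blob. The Python below is an added example, not part of this sandbox report, that walks a directory and reports two kinds of hit: an exact SHA256 match against the hashes in the list above, and a file name with the shape the vbc.exe compile leaves behind in %TEMP%. The name shapes are taken from the listing above; the demo() directory and its contents are constructed, and a hypothetical extra IOC hash is added for the constructed payload.bin so the hash path is exercised offline.

```python
"""Disk-side triage for the Downloads artefacts (added example)."""
import hashlib
import os
import re
import shutil
import tempfile

# SHA256 values copied from the Downloads section of the report.
REPORT_SHA256 = {
    "8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63": "submitted sample",
    "44127b1cee3e8eb74a8b8dcd870066208697848cd64ea7461c2a9ad25fa158f1": "tmp43BB.tmp.exe (compiled payload)",
    "785508e544ff271aa897b9bc59e49295a621382303c7137097ca2574b0e655ff": "cyqy0our.0.vb (generated VB.NET source)",
    "9284a13771d50275c304f907115c5a001193ecdbc2af0bd792c6350958ee4562": "cyqy0our.cmdline (compiler response file)",
    "d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430": "zCom.resources",
}

# Residue of an in-process compile, by shape: the random names differ per run,
# so hashes cannot be used for these and any CodeDOM compile produces the same set.
COMPILE_RESIDUE = re.compile(
    r"^(?:[a-z0-9_-]{8}\.(?:cmdline|0\.vb)"   # cyqy0our.cmdline, cyqy0our.0.vb
    r"|RES[0-9A-F]{4}\.tmp"                   # RES561A.tmp (cvtres output)
    r"|vbc[0-9A-F]+\.TMP"                     # vbc2DDD...733.TMP (cvtres input)
    r"|tmp[0-9A-F]{4}\.tmp\.exe)$",           # tmp43BB.tmp.exe (compiled payload)
    re.IGNORECASE)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(directory, known_sha256=REPORT_SHA256):
    """Return sorted (name, sha256, [reasons]) for every file worth a second look."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            digest = sha256_file(path)
            reasons = []
            if digest in known_sha256:
                reasons.append("hash match: " + known_sha256[digest])
            if COMPILE_RESIDUE.match(name):
                reasons.append("runtime-compile residue name")
            if reasons:
                hits.append((name, digest, reasons))
    return sorted(hits)


def demo():
    """Triage a constructed Temp directory; contents are not the real artefacts."""
    d = tempfile.mkdtemp()
    try:
        files = {
            "cyqy0our.cmdline": b"/t:exe /utf8output /nologo",   # constructed
            "RES561A.tmp": b"\x00" * 16,                           # constructed
            "tmp43BB.tmp.exe": b"MZ constructed, not the payload", # constructed
            "notes.txt": b"benign",                                # should stay quiet
            "payload.bin": b"constructed sample bytes",            # matched by hash below
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        known = dict(REPORT_SHA256)
        known[hashlib.sha256(files["payload.bin"]).hexdigest()] = "constructed IOC"
        return triage(d, known)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for name, digest, reasons in demo():
        print(f"{name}  {digest[:16]}...  {'; '.join(reasons)}")
```

Run triage() against the affected user's %LOCALAPPDATA%\Temp. A hash match is a hard indicator; a residue-name hit on its own only says that something compiled with vbc.exe or csc.exe, and needs the process chain (an unusual parent of the compiler) to confirm, since legitimate CodeDOM compiles leave the same file shapes.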