Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 23:42
Static task: static1
Behavioral task: behavioral1
Sample: 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Resource: win10v2004-20240226-en
General
Target: 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Size: 78KB
MD5: eeec22974d525daca3a813ba47125c54
SHA1: a33269698deb6854a26c1caea8c285234083493a
SHA256: 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2
SHA512: 83f07410fa952aeffd0b982564cf7e3235fd2641eb4474879c344df9a43794e560bab99147918d515b202cfbf1bcefc748bacadb9fd922624facf203aa1bb838
SSDEEP: 1536:Xe58/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96O9/b1jR:Xe58en7N041Qqhgd9/T
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  Process: 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
  Description       | IoC                                                                                                              | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Deletes itself (1 IoC)
Processes:
  PID  | Process
  3032 | tmp56EA.tmp.exe
Executes dropped EXE (1 IoC)
Processes:
  PID  | Process
  3032 | tmp56EA.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Process: tmp56EA.tmp.exe
  Description     | IoC                                                                                                                                                                                    | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp56EA.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Processes: 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe, tmp56EA.tmp.exe
  Description             | PID  | Process
  Token: SeDebugPrivilege | 908  | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
  Token: SeDebugPrivilege | 3032 | tmp56EA.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  Processes: 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe, vbc.exe
  Description                  | PID  | Process                                                               | Target process
  PID 908 wrote to memory of 4720  | 908  | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | vbc.exe
  PID 908 wrote to memory of 4720  | 908  | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | vbc.exe
  PID 908 wrote to memory of 4720  | 908  | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | vbc.exe
  PID 4720 wrote to memory of 368  | 4720 | vbc.exe                                                               | cvtres.exe
  PID 4720 wrote to memory of 368  | 4720 | vbc.exe                                                               | cvtres.exe
  PID 4720 wrote to memory of 368  | 4720 | vbc.exe                                                               | cvtres.exe
  PID 908 wrote to memory of 3032  | 908  | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | tmp56EA.tmp.exe
  PID 908 wrote to memory of 3032  | 908  | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | tmp56EA.tmp.exe
  PID 908 wrote to memory of 3032  | 908  | 8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe | tmp56EA.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 908
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ycvwefbh.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 4720
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5890.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A670FCA7A334F54A44161660A0D9CB.TMP"
      PID: 368
  C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp56EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 3032
Network
MITRE ATT&CK Enterprise v15
Downloads