Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 23:44
Static task: static1
Behavioral task: behavioral1
  Sample: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  Resource: win10v2004-20240226-en
General
Target: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
Size: 78KB
MD5: 3d65702331cd2e0767e4cf1a74e771f7
SHA1: 053b182c01151a3f5ddec67c1ef8693a7be3973e
SHA256: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87
SHA512: 60621e9157d0baf8260c5ab039ba9f958434b3c33fc2ae1f464599b447d5db34c7221921294aeef162fa392323e189d3c0c4f1b1a1c75d876c8b5427cff9eda3
SSDEEP: 1536:1uHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteP9/p1DB:1uHY53Ln7N041QqhgeP9/h
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
  process: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe

Executes dropped EXE (1 IoC)
Processes:
  pid 4600: tmp34DB.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp34DB.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, pid 804, 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  Token: SeDebugPrivilege, pid 4600, tmp34DB.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
  PID 804 wrote to memory of 4880, pid 804, 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe, vbc.exe
  PID 804 wrote to memory of 4880, pid 804, 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe, vbc.exe
  PID 804 wrote to memory of 4880, pid 804, 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe, vbc.exe
  PID 4880 wrote to memory of 2424, pid 4880, vbc.exe, cvtres.exe
  PID 4880 wrote to memory of 2424, pid 4880, vbc.exe, cvtres.exe
  PID 4880 wrote to memory of 2424, pid 4880, vbc.exe, cvtres.exe
  PID 804 wrote to memory of 4600, pid 804, 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe, tmp34DB.tmp.exe
  PID 804 wrote to memory of 4600, pid 804, 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe, tmp34DB.tmp.exe
  PID 804 wrote to memory of 4600, pid 804, 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe, tmp34DB.tmp.exe
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 804

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddglcxwe.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 4880

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F84368D210E4E029B5D84B929A52DF3.TMP"
      PID: 2424

  C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp34DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 4600
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 4e4c45855113bfa9cf727f19180525f9
SHA1: be0632b96e3267da2a5cd6b0b48f117b4ac4687b
SHA256: 52f18438132d0966aecc70f897ca9e78a10da47de2c12c19029f6e1fc6aa0339
SHA512: b6890346523c8cd9555d95a53f77dfd450acab1ca3a144335899ec5a2bfc4b4c01493f041ade2e547ad41e11705eb87e1c491bff351d3d33c31dd7fc2786632b

Filesize: 15KB
MD5: b6bce926908a01ece9b6de39285be9b9
SHA1: 0a86934ed6e6ae324dc1107b6dfac0ad18586f97
SHA256: 3368c8b0790c6d346a140c9c43dcd7d704edf413b01860637eb7b8b0dfb3fddc
SHA512: d9ba3c3aac1d1632cdcb8b7e7a0e30ffa25c1ec16e0e4b40060579115c44986cbcb552c6c4ae409445ddc463eafc8f188abaee586fb6ba1b88281793f2bd638a

Filesize: 266B
MD5: 93f2eedf98b511ba9ed00a284c371a72
SHA1: 64ff826407fde0e5f3f5adea6929754b927e6165
SHA256: 9a1fb164316694b505063905c15009c63ba46ef21d7d6c27cd9c82510cc145e3
SHA512: af05cdce73aac71c031d75af32a36bb66517c0a0b07b8d1f905b02bae2961947caff06642b2bb461f9163d9771621fa13ca09688ec2af0d0d6fa50b0bc7a9836

Filesize: 78KB
MD5: aac5b67d3ffcdd026b31d44ed2db52c0
SHA1: 20044222554068c3846a0d2a84084f73fb812506
SHA256: 3ba73a85c5df4b31cef0a72cd06a563dcfe20dd422cd0543427f2cc15cb0b068
SHA512: d68ebcdae22f68b9e4e5cd7cd91002367f09d23278aba11c851e9aff42e050d9007b8752e90575959516d3eb0f9e337c79d9dc44e5e90652c550eb037a436497

Filesize: 660B
MD5: 41a871d670dcf8c8853b894e48a9f48c
SHA1: f0a780473d149682d295f6e4164af9321de3ec1a
SHA256: d6421b6846daf19ae8c7abc8b3ce1b747217bc7b7081d744eee9ba499d6c9a23
SHA512: 639dc81fcac3ba4378aaeeb147b808c4725e741b6002c83ed09a1b546552c8d2a8ec018948d24c25e5217a4bb8b5939f8a3c951bf37dc711b30aa1356ba3008d

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65