Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 02:41
Static task: static1
Behavioral task: behavioral1
  Sample: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
  Resource: win10v2004-20231215-en
General
Target: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Size: 78KB
MD5: d08ed2cff94b42f8b2566188416e4a9e
SHA1: a7e15b6bfa3924b4b9ce5f5a3659bcddf87bb17e
SHA256: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112
SHA512: 48f8c248c805a1e1eb81d566d728bef196caace675a9ff140814bd1e6c6cb284ea0ed953860e1fd4c01387431215eb853f85fad4479b0d1526bcddf6317e8715
SSDEEP: 1536:We5kdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6at9/H1en:We5Tn7N041Qqhg+9/G
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  process: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe

Deletes itself (1 IoC)
Processes: tmp4E6E.tmp.exe
  pid: 2056
  process: tmp4E6E.tmp.exe

Executes dropped EXE (1 IoC)
Processes: tmp4E6E.tmp.exe
  pid: 2056
  process: tmp4E6E.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: tmp4E6E.tmp.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp4E6E.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe, tmp4E6E.tmp.exe
  description | pid | process
  Token: SeDebugPrivilege | 3300 | ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
  Token: SeDebugPrivilege | 2056 | tmp4E6E.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe, vbc.exe
  description | pid | process | target process
  PID 3300 wrote to memory of 4856 | 3300 | ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | vbc.exe
  PID 3300 wrote to memory of 4856 | 3300 | ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | vbc.exe
  PID 3300 wrote to memory of 4856 | 3300 | ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | vbc.exe
  PID 4856 wrote to memory of 3828 | 4856 | vbc.exe | cvtres.exe
  PID 4856 wrote to memory of 3828 | 4856 | vbc.exe | cvtres.exe
  PID 4856 wrote to memory of 3828 | 4856 | vbc.exe | cvtres.exe
  PID 3300 wrote to memory of 2056 | 3300 | ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | tmp4E6E.tmp.exe
  PID 3300 wrote to memory of 2056 | 3300 | ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | tmp4E6E.tmp.exe
  PID 3300 wrote to memory of 2056 | 3300 | ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe | tmp4E6E.tmp.exe
Processes (process tree; the number after each entry is its depth)
1. C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"
   PID: 3300
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wa1znmbw.cmdline"
      PID: 4856
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADF8DC2A6F2A49C7A5B59E64137EC06C.TMP"
         PID: 3828
   2. C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp4E6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
      PID: 2056
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 5797188c9b75a9156bc8ded36c2163e7
SHA1: d2f06579257704ccfa11e2ee17a3f27bb111fc83
SHA256: 503c0c0421c3ab5714761e47815445816c31b50eaf67a206faca7e8170e33981
SHA512: b60dd9481acd6f658b14a5310a84265e30895b6021b1e8a59fa4f41d3a2ebd6f02f0b268f68f169c31f2bfd53e7019123434267bf1f55c8d027a7d16df5da77f

Filesize: 78KB
MD5: aa41afc84b2712d9c4e4a57a816a19b4
SHA1: 4ef580be52d97072248f8f038cc090350cb7c40b
SHA256: fc494c1e00e049dd780b309109e5e8c243d81bc9e6bd55bd3e08bcdcf6b2c635
SHA512: dc1506cc64c02fba50d76f85227b7a785b71a9786a20142a7a6004990439fc4034879301363bea795a37ddc897c3fa6b43e61df97df501e73c71d7e22f913a80

Filesize: 660B
MD5: 92ebc7f2cee7986f4b2df2295c82f733
SHA1: 05dd064f45d8e27566d1394196b5637a78c243ad
SHA256: 8427d850f97b8e7451757060dc22118a8fd3b9b2d44ca5d9e63fc066ad014db4
SHA512: 807194f57539fa38862383e4c06424c03c1b925848ab16850f8452435d08ac0011e296275d8227335b47ab701b711f378904350bee55619c2f7d29eb0f7aca37

Filesize: 14KB
MD5: 5e342cc6a2729e2ccb429bf04b5f4d3c
SHA1: 3bd17cb51dc49fa9f49a3400f99e9766ef7d67b0
SHA256: c76145c34253f20dde0a857b77dc3b44069b128d1ef388cb3c38e2c3119e21d8
SHA512: f049598a2e2f20ef5417f48b0ce6377c5cc2d54eafeed42f25affeb3400ccf80d8f1b53ec433ea313519b175745f307ce5e5e1499e1408e64b410f61d26bc1e1

Filesize: 266B
MD5: e6bdafb5f360c40bb39ac1f7f13b9124
SHA1: 6cd21ca3095638ac5381ed8fe92fe02a65bb5a4a
SHA256: aeacb0d255655f6b39f581f9f6d0847bcea313090c12fedde2ccad553f1f1dcc
SHA512: c61516aee149ebc85372f970c5a28a05542df0a5ea69fe36b0d5600217e94e1ca632c0121a9e64ad2dff3ad6742b2b7763c768afd7f20b68f14d0211457e2e56

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65