Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
  Resource: win10v2004-20240226-en
General
- Target: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
- Size: 78KB
- MD5: d5e438d5c28d8817b77f2e3893c5648d
- SHA1: 64bfba0f51eb646da49b40013a02668c5f553ac3
- SHA256: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e
- SHA512: cb18609831659429a649c92ab3f6b12c8b043cbe08c0c089b20df95fbeb53b7341a59728fd14ce4257cdab4460ad506997416d9d8951ce28d94ec92482b5b179
- SSDEEP: 1536:iPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtQ9/S1mC:iPCHY53Ln7N041QqhgQ9/m
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
    tmp95B8.tmp.exe (PID 3100)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    tmp95B8.tmp.exe
      Set value (str): \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe (PID 4004): Token: SeDebugPrivilege
    tmp95B8.tmp.exe (PID 3100): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID, source process -> target PID, target process):
    PID 4004 wrote to memory of 4020: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe -> vbc.exe
    PID 4004 wrote to memory of 4020: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe -> vbc.exe
    PID 4004 wrote to memory of 4020: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe -> vbc.exe
    PID 4020 wrote to memory of 228: vbc.exe -> cvtres.exe
    PID 4020 wrote to memory of 228: vbc.exe -> cvtres.exe
    PID 4020 wrote to memory of 228: vbc.exe -> cvtres.exe
    PID 4004 wrote to memory of 3100: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe -> tmp95B8.tmp.exe
    PID 4004 wrote to memory of 3100: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe -> tmp95B8.tmp.exe
    PID 4004 wrote to memory of 3100: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe -> tmp95B8.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe (PID 4004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4020)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zggyny_a.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 228)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9877.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12D51EACE16D463881A9B7152B4CB0.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe (PID 3100)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads