Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 03:12
Static task: static1
Behavioral task: behavioral1
  Sample: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
  Resource: win10v2004-20240226-en
General
Target: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
Size: 78KB
MD5: da6ed2a31a3ebd8b179a3babdfd7f227
SHA1: bd9afa1afe1977a9712d2fc8cea9a9394017e56a
SHA256: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db
SHA512: 41442c7e9baa57eb14d23a89438f6397b730fb7176c4e1be768ea254a49066178aa222acf69d0901dbecc10410d412479e4cf4a2d3469893614a3d3d16a0e52e
SSDEEP: 1536:AV5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6T9/z1FW:AV5j9n7N041QqhgL9/2
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence. The Nation value under Control Panel\International\Geo holds the Windows GeoID of the user's configured country or region (what GetUserGeoID returns), so reading it lets the sample decide whether to proceed based on the victim's locale rather than on anything about the machine itself.
Processes: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe)
Executes dropped EXE (1 IoC)
Processes: tmp38D3.tmp.exe (PID 628)
Uses the VBS compiler for execution (1 TTP)
The sample runs vbc.exe from the .NET Framework 2.0 directory with a response file in the user's Temp directory (/noconfig @"...\w3pe7kc4.cmdline"), and vbc.exe in turn runs cvtres.exe to build the resource section. Random eight-character .cmdline names in Temp, /noconfig, and a cvtres.exe child with "/OUT:...\RES....tmp" are the artifacts of .NET runtime compilation through System.CodeDom, so the compiler is being driven by the sample itself, not by a developer tool.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: tmp38D3.tmp.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe" (tmp38D3.tmp.exe)
Both the value name System.XML and the file name AppLaunch.exe borrow legitimate .NET Framework names. The real AppLaunch.exe lives under %windir%\Microsoft.NET\Framework, not in the user's Temp directory; a Run entry pointing an executable of that name into Temp is the tell when checking this key on a host.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe, tmp38D3.tmp.exe
  Token: SeDebugPrivilege, PID 3764, fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
  Token: SeDebugPrivilege, PID 628, tmp38D3.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe, vbc.exe
  PID 3764 (fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe) wrote to memory of PID 4676 (vbc.exe), 3 events
  PID 4676 (vbc.exe) wrote to memory of PID 4220 (cvtres.exe), 3 events
  PID 3764 (fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe) wrote to memory of PID 628 (tmp38D3.tmp.exe), 3 events
Every target here is a direct child that the writing process itself started, and three writes per child is the pattern normal CreateProcess start-up produces (the parent writes the new process's parameters into its address space). On its own this signature therefore does not establish code injection in this run; the geofence check, runtime compilation and Run-key persistence are the stronger indicators.
Processes
C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"
  PID: 3764
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w3pe7kc4.cmdline"
    PID: 4676
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F540C4932254764A496F38B5B5198B7.TMP"
      PID: 4220
  C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
    PID: 628
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
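The three behaviours that carry the weight of this report (runtime compilation via vbc.exe from a non-developer parent, a Run value pointing into the user's Temp directory, and a dropped executable launched from Temp by another Temp executable) can be expressed as host-telemetry rules. The block below is an added example, not code from the sandbox or from the report: it runs those rules over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) whose values are copied from the process tree and IoCs above, plus two constructed benign controls that must not fire. The event layout, the field names and the MSBuild and vendor paths are assumptions for illustration.

```python
"""Detection rules for the report's behaviours, run over constructed events."""
import ntpath
import re

# Paths taken from the sandbox report above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmp38D3.tmp.exe"

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value
# set). Field names loosely follow the Sysmon schema; the layout is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4676, "Image": VBC, "ParentProcessId": 3764, "ParentImage": SAMPLE,
     "CommandLine": f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\w3pe7kc4.cmdline"'},
    {"EventID": 1, "ProcessId": 4220, "Image": CVTRES, "ParentProcessId": 4676, "ParentImage": VBC,
     "CommandLine": f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES3A59.tmp"'},
    {"EventID": 1, "ProcessId": 628, "Image": DROPPED, "ParentProcessId": 3764, "ParentImage": SAMPLE,
     "CommandLine": f'"{DROPPED}" {SAMPLE}'},
    {"EventID": 13, "ProcessId": 628, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'},
    # Constructed benign controls: a build driven by MSBuild, and a vendor Run entry
    # pointing into Program Files. Neither should produce a finding.
    {"EventID": 1, "ProcessId": 9001, "Image": VBC, "ParentProcessId": 9000,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": f'"{VBC}" /noconfig @"C:\\build\\obj\\app.cmdline"'},
    {"EventID": 13, "ProcessId": 9002, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive the .NET command-line compilers (assumed list).
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def in_user_temp(path):
    """True when the path sits under a user's %LOCALAPPDATA%\\Temp directory."""
    return "\\appdata\\local\\temp\\" in path.lower()


def rule_compiler_from_non_dev_parent(ev):
    """vbc.exe/csc.exe fed a .cmdline response file by something other than a build tool."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in COMPILERS:
        return None
    cmd = ev["CommandLine"].lower()
    if "/noconfig" not in cmd or ".cmdline" not in cmd:
        return None
    parent = basename(ev["ParentImage"])
    if parent in DEV_PARENTS:
        return None
    return f"{basename(ev['Image'])} compiled a response file for parent {parent}"


def rule_run_key_to_temp(ev):
    """A Run/RunOnce value whose command starts with an executable under Temp."""
    if ev["EventID"] != 13 or not RUN_KEY.search(ev["TargetObject"]):
        return None
    m = re.match(r'^"?([A-Za-z]:\\[^"]+)', ev["Details"])
    target = m.group(1) if m else ev["Details"]
    if not in_user_temp(target):
        return None
    return f"Run value {ntpath.basename(ev['TargetObject'])} -> {target}"


def rule_dropped_exe_from_temp(ev):
    """An executable in Temp started by another executable that also lives in Temp."""
    if ev["EventID"] != 1 or not (in_user_temp(ev["Image"]) and in_user_temp(ev["ParentImage"])):
        return None
    return f"{basename(ev['ParentImage'])} launched {basename(ev['Image'])} from Temp"


RULES = {
    "Uses the VBS compiler for execution": rule_compiler_from_non_dev_parent,
    "Adds Run key to start application": rule_run_key_to_temp,
    "Executes dropped EXE": rule_dropped_exe_from_temp,
}


def detect(events):
    """Apply every rule to every event; return one finding per (rule, event) hit."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            evidence = rule(ev)
            if evidence:
                findings.append({"rule": name, "pid": ev["ProcessId"], "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['evidence']}")
```

Run as-is, the script reports exactly three findings, one per malicious behaviour (PID 4676 for the compiler, PID 628 for the Run value and for the dropped executable), and stays silent on the MSBuild and vendor controls. The parent-image allow-list is the knob that keeps the compiler rule usable on developer workstations; on servers and end-user fleets it can be emptied so that any vbc.exe/csc.exe response-file compile is reported.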
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 8af09354e776af0e3c53d16d9cc7926b
SHA1: 29f8693d0a76f3bf9e5b72bb70152dd9830dbd4f
SHA256: 2a82a86341171f3a4b40b06c21189e2aed8dbffbcef8bf74a827316735499571
SHA512: d6658ce0bb8363182a15f39300af1b5a290a4324b005af347c091fa3cb2fe604176fbd7e261befcce749e065c443070e39caeb66d19f3a35aa087344d22c5d1e

Filesize: 78KB
MD5: 1fa2c8132ab2596c6814394efe72603f
SHA1: a4f1dcfac6412e7f9134ff5ad32f84ec67a0a2ef
SHA256: 3520650f2c2d7d8c923a8ecca2f0e1aede664aa2eb37f05b510ab08dd2c6b256
SHA512: 7be354052a23de0286dc72d66d3e833fa552f0669607046fc72ce30f64a2449a6e9e9c1bd63139c24625b8936f13f91ff82fb188733528ad4b329c1b58ddb122

Filesize: 660B
MD5: 8fcdd42e4fedc199a26cd5cb1374c894
SHA1: 16e2cc33c6f3938cde965d221deddc0eec021926
SHA256: 7bbb1e3c0f3b8226024e0c45c34678c1cedd306eee0801a18783657508470c69
SHA512: 817c57f2c9df84033aa714874a3fea789e7d8cd6fe0d4aa822bd04b636ae0959bc2851097e642d50705a877284d220412a4a5243cd758b16ca27d3bd11d6ba8b

Filesize: 14KB
MD5: cca9fb6a7814f07fdbf228d7f564e895
SHA1: f6858d91dc87c20413685ce8ef9db3ac84b871ec
SHA256: e97e22435834aca159d8f263d4aa7612202bde89e156e5ea631e4970ce519b80
SHA512: d60da3d22f2f6735948beca31a9977793dc8d75103b1b9c895a365e38b9801beaf466bd4f50818737c70a93ca389c1c085bad3b4b71456bec667a7b418af7232

Filesize: 266B
MD5: ecfab649c8416ca57297ecaa497ecdd3
SHA1: 748872a07e979b1f9c11db66c6cd653dd377d783
SHA256: 6188615cb58749d9d6634e79618920eece78d7591f555a7257860f7cc6a24a56
SHA512: c0487e9002721430a7e0de08324a2847a7a4f8e654ad612eaa0a3595a56730b8382ebe0a17d695052d92566b22814db8fa93c469808f1d6abef3d2390831ba1e

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65