Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
  Resource: win10v2004-20231215-en
General
Target: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
Size: 78KB
MD5: 3332a2ae097b0d6660aa538c321f856b
SHA1: 4c911806ab593db9555b5417f3148f93aa52d442
SHA256: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769
SHA512: e702a7001db5dd51b48bde34922d59f6bf0a4247ffacfe450b66a29e18df0d8363680bfb0e38d29f23edbae0bcc8c2090547de8f50c5da9bc4f5b6d06ca05af1
SSDEEP: 1536:4HH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtl9/41fr:4Ha3Ln7N041Qqhgl9/G
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe)
Executes dropped EXE (1 IoC)
Processes:
  PID 1200: tmp40E1.tmp.exe
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: tmp40E1.tmp.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" (process: tmp40E1.tmp.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe, tmp40E1.tmp.exe
  Token: SeDebugPrivilege  PID 464   fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
  Token: SeDebugPrivilege  PID 1200  tmp40E1.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe, vbc.exe
  PID 464 wrote to memory of 4068: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> vbc.exe
  PID 464 wrote to memory of 4068: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> vbc.exe
  PID 464 wrote to memory of 4068: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> vbc.exe
  PID 4068 wrote to memory of 728: vbc.exe -> cvtres.exe
  PID 4068 wrote to memory of 728: vbc.exe -> cvtres.exe
  PID 4068 wrote to memory of 728: vbc.exe -> cvtres.exe
  PID 464 wrote to memory of 1200: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> tmp40E1.tmp.exe
  PID 464 wrote to memory of 1200: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> tmp40E1.tmp.exe
  PID 464 wrote to memory of 1200: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> tmp40E1.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe (PID 464)
  command line: "C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4068)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cxik4jzp.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 728)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD69D71365A734D508DA3E5CE2D12915C.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe (PID 1200)
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp40E1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 0a26835146ee13393907f34ad070e4ca
SHA1: d3c1f13f82be4530e1e70d48e35188559a46632a
SHA256: bd4db0db9b8f4fa5440ac67256219a976a7fa2ec352f0ae2adeb85a8f00ddc46
SHA512: c0ceff09e3e07c7511e1015fbe58524d036972d5484b2b2957e240d490ba0ee3733ec4dc6908bc13a347e58682901704fe41756bbcc4719cad3f04f8881152ec
-
Filesize: 15KB
MD5: 65ba14eea4e71b093e3804a4c17ed5ff
SHA1: c2707e937b0e928aece14b5ddbfe1120c6ccb5af
SHA256: b92d5f444e41cab9aa1db5733a237c2fd1c6e1387494dbad3c32a3290e3d66c5
SHA512: f66dfac01e9029ca3a6cb56148722fb10bd6d61e510bdfdebdf4ca388f406e1982594c227fbf2b777a1bd6ed7de04b5798a84866595f65a0f98cdd2ca824dd64
-
Filesize: 266B
MD5: 0aa963368e6ebc07851ee040868530b8
SHA1: 62c1d10115b739112e3551b5d9a0fa734c9cd3a1
SHA256: d4fa3667568875d954bc546e2670cbf56ce3719f01bebd8d9a1b68cb2e9f98a0
SHA512: b9fde02e3d11173f63ba01c9a0ca2ba5befefbcae39428ce81aab2db06cf4120f14644e856f5f61456147a7f87898eb9b578188589782c09c00df8ccc178b916
-
Filesize: 78KB
MD5: 386c508e2bae09dfe6099dea25bff727
SHA1: bdd54683528bdd16c083a92fa9f68df8791c05be
SHA256: fb5c7b286eb03602cd56aa2093799df9e1d31c35e88f0b6004e1295c34c6cabb
SHA512: cc6b939aa79d144092124257f418a70973c20a2549f0528f580170dc9ca5edfa9b5a15af22a10c00558e9bc9954aee9c46e6329e456b808f1649cf687a1dd6b8
-
Filesize: 660B
MD5: c45257f0e9eea6a8651954a84d56cc6f
SHA1: 5dcbb71468adb298731ee8cba5dc4a50d2f30fca
SHA256: 9f0e977e0d59d4999a47e8a548da50a9fe4b9bd95db773b94cf18b7975ff959c
SHA512: 5d08d007c294640edeb405da7a1ae58d30660201877d933f8e1078121fc6a52aab293bfc356b68aeb361ff697984cf0c9a4ece92f1824efbc025587e10df1a1e
-
Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65