Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 19:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Resource: win10v2004-20240319-en
General
- Target: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
- Size: 78KB
- MD5: 7610fdebc9263ef8a369d1602b36d2f9
- SHA1: 6a989b25e91bc1b80c6a4ca435aca9ba886c18a1
- SHA256: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba
- SHA512: 6aff82bce3277181101913f5c6c8b52d7b446c3a583f041466c7049d4119df2df13ad3c5ed14c1917a7f0821ea8ce88dfbcef79db4edf8ffda78efce45227c60
- SSDEEP: 1536:6y5j5dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6G9/gV14l:6y5jkn7N041Qqhg+9/H
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation (process: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe)
- Deletes itself (1 IoC)
  Processes: tmp731D.tmp.exe (PID 4036)
- Executes dropped EXE (1 IoC)
  Processes: tmp731D.tmp.exe (PID 4036)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: tmp731D.tmp.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" (process: tmp731D.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe, tmp731D.tmp.exe
  Token: SeDebugPrivilege, PID 496, 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Token: SeDebugPrivilege, PID 4036, tmp731D.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe, vbc.exe
  PID 496 wrote to memory of 1944: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe -> vbc.exe
  PID 496 wrote to memory of 1944: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe -> vbc.exe
  PID 496 wrote to memory of 1944: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe -> vbc.exe
  PID 1944 wrote to memory of 3712: vbc.exe -> cvtres.exe
  PID 1944 wrote to memory of 3712: vbc.exe -> cvtres.exe
  PID 1944 wrote to memory of 3712: vbc.exe -> cvtres.exe
  PID 496 wrote to memory of 4036: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe -> tmp731D.tmp.exe
  PID 496 wrote to memory of 4036: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe -> tmp731D.tmp.exe
  PID 496 wrote to memory of 4036: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe -> tmp731D.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"
  PID: 496
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tlgmbvvn.cmdline"
    PID: 1944
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ABE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97A72AB2B14E44218E6EE5323D9CFEDF.TMP"
      PID: 3712
  - C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
    PID: 4036
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
  PID: 3176
Network
MITRE ATT&CK Enterprise v15
Downloads