Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 20:08
Static task: static1
Behavioral task: behavioral1
  Sample: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
  Resource: win10v2004-20240226-en
General
Target: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
Size: 78KB
MD5: eb3e591c61216112064bbad14b1a973d
SHA1: 9909f794d98238f42a5fbc56045df9a8dcaacc7c
SHA256: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18
SHA512: ad79152d4194537eaa51985679527778bd9e0eea3bea7fb7371e3b5a5c2c5304ac9a61aaab6757db2a95a09512eff15b6f167fea9231809741e0d3a29a64acb4
SSDEEP: 1536:Ay5jldy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6Y9/Rp1yo:Ay5jwn7N041Qqhgg9/B
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
    process: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1444, process tmp8A3E.tmp.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1444, process tmp8A3E.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    process: tmp8A3E.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description: Token: SeDebugPrivilege; pid 4280; process 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
    description: Token: SeDebugPrivilege; pid 1444; process tmp8A3E.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description; pid; process; target process):
    PID 4280 wrote to memory of 1676; 4280; 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe; vbc.exe
    PID 4280 wrote to memory of 1676; 4280; 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe; vbc.exe
    PID 4280 wrote to memory of 1676; 4280; 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe; vbc.exe
    PID 1676 wrote to memory of 4360; 1676; vbc.exe; cvtres.exe
    PID 1676 wrote to memory of 4360; 1676; vbc.exe; cvtres.exe
    PID 1676 wrote to memory of 4360; 1676; vbc.exe; cvtres.exe
    PID 4280 wrote to memory of 1444; 4280; 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe; tmp8A3E.tmp.exe
    PID 4280 wrote to memory of 1444; 4280; 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe; tmp8A3E.tmp.exe
    PID 4280 wrote to memory of 1444; 4280; 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe; tmp8A3E.tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"
   PID: 4280
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izt2q59o.cmdline"
      PID: 1676
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78EA23C825DB4922B077C37195D9C3C1.TMP"
         PID: 4360
   2. C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
      PID: 1444
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads