Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 20:30
Static task: static1
Behavioral task: behavioral1
  Sample: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
  Resource: win10v2004-20240226-en
General
Target: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
Size: 78KB
MD5: 2627456fa3286338ba04377a00d84f91
SHA1: e598838e48f8c59131ba8ca6ec54603c85f00915
SHA256: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9
SHA512: f3ea71639e000ece3f7b757f71313f757a03afa415aa150a0a4048ff70f03339a24f235c1e896d6e2a5c806f5ffdb50908541543ee7479e4f6ce2deca072099d
SSDEEP: 1536:bHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtS9/ww1le:bHFo53Ln7N041QqhgS9/0
Malware Config
Signatures
MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation
    process: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
Deletes itself (1 IoCs)
  Processes: tmp805B.tmp.exe
    pid: 2648
    process: tmp805B.tmp.exe
Executes dropped EXE (1 IoCs)
  Processes: tmp805B.tmp.exe
    pid: 2648
    process: tmp805B.tmp.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: tmp805B.tmp.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    process: tmp805B.tmp.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe, tmp805B.tmp.exe
    description: Token: SeDebugPrivilege  pid: 4404  process: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
    description: Token: SeDebugPrivilege  pid: 2648  process: tmp805B.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe, vbc.exe
    PID 4404 wrote to memory of 2012: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe -> vbc.exe
    PID 4404 wrote to memory of 2012: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe -> vbc.exe
    PID 4404 wrote to memory of 2012: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe -> vbc.exe
    PID 2012 wrote to memory of 4660: vbc.exe -> cvtres.exe
    PID 2012 wrote to memory of 4660: vbc.exe -> cvtres.exe
    PID 2012 wrote to memory of 4660: vbc.exe -> cvtres.exe
    PID 4404 wrote to memory of 2648: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe -> tmp805B.tmp.exe
    PID 4404 wrote to memory of 2648: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe -> tmp805B.tmp.exe
    PID 4404 wrote to memory of 2648: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe -> tmp805B.tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4404
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0nemvysu.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 2012
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91DB679839454547A21C5EAE99BE6.TMP"
         PID: 4660
   2. C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp805B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: b8e147d26abe709def149c1c243c3c65
SHA1: 8f6ca911d4dc35db1f7478ca7609b55c6138934a
SHA256: 56936fa9cce510e6ea74fd77aab4080f9894e5c00695fa9a150fd62f666f0fca
SHA512: 5516fae2be098e5089e5bc7b04d86cc7e16e7b2f9e23a7f23d564bb25dfab23b2d4ec353d8392c803b42a27b7dd0241b14595f7470cf5eca10319d88cd368a6b

Filesize: 266B
MD5: 03599a7e611c72876f453ff6c819ee5e
SHA1: 47b29ba60896d41b0d0b9755052cb4cbf81ac0c7
SHA256: 0162e504266c1579176631a8124c81423f48346612bdabd1518aec1989a5893e
SHA512: e02800111e0cf893e120caa4b7b16e2657071c070624191cb36acea9053cd56a2c272ddf71ef210eb4e8c69955f9d3ce6ef9c0c65d981e0e3ffb86feed0c9817

Filesize: 1KB
MD5: 9502b62767c8947ecf7656a856382172
SHA1: c41fc74bed12ef887560548b30a1dc2f087e2ccb
SHA256: 6095a306964545354b3436b5884e2ad3130650a46ac6e45312493c056afca04e
SHA512: d5c8592497ebc38c9b56f70bec72e79ec0c0827dd7ce59d7e7c0e054a30a114d23d551ce80bff4524f979dec19ab7434f977c91dd129742740544745dc7c23df

Filesize: 78KB
MD5: 3de6945359a7f84064ce519cf60b95a3
SHA1: bd23a417e5a28c393319f0d11c1903b5cffd301f
SHA256: ed28b9af0594e43c5270dfbf6ac1d1eef371d8e692d7882ccef5e060d9edeb54
SHA512: cb35dbad3482f94f1abbc6d88ab9a6665d1443f511c4b477bba79d394a776783f7366714c87019acc8368b0b7d60d44b7648f5592207c7c9aea182c56542f72d

Filesize: 660B
MD5: 8b4f6e3c5ec87cd97cc24f022242f950
SHA1: 4c062b85cbd269fe482f1249ff09d8bdf39a2f39
SHA256: fab93703b93f687b598cca0e4c1cfa305d5d5ae12c60cc948e95936c66f575a7
SHA512: c0ece332135c75ffb0128a6d7f53effb3edc45802c0e8bcf0106d7f109bbfb1ed74c28c511023ab982cbf2e8225083e43245d9c66fa80170e9c86a560a52b0b3

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65