Analysis

Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
Submitted: 08-04-2024 20:57

Static task: static1

Behavioral task: behavioral1
Sample: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
Resource: win7-20240319-en

Behavioral task: behavioral2
Sample: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
Resource: win10v2004-20231215-en
General

Target: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
Size: 78KB
MD5: 0ab385dd7216e9d677c4fee6ffa159a2
SHA1: d3578e3963d00825e0d4fc35c9b364d9be458c54
SHA256: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0
SHA512: fa7ef3b261d86852c50a4567f3eda14dbe9962c57b9b1c85582a85e3e2cf6e2ec94fd0836784f258271fffaa629b1b688e2cfda92dea47f4fbe0131fb2696c69
SSDEEP: 1536:9WV5jS6dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6V9/Q1rG:9WV5jS1n7N041Qqhg99/7
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe

Deletes itself (1 IoC)
Processes:
  pid | process
  2112 | tmp4D45.tmp.exe

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2112 | tmp4D45.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp4D45.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2596 | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
  Token: SeDebugPrivilege | 2112 | tmp4D45.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 2596 wrote to memory of 2148 | 2596 | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | vbc.exe
  PID 2596 wrote to memory of 2148 | 2596 | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | vbc.exe
  PID 2596 wrote to memory of 2148 | 2596 | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | vbc.exe
  PID 2148 wrote to memory of 4112 | 2148 | vbc.exe | cvtres.exe
  PID 2148 wrote to memory of 4112 | 2148 | vbc.exe | cvtres.exe
  PID 2148 wrote to memory of 4112 | 2148 | vbc.exe | cvtres.exe
  PID 2596 wrote to memory of 2112 | 2596 | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | tmp4D45.tmp.exe
  PID 2596 wrote to memory of 2112 | 2596 | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | tmp4D45.tmp.exe
  PID 2596 wrote to memory of 2112 | 2596 | 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe | tmp4D45.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"
  PID: 2596
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\peyqrj5o.cmdline"
    PID: 2148
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41213723B7CE4C5DACA2D181F64FE652.TMP"
      PID: 4112

  C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4D45.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
    PID: 2112
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 99c6684879572f000a9d4e3ac83194a6
SHA1: b810fc679d74ab446ee08ee2cd0110884da6fb3f
SHA256: 8a6304ae0835c4ba56b9b324e6d5ae759856b7e537877d54b41da4926a63a5d6
SHA512: d5b329bde0c9a9bb78d92cf7a1341d12ebc5157bbd2e63b72ce1d9ff857b6e026c5482e45319684322dcc17b6059644ec18eaf1c46d489b686feef9bd00ffdab

Filesize: 14KB
MD5: 2fade4e56662a80ec5b531584334c8b1
SHA1: a7281f32fee391b8e571eb9782879dfe85725649
SHA256: c02937ba4d58b1f5a0b0ea925c3ec57aa864bb5970a58ffbf561007fde1d6aad
SHA512: 8fcc97a5c973f0d3d82a2d2bf9ef5f5eac3bcbe6d40af88fe918e02b09af5763f48e6684c7c2399c420372103bd657c7628391128fe90485895e3eea24ea80dd

Filesize: 266B
MD5: 5a216974017482847e1173ddebf923c0
SHA1: 144ede6c6347f9a580df03ec6e56d0fa27284ac6
SHA256: 3370007520b70ffd1737cf9276e895c410356050c77136d2c4cb411579a9f1e2
SHA512: 72954a16306b57e982025b4568769d1073641875acffbfc19b889b1583702ec4e35b27a2c321c162e0572060baa66806ed177af7426f4a87a85926626cf46d17

Filesize: 78KB
MD5: 17ef610a75030ce7cf21bb881cb15331
SHA1: 56a380fd672a4895744524a123ed259b046fa02a
SHA256: e2bc5dce3a85eeda0cc46783b4f5a16726bff570e405db34c20b0f1c72f7e6fe
SHA512: 87944babb652eabfcee38b00ae6ffa9b4d3a1146a40dfe80a11f73bbe8521b4b57c42a71f7152a9ffb41a70a9d1f98c5fa311c604a0f5cf9d7a2113eb71fdd78

Filesize: 660B
MD5: d1b7eff95375eeb1a2e61b3a49c4ec20
SHA1: b415d745e1501b20239c7dbd5686f5554a6930f2
SHA256: 0b30b43121b8b8a30aa3e9297eb2361e37d55aa582d3c279b0618675e2d5e790
SHA512: 29d2be7d07e4923143a365f0a565fe5760e9554e4b05c8169246543bce370738c2df919068fd43e6aaa4dd81daf418cd3ee1cdd8c1f3aa38f6627ef6cdc7ee3b

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65