Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 00:49

Static task: static1
Behavioral task: behavioral1
  Sample: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Resource: win10v2004-20240226-en

General
Target: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
Size: 78KB
MD5: cc3ad847921295c623d421afe0aa980d
SHA1: 86e8e13535d6da57e96fe080454ba4b4797e933d
SHA256: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f
SHA512: 687de735dbf4425c8c6c873a86c3b768f467d0360e81154e0fc202b3dad9526796179016d0b458f2dbfc6ca5a614b95cea9584f9ccd817b8178420eab5f21dd4
SSDEEP: 1536:cHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC9/h1GU:cHa3Ln7N041QqhgC9/v
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Process: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Processes:
  PID 3272: tmp3393.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Process: tmp3393.tmp.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 4756  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Token: SeDebugPrivilege  PID 3272  tmp3393.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 4756 (a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe) wrote to memory of PID 2816 (vbc.exe)
  PID 4756 (a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe) wrote to memory of PID 2816 (vbc.exe)
  PID 4756 (a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe) wrote to memory of PID 2816 (vbc.exe)
  PID 2816 (vbc.exe) wrote to memory of PID 2784 (cvtres.exe)
  PID 2816 (vbc.exe) wrote to memory of PID 2784 (cvtres.exe)
  PID 2816 (vbc.exe) wrote to memory of PID 2784 (cvtres.exe)
  PID 4756 (a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe) wrote to memory of PID 3272 (tmp3393.tmp.exe)
  PID 4756 (a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe) wrote to memory of PID 3272 (tmp3393.tmp.exe)
  PID 4756 (a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe) wrote to memory of PID 3272 (tmp3393.tmp.exe)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"
  PID: 4756
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wrkveqmm.cmdline"
    PID: 2816
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES349D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BD3FFD73D694E2F97E06652B7CE8E12.TMP"
      PID: 2784

  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3393.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
    PID: 3272
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 0ab7e9927132a322ffad07d6836f9bf0
SHA1: 319900f331d984609b42cc31ecde139677ecc5d3
SHA256: 1f3ae11edb5b340efdcba1c5ac4533788d5eb1911db292465c1f068ee2d66866
SHA512: b231f5b1032a4409b369b868b499c4be18ee50e7ddc2ad4971f3c2d52ad171d792f5cedb2ba70e3c3b72e060043fd43c4e4f8d28451146d60f93594b30b7faef

Filesize: 78KB
MD5: 7a589baf691c2364bf44a91de07f3006
SHA1: fa4397119f14c5e585701b5d2fdfb41980597cac
SHA256: d0a45988b38d5ab15d9df72340ac5709086bcb375919790464d022233aff04a6
SHA512: d790fd27e7b007d597b1073862d9350ba4d769d3dca7ff550a2d688e87a65465c620222aa48a9d5600c0de53042549b788500311b00228c62907144301fd1877

Filesize: 660B
MD5: 39b4288ec22c4563b1d0e0c722c8380c
SHA1: b275f3a1ab0b8b61e3988f99217abc8879bb7d84
SHA256: d5c863d76883676b97f834ee1573bcba0647141c50d3a97126281ca2c4c17978
SHA512: f0aae44531955f56235a59b3b8ec5b1e8cf81ce72415078bdbb871cf943f723aedd1680cff4b5d033d467804bb053dc7428051ec8c9d5a80eddc6dabfede4984

Filesize: 15KB
MD5: 14f27bf1279da7493410456ae6eb48e0
SHA1: 385c6a4330f44745201455080bd65ad96e7fe998
SHA256: 0d3d11ec8050ebba969722750ac68abbc494d2c82222df1186417a41d8d59d88
SHA512: f09a3ba9cfc29a5ff1e8ded71459fcd0cbfe0e4a02b8b6cbafb893b18448870eb7971ddcc36e7e3daa9b4ddf38e93db3050c51c2fba7418af4d4f6704e0a64b9

Filesize: 266B
MD5: acabb575e424fab627f55e96e319e5af
SHA1: a40299a221e25146203ae2fa44af8c5bfe6368b7
SHA256: 8f8ab63b373d7db985e815e08d02db9dd7eb8b034001419d6197c84f85acb637
SHA512: fa4f429df09c7183441556f1e008adaf271c516ff25ea44a9c7b37dd07b636677f9cfd3169d925f7848962336fe481ec56473fbc62e30b2776dd9f75a83a7d63

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65