Malware Analysis Report

2024-09-11 10:25

Sample ID: 240613-3gatlsvgje
Target: 616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51
SHA256: 616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51
Tags: metamorpherrat persistence rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51
Threat Level: Known bad

Malicious Activity Summary

metamorpherrat persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Deletes itself

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 23:28

Signatures

Unsigned PE (no indicator, process or target rows: the finding is about the submitted file itself, which carries no Authenticode signature)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 23:28
Reported: 2024-06-13 23:31
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe | N/A

Geo\Nation under the user's Control Panel\International key holds the GeoID of the country configured in Region settings; reading it is a common way for malware to decide whether to run on a machine in a given country. The report records only the read, not what the sample does with the value.

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe | N/A

The process attributed to the deletion is the dropped executable, which is started with the original sample's path as its only argument (see Processes); the report does not name the deleted file.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe | N/A

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET command-line compiler, not VBScript; see the vbc.exe and cvtres.exe entries under Processes)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe | N/A

The key is the per-user Run key (HKCU\...\Run for the SID shown) and the value data, once the report's string escaping is undone, is "C:\Users\Admin\AppData\Local\Temp\big5.exe". It is written by the dropped executable, not by the sample. No file named big5.exe appears in the Files list for this run, so the autorun points at a path that was not observed being written during the 148 s the sandbox ran; on a live host, the Run value may exist without the file, or the file may be written later.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2072 wrote to memory of 2308 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2308 wrote to memory of 4724 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2072 wrote to memory of 2732 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe | C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe

Every pair is a parent writing into a child it has just created. Normal process creation also produces parent-to-child writes, so this signature on its own is weak evidence of injection; its value here is the parent/child map it records: the sample (2072) started both vbc.exe (2308) and the compiled output tmpEBB8.tmp.exe (2732), and vbc.exe started cvtres.exe (4724).

Processes

C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe (PID 2072)

"C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2308, parent 2072)

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s4mt81pw.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4724, parent 2308)

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED4E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4AF13E325FF41DF9ADCD7739AC3F7D7.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe (PID 2732, parent 2072)

"C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8

Reading the tree (PIDs and parents come from the WriteProcessMemory rows above): the sample runs the .NET 2.0 Visual Basic compiler, vbc.exe, with a response file, s4mt81pw.cmdline, whose contents are not shown but whose companion source file s4mt81pw.0.vb and a zCom.resources file appear in the Files list. vbc.exe in turn runs cvtres.exe, which reads vbcC4AF13E325FF41DF9ADCD7739AC3F7D7.TMP and writes RESED4E.tmp (the Win32 resource object for the new binary). The `/noconfig @"<random>.cmdline"` invocation and the `<random>.0.vb` source name are what the .NET CodeDOM compiler API produces when a program compiles source at run time, so the sample carries its second stage as VB.NET source rather than as a ready-made PE. The compiled output, tmpEBB8.tmp.exe, is then started by the sample with the sample's own path as its argument, which fits the "Deletes itself" and "Adds Run key" rows attributed to that process. The msedge.exe utility process is not referenced by any signature or parent/child pair in this report.

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | bejnz.com | udp | 10
N/A | 127.0.0.1:127 | (none) | tcp | 20

The 31 raw rows are collapsed by destination above, in first-seen order. Apart from one reverse lookup of the resolver address, all DNS traffic is lookups of bejnz.com, and the only TCP activity is to loopback port 127; no connection to a non-loopback address other than the resolver is recorded. In the raw order each bejnz.com lookup is followed by one to four of the 127.0.0.1:127 attempts before the next lookup, and the pattern repeats for the whole 157 s of network capture. The report does not attribute the loopback connections to a process. bejnz.com is the one network indicator from this run to block and hunt for.

Files

memory/2072-0-0x00000000752B2000-0x00000000752B3000-memory.dmp

memory/2072-1-0x00000000752B0000-0x0000000075861000-memory.dmp

memory/2072-2-0x00000000752B0000-0x0000000075861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\s4mt81pw.cmdline

MD5 8032f8e55d87d9104e34795e4e0b2875
SHA1 b56549021d751a4a1b27458a694d1138efdccc5c
SHA256 83e108bc20787683e9ff945ae54af2c3d883866f171d55bd4c631b30937a8f5b
SHA512 1d82e9e6596d51a76bb6731b14af80de8e7c6d13b16d53dec7f3e5ddeff7d0b8bf1dde1b587059b73a14eb2882775f3418ceafaa597e94ba29ba5035a97daa2f

C:\Users\Admin\AppData\Local\Temp\s4mt81pw.0.vb

MD5 ce17f17e30b706767c143daeaa24dcae
SHA1 ddd03eb638aff7383723d1dca4b77e32602b3d4f
SHA256 ed51399cb82a51080e618190c3d912542421602c34d16ebe2226c5d9c3d19aba
SHA512 cabe3b9865bcf593f68b683295ab31cf799821ec2c9e2a2582f44677a25785defe278a82627f7fbf8f3a041db3655a5b4f24273de49fd7bdaa331d9dace1bbf3

memory/2308-9-0x00000000752B0000-0x0000000075861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbcC4AF13E325FF41DF9ADCD7739AC3F7D7.TMP

MD5 6ae2510107816228661858338d792ee3
SHA1 e992e174fa3e023e7e2e1f629ed82c44ca303f68
SHA256 34e17efb9eb58621011f3a25d4c1cca4b51c1a0b8d1cbd77743a319cdd56c3eb
SHA512 1c80f9852ef93faf41c4f1587d89552a72e6d23687af54e7746143d64f8b9e62346ab9352409a1f7d61001808e7f4d63ec1b143f4e2ceaa4491652e7428160a1

C:\Users\Admin\AppData\Local\Temp\RESED4E.tmp

MD5 3a0a00ede3371ed6d3315a80b725362c
SHA1 2bfb380b381b52664244f1a2e1ad6c465ecb944d
SHA256 310236593df938deb6232eb81970f0a81db0629004e4ecb5e9621c70d51522cc
SHA512 5d14fd3b61b99131dfc26ba18542c6d145dfd6a0b3552625c81aa058159f3d585271514060f4b0f2b38b528766ef1cda1e6edf033dbfa4c0b8ec129cbf54dec6

memory/2308-18-0x00000000752B0000-0x0000000075861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe

MD5 84eb6f1d384f9a0a0b4366425ee65019
SHA1 7c49dd374707a4ab093e67ce137c7f5a3f54caa9
SHA256 391507135efbbd33c367eaea884150896963f825c88f90e7696fee85a6d92bc5
SHA512 77fc4e948709a999e6a15d264acafe96178f7ef59e2b55bae7f65ad1bc4d53f6e09c778d44b4c8d2ca3baa4ada36c616804beee500d16c6f6c8aa4f130fff722

memory/2072-22-0x00000000752B0000-0x0000000075861000-memory.dmp

memory/2732-23-0x00000000752B0000-0x0000000075861000-memory.dmp

memory/2732-24-0x00000000752B0000-0x0000000075861000-memory.dmp

memory/2732-26-0x00000000752B0000-0x0000000075861000-memory.dmp

memory/2732-27-0x00000000752B0000-0x0000000075861000-memory.dmp

memory/2732-28-0x00000000752B0000-0x0000000075861000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 23:28
Reported: 2024-06-13 23:31
Platform: win7-20240508-en
Max time kernel: 139s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.exe | N/A

Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET command-line compiler, not VBScript; see Processes)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.exe | N/A

Same value name (ShFusRes) and same target path, C:\Users\Admin\AppData\Local\Temp\big5.exe, as in the Windows 10 run, written by the dropped executable into the per-user Run key of this machine's SID. Registry paths are case-insensitive, so "Software" here and "SOFTWARE" in the other run are the same key. Again no big5.exe appears among the files written during the run.
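The two "Adds Run key" rows (this one and the Windows 10 one) are the persistence indicator a responder turns into a host check. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it parses the rows exactly as the report prints them, undoes the report's string escaping, converts the native \REGISTRY\USER\<SID> path to the HKU notation reg.exe uses, and checks whether the autorun target is in a user-writable location and whether it was among the files the run was observed writing. The user-writable path pattern is an illustrative assumption, and the observed-file set is constructed from the behavioral2 Files section.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed from the two "Adds Run key to start application" rows in this report
# (behavioral2 first, behavioral1 second), exactly as the sandbox prints them.
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""',
]

# Files the behavioral2 run was observed writing (its Files section); used to check whether
# the autorun target ever existed on disk during the detonation.
OBSERVED_FILES_BEHAVIORAL2 = {
    r"C:\Users\Admin\AppData\Local\Temp\s4mt81pw.cmdline",
    r"C:\Users\Admin\AppData\Local\Temp\s4mt81pw.0.vb",
    r"C:\Users\Admin\AppData\Local\Temp\zCom.resources",
    r"C:\Users\Admin\AppData\Local\Temp\vbcC4AF13E325FF41DF9ADCD7739AC3F7D7.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RESED4E.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe",
}

EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = (?P<data>".*")$'
)
# Locations a standard user can write to; an autorun pointing here is the usual malware shape.
# Illustrative assumption, not an exhaustive list.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|LocalLow|Roaming)|ProgramData|Users\\Public"
    r"|Users\\[^\\]+\\(?:Downloads|Desktop|Documents))\\",
    re.IGNORECASE,
)
HIVE_PREFIXES = ((r"\REGISTRY\USER", "HKU"), (r"\REGISTRY\MACHINE", "HKLM"))


@dataclass
class RunKeyFinding:
    hive_key: str           # key in reg.exe notation, e.g. HKU\<SID>\...\Run
    value_name: str
    command: str            # value data after undoing the report's string escaping
    image: str              # executable path extracted from the command
    user_writable: bool     # image lives in a user-writable location
    observed_written: bool  # image was among the files written during the run


def unescape_sandbox_string(data: str) -> str:
    """The report prints registry strings as a quoted, backslash-escaped literal; undo that."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return re.sub(r"\\(.)", r"\1", data)


def image_from_command(command: str) -> str:
    """First token of a Run value: a quoted path, or everything up to the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def to_reg_notation(native_key: str) -> str:
    for prefix, hive in HIVE_PREFIXES:
        if native_key.upper().startswith(prefix.upper()):
            return hive + native_key[len(prefix):]
    return native_key


def triage_run_key(event: str, observed_files: Iterable[str]) -> Optional[RunKeyFinding]:
    m = EVENT_RE.match(event)
    if not m:
        return None
    command = unescape_sandbox_string(m.group("data"))
    image = image_from_command(command)
    observed = {p.casefold() for p in observed_files}  # Windows paths compare case-insensitively
    return RunKeyFinding(
        hive_key=to_reg_notation(m.group("key")),
        value_name=m.group("name"),
        command=command,
        image=image,
        user_writable=bool(USER_WRITABLE_RE.search(image)),
        observed_written=image.casefold() in observed,
    )


def hunt_command(f: RunKeyFinding) -> str:
    """reg.exe query that checks a live host for the same autorun (HKU\\<SID> is HKCU for that user)."""
    return f'reg query "{f.hive_key}" /v {f.value_name}'


if __name__ == "__main__":
    for ev in RUN_KEY_EVENTS:
        f = triage_run_key(ev, OBSERVED_FILES_BEHAVIORAL2)
        print(f"{f.value_name}: {f.image} | user-writable={f.user_writable} "
              f"| written-during-run={f.observed_written}")
        print("  " + hunt_command(f))
```

For both rows the result is the same: value ShFusRes under the user's Run key, target C:\Users\Admin\AppData\Local\Temp\big5.exe in a user-writable directory, and the target absent from the files the run wrote. On a live host the SID in the hunt command will differ, so search every HKU\<SID>\...\Run for the value name rather than for the SID seen here.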

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2252 wrote to memory of 2344 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2344 wrote to memory of 2712 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2252 wrote to memory of 3024 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe | C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.exe

Same parent/child map as on Windows 10: the sample (2252) starts vbc.exe (2344) and the compiled tmp1620.tmp.exe (3024), and vbc.exe starts cvtres.exe (2712). As there, parent-to-child writes are also what normal process creation produces, so the relationships, not the writes themselves, are the evidence.

Processes

C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe (PID 2252)

"C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2344, parent 2252)

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\psvehw4q.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2712, parent 2344)

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES171A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1719.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.exe (PID 3024, parent 2252)

"C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.exe" C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe

The same compile-at-runtime chain as on Windows 10, with different random names: the sample drives vbc.exe through the response file psvehw4q.cmdline (source psvehw4q.0.vb and zCom.resources are in the Files list), vbc.exe runs cvtres.exe to turn vbc1719.tmp into RES171A.tmp, and the compiled tmp1620.tmp.exe is started by the sample with the sample's own path as its argument. Only the .NET temp-file names change between runs; vbc.exe, cvtres.exe, the `/noconfig @"...cmdline"` form, the Run value name ShFusRes and the big5.exe target are stable across both.

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | bejnz.com | udp | 9
N/A | 127.0.0.1:127 | (none) | tcp | 8

The 17 raw rows alternate strictly: a bejnz.com lookup, one TCP attempt to 127.0.0.1:127, the next lookup, starting and ending with a lookup. As on Windows 10, nothing but the resolver and loopback is contacted during the 148 s of network capture, and the loopback connections are not attributed to a process.
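The chain recorded under Processes in both behavioral runs (sample starts vbc.exe with a .cmdline response file in %TEMP%, vbc.exe starts cvtres.exe, then the sample starts the freshly compiled tmp*.tmp.exe and hands it the sample's own path) is what an endpoint rule should catch, independent of the random file names. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It encodes the behavioral2 process tree as constructed events (parent/child pairs from the WriteProcessMemory rows, command lines from the Processes section; the sample's own parent is not recorded, so ppid 0 is an assumption), and runs four rules over them. The allow-list of expected compiler parents, the user-writable path pattern, and the assumption that events arrive in creation order are illustrative choices to tune for a real estate; the same fields (Image, ParentImage, CommandLine) are present in Sysmon event ID 1 and in most EDR process-creation telemetry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 = parent not recorded (assumption for the sample itself)
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Process tree constructed from the behavioral2 run of this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\616f07f1bae6ff979adb8ccff74f97d4f46f87009eff2a8a72faa27d4d8ede51.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS_BEHAVIORAL2 = [
    ProcEvent(2072, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2308, 2072, VBC, f'"{VBC}" /noconfig @"{TEMP}\\s4mt81pw.cmdline"'),
    ProcEvent(4724, 2308, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESED4E.tmp" '
              f'"{TEMP}\\vbcC4AF13E325FF41DF9ADCD7739AC3F7D7.TMP"'),
    ProcEvent(2732, 2072, DROPPED, f'"{DROPPED}" {SAMPLE}'),
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Parents from which a .NET command-line compiler is expected on a workstation or build host.
# Illustrative allow-list (assumption); anything else is the compile-at-runtime pattern.
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe",
                             "aspnet_compiler.exe", "w3wp.exe"}
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|LocalLow|Roaming)|ProgramData|Users\\Public"
    r"|Users\\[^\\]+\\(?:Downloads|Desktop|Documents))\\", re.IGNORECASE)


def split_windows_args(cmdline: str) -> List[str]:
    """Minimal Windows tokenizer: whitespace splits, double quotes group and are dropped."""
    args, cur, quoted, pending = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            quoted, pending = not quoted, True
        elif ch.isspace() and not quoted:
            if pending:
                args.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(ch)
            pending = True
    if pending:
        args.append("".join(cur))
    return args


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_compile_and_run(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    launched_compiler: Dict[int, str] = {}   # ppid -> compiler image it started
    findings: List[Finding] = []
    for e in events:                          # assumed to be in creation order
        parent = by_pid.get(e.ppid)
        args = split_windows_args(e.cmdline)
        if basename(e.image) in COMPILERS:
            pname = basename(parent.image) if parent else "<unknown>"
            if pname not in EXPECTED_COMPILER_PARENTS:
                findings.append(Finding("compiler_unexpected_parent", e.pid,
                                        f"{basename(e.image)} started by {pname} (pid {e.ppid})"))
            launched_compiler[e.ppid] = basename(e.image)
            for a in args[1:]:                # @file is a compiler response file
                if a.startswith("@") and USER_WRITABLE_RE.search(a[1:]):
                    findings.append(Finding("compiler_response_file_in_user_dir", e.pid, a[1:]))
        elif e.ppid in launched_compiler and USER_WRITABLE_RE.search(e.image):
            findings.append(Finding("compile_then_execute_from_user_dir", e.pid,
                                    f"{e.image} started by pid {e.ppid}, which also started "
                                    f"{launched_compiler[e.ppid]}"))
        # The dropped exe receives the sample's own path: the hand-off behind "Deletes itself".
        if parent and any(a.casefold() == parent.image.casefold() for a in args[1:]):
            findings.append(Finding("parent_image_path_passed_to_child", e.pid,
                                    f"argument names the parent's own image {parent.image}"))
    return findings


if __name__ == "__main__":
    for f in detect_compile_and_run(EVENTS_BEHAVIORAL2):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Run against the constructed tree, the rules fire on vbc.exe (unexpected parent, response file in %TEMP%) and on tmpEBB8.tmp.exe (executed from %TEMP% by the same parent that ran the compiler, and given that parent's own path as an argument); cvtres.exe under vbc.exe is left alone because that is how vbc.exe normally builds a resource section. A build-server tree where msbuild.exe runs vbc.exe with a response file under the project directory produces no findings, which is the false-positive case the allow-list and the path pattern exist for.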

Files

memory/2252-0-0x0000000074431000-0x0000000074432000-memory.dmp

memory/2252-1-0x0000000074430000-0x00000000749DB000-memory.dmp

memory/2252-2-0x0000000074430000-0x00000000749DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\psvehw4q.cmdline

MD5 8e855fbac602b4b05879e3dabee62bd9
SHA1 1a878ddd0a21fea2ec43624b09c7dd994e22fd14
SHA256 cfb11be3bff113fc49685ea788083937143aa51dcc7362a63fbd9031f4f842bc
SHA512 05cea25b232ad86d0554852b02abedfe4b3d3bb322e99832fcc5263919ac8e8bfdb608c40b8f795b059168fbb05a7d5b5c6ddf5023f8c5d4466b89e406b7cbda

memory/2344-8-0x0000000074430000-0x00000000749DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\psvehw4q.0.vb

MD5 1f86dc8240900c9fa72aed05372162ab
SHA1 cff091b79f6d661bfbd9783c9d0b3c223b06e1c2
SHA256 84bd8c61d759766372b924f7fbe38cec795288b3880522cad27f051ff96f0773
SHA512 24c629f51d13bd5f61de3c0c745778c93845bdbc89404866407f8edb6a582c1b02e18d9f0db56e4425e014692c4fc8aa00e93529b50de1270cea0c8c2961d5db

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256 e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

C:\Users\Admin\AppData\Local\Temp\vbc1719.tmp

MD5 eeaa1b637c2fa54611e561b29a45bb4c
SHA1 d30ad8dab999098a6c553c9f166a9ebff09a0941
SHA256 e81a9ece2927f52a25ffdd2943e3f79db2e45772165a48bcb6526ca6400e8e5d
SHA512 6d09d56fba21cd3bca16524e08fac5c71075c19ed833828c15187c0a41923269ab55c300ec7d915ce51d37ed117925ddaa99c4a313afb53bd62ee4d05fbf7f69

C:\Users\Admin\AppData\Local\Temp\RES171A.tmp

MD5 7de86eb69b6209e3a3c0f3d8e92e93aa
SHA1 abd0ff4bfd2885fc2f1516b26713b7cfd6639aa7
SHA256 bc703a546beb01f35de3a067559fd85be018819f497664666d8fb6de7567e1d5
SHA512 5b4055b67e123cd1b9fdb06e445d5ec34985aba16f4c762f60911a4dac2c54fcc85c89565d180ebe3935820a4bfc1d7dbf18db0f3855f2ae284062fa967bc57b

memory/2344-18-0x0000000074430000-0x00000000749DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1620.tmp.exe

MD5 4b3ba01c9e0d6d382131f3d46eeb7308
SHA1 2d854320b10bb63c1b0095b7b3ea946dbd14ceaf
SHA256 69d61faea23ff334995448dd2713546bc1eca8b63de2e877b35d5c5bbf3bd787
SHA512 262d24a99de308475005317778ede9452422417ffc71a820d0791e18595c288dde6bcc3413d39457f04b6c6172af2a3acc637e66f537520711f80632b2ce5516

memory/2252-24-0x0000000074430000-0x00000000749DB000-memory.dmp