Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-07-2024 22:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2561b7a1603462034ddf1da1bd2fed20N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2561b7a1603462034ddf1da1bd2fed20N.exe
  Resource: win10v2004-20240709-en
General
Target: 2561b7a1603462034ddf1da1bd2fed20N.exe
Size: 78KB
MD5: 2561b7a1603462034ddf1da1bd2fed20
SHA1: 634c9f4bfa9073ac5a68676ea7fdf1f260fde473
SHA256: 5d029d827c3af7a0465416c60385d09c72ad34a600a6c1ba7e3ebf12d3ff0e22
SHA512: 876a89488c7dd5aa0cec2e32d4171dd77750ca6e6132ecdeac01e1247be14c94c93ed6a048013c8ef7057c76c1471e4b5d305bab3e27f7187c46b89396a00e03
SSDEEP: 1536:KsHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtt9/X1tn:KsHFo53Ln7N041Qqhgt9/n
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
    Process: 2561b7a1603462034ddf1da1bd2fed20N.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2600: tmpB229.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Process: tmpB229.tmp.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 232, 2561b7a1603462034ddf1da1bd2fed20N.exe
    Token: SeDebugPrivilege, PID 2600, tmpB229.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID, source process -> target PID, target process):
    PID 232 2561b7a1603462034ddf1da1bd2fed20N.exe wrote to memory of PID 5036 vbc.exe
    PID 232 2561b7a1603462034ddf1da1bd2fed20N.exe wrote to memory of PID 5036 vbc.exe
    PID 232 2561b7a1603462034ddf1da1bd2fed20N.exe wrote to memory of PID 5036 vbc.exe
    PID 5036 vbc.exe wrote to memory of PID 956 cvtres.exe
    PID 5036 vbc.exe wrote to memory of PID 956 cvtres.exe
    PID 5036 vbc.exe wrote to memory of PID 956 cvtres.exe
    PID 232 2561b7a1603462034ddf1da1bd2fed20N.exe wrote to memory of PID 2600 tmpB229.tmp.exe
    PID 232 2561b7a1603462034ddf1da1bd2fed20N.exe wrote to memory of PID 2600 tmpB229.tmp.exe
    PID 232 2561b7a1603462034ddf1da1bd2fed20N.exe wrote to memory of PID 2600 tmpB229.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gu0wwysg.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc837E273DE06A46C7AEF2622A8885B830.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB229.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2561b7a1603462034ddf1da1bd2fed20N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads