Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
17-07-2024 02:52
Static task
static1
Behavioral task
behavioral1
Sample
56fda1a225279bc1a477cd3f82fd34a0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
56fda1a225279bc1a477cd3f82fd34a0N.exe
Resource
win10v2004-20240709-en
General
-
Target
56fda1a225279bc1a477cd3f82fd34a0N.exe
-
Size
78KB
-
MD5
56fda1a225279bc1a477cd3f82fd34a0
-
SHA1
c9a62f04247fad125ed89e95e7c452ba0a75ebdf
-
SHA256
662ae2b794e8775927d6f8af0d7df19514dd2e3958db545dd048f2b79d4dda6d
-
SHA512
ac053631dd1808072071ad0d9975ad3fe738550a266517d1d07c32171b0143881ce3b830434c82abf75ca7a1bd8143d05bd89ebd3e31e30c7d4e569331b368f2
-
SSDEEP
1536:YuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteh9/XyJ1sA:YuHYnhASyRxvhTzXPvCbW2Ueh9/XyV
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: 56fda1a225279bc1a477cd3f82fd34a0N.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 56fda1a225279bc1a477cd3f82fd34a0N.exe
-
Executes dropped EXE 1 IoCs
Processes:
Processes: tmp5DCF.tmp.exe
pid | process
3284 | tmp5DCF.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Processes: tmp5DCF.tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp5DCF.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Processes: 56fda1a225279bc1a477cd3f82fd34a0N.exe, tmp5DCF.tmp.exe
description | pid | process
Token: SeDebugPrivilege | 4696 | 56fda1a225279bc1a477cd3f82fd34a0N.exe
Token: SeDebugPrivilege | 3284 | tmp5DCF.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Processes: 56fda1a225279bc1a477cd3f82fd34a0N.exe, vbc.exe
description | pid | process | target process
PID 4696 wrote to memory of 2752 | 4696 | 56fda1a225279bc1a477cd3f82fd34a0N.exe | vbc.exe
PID 4696 wrote to memory of 2752 | 4696 | 56fda1a225279bc1a477cd3f82fd34a0N.exe | vbc.exe
PID 4696 wrote to memory of 2752 | 4696 | 56fda1a225279bc1a477cd3f82fd34a0N.exe | vbc.exe
PID 2752 wrote to memory of 464 | 2752 | vbc.exe | cvtres.exe
PID 2752 wrote to memory of 464 | 2752 | vbc.exe | cvtres.exe
PID 2752 wrote to memory of 464 | 2752 | vbc.exe | cvtres.exe
PID 4696 wrote to memory of 3284 | 4696 | 56fda1a225279bc1a477cd3f82fd34a0N.exe | tmp5DCF.tmp.exe
PID 4696 wrote to memory of 3284 | 4696 | 56fda1a225279bc1a477cd3f82fd34a0N.exe | tmp5DCF.tmp.exe
PID 4696 wrote to memory of 3284 | 4696 | 56fda1a225279bc1a477cd3f82fd34a0N.exe | tmp5DCF.tmp.exe
Processes
-
Level 1
Image: C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  Level 2 (child of 56fda1a225279bc1a477cd3f82fd34a0N.exe)
  Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\idoncn1a.cmdline"
  - Suspicious use of WriteProcessMemory
-
    Level 3 (child of vbc.exe)
    Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD246494BF4D44482A034A1173C3C98.TMP"
-
  Level 2 (child of 56fda1a225279bc1a477cd3f82fd34a0N.exe)
  Image: C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\56fda1a225279bc1a477cd3f82fd34a0N.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp
Filesize
1KB
MD5
730e6d1d97b52ea2eefda626fe327303
SHA1
08759df5234f97b9a1490facad661f69aff18c3f
SHA256
f801334c7e2edcfce47b54e56dadf6a2ef4573731b273cbf6bd2944c86038bbf
SHA512
35648a4f5e99d618cc0c1efeff2645005cc9b4a79a03546ac84ce70199f0d2bd693ff055d3290d5f1f94998a6aef5eab03568fa0c323090c2d342a4c1d00abad
-
C:\Users\Admin\AppData\Local\Temp\idoncn1a.0.vb
Filesize
15KB
MD5
4fe832a34dbf8b56e644500eab069feb
SHA1
bc8c1219dc0ff4ef56b6a406b63649d12000230c
SHA256
842237ea012d711b84756c1642d194fa34107c3e7f98c3fc929aff3383a9f64e
SHA512
304ebfada44e38fc5711acbf0efa94b1d49b2a5fbdf99aba230bcdd0b5b2415c79cf746595e83a5ca6d5906c97ccec658bcec3daf3a05e45df6a1f7197c68925
-
C:\Users\Admin\AppData\Local\Temp\idoncn1a.cmdline
Filesize
266B
MD5
8d1ced5a993fd2eb7bc8bea9c7813b25
SHA1
f6baebc60814266a0799bc72a4a9a0c757d64346
SHA256
85f1f0b8ae0a32075a9f761fc27587e6fbd4e39b697e518e52f76f734d94b079
SHA512
b36bc4602784b1ca5570d95e14403fe577495e9078366900202aa64ca8a1594470f14bb61ad6d7cc8e121b1afc8c633c591e49ecfd50a867c5424686ec00fed7
-
C:\Users\Admin\AppData\Local\Temp\tmp5DCF.tmp.exe
Filesize
78KB
MD5
9cb6c77df4a94aaf2f201fddf5df7fb7
SHA1
6af721d47f162c554fd9791ca9036520c8a5f6bc
SHA256
d80253bfd652c85dbbc8af45785294bf21d58e91a3112165cbe3d5dd84887642
SHA512
21c09496999960c314025425694b33ff42baf0dd47c7d9572576411c0963f8f049154ca507edb985b96e981c47e3103aaabcbe491ad957bcfa047dbeb11a83a5
-
C:\Users\Admin\AppData\Local\Temp\vbcD246494BF4D44482A034A1173C3C98.TMP
Filesize
660B
MD5
e1efbb7095f3bddfdac0465aa4208f97
SHA1
b03d989a200c8a36d54288e216d595a72a89bd66
SHA256
9bf9faa3254bde28eccc92e45c58c05b2c6a438ab87c1a145e1127999e220ea0
SHA512
ea2a8f58bcb39d75cb9f268c622e01efbc7951b5d7b8394cb951a58c68dcdc706fa4bc970e87b36587d86c82d157c05c21c341fe08347c8deb05af60f7391f00
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB
MD5
8fd8e054ba10661e530e54511658ac20
SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
-
memory/2752-18-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/2752-9-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/3284-23-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/3284-24-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/3284-26-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/3284-27-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/3284-28-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/4696-2-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/4696-1-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB
-
memory/4696-0-0x00000000750F2000-0x00000000750F3000-memory.dmp
Filesize
4KB
-
memory/4696-22-0x00000000750F0000-0x00000000756A1000-memory.dmp
Filesize
5.7MB