Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-07-2024 18:56

Static task: static1
Behavioral task: behavioral1
  Sample: 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
  Resource: win10v2004-20240709-en
General
Target: 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
Size: 78KB
MD5: 6720be5e3ae5ab893f0a2c5a882a1299
SHA1: 4e6839b86611b77164e8c0916c92e9365ec19f86
SHA256: 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0
SHA512: 6d5d61ad6578702a7cb0ca155863454857fb4a78dcff542633e52d781388d8418cbb5144ec6de028404293d528f465da71f2b5277708a8f7faab8b7f942cfdf6
SSDEEP: 1536:wc58sXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6n9/dw1mN:wc58USyRxvhTzXPvCbW2Uv9/V
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access trojan (RAT) that has been in circulation since 2013.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe: key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation

Deletes itself (1 IoC)
Processes:
  tmpBFB6.tmp.exe (PID 4088)

Executes dropped EXE (1 IoC)
Processes:
  tmpBFB6.tmp.exe (PID 4088)

Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  tmpBFB6.tmp.exe: set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "C:\Users\Admin\AppData\Local\Temp\System.Web.exe" (the surrounding quotes are part of the stored value)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe (PID 4832): Token: SeDebugPrivilege
  tmpBFB6.tmp.exe (PID 4088): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source -> target, three writes recorded for each pair):
  PID 4832 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe -> PID 2184 vbc.exe
  PID 2184 vbc.exe -> PID 2304 cvtres.exe
  PID 4832 1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe -> PID 4088 tmpBFB6.tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F5935E293E4DD68C2BCDBB9DEAA4.TMP"
   2. C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
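The process tree above is a self-compiling dropper: the sample hands a Visual Basic source file (bkyzu9v5.0.vb) and a compiler response file (bkyzu9v5.cmdline) to vbc.exe, which calls cvtres.exe to build a resource object, and the sample then launches a freshly written tmpBFB6.tmp.exe from the same Temp directory with its own path as an argument; that child deletes the original and persists through the Run value aspnet_state_perf. The detection logic below is an added example and is not part of the sandbox report. It encodes that chain as rules over a constructed, Sysmon-style event list rebuilt from the report's PIDs, paths and registry keys; the Event class, the explorer.exe parent with PID 1000 and the DEV_PARENTS allowlist are assumptions of the example, not data from the report.

```python
"""Detection rules for the self-compiling dropper chain, run over constructed
Sysmon-style events (an added example, not telemetry from the sandbox)."""
import re
from dataclasses import dataclass

# Patterns derived from the report's IoCs; all path matching is case-insensitive.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
NET_COMPILER = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(vbc|csc)\.exe$", re.I)
TEMP_CMDLINE_ARG = re.compile(r'@"?[^"\s]*\\Temp\\[^"\s\\]+\.cmdline', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Assumed allowlist: parents from which a compiler launch is expected (tune per estate).
DEV_PARENTS = re.compile(r"\\(devenv|msbuild|dotnet)\.exe$", re.I)


@dataclass
class Event:
    """Minimal stand-in for a Sysmon process-create or registry event (assumption)."""
    kind: str             # "process" or "registry"
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    op: str = ""          # registry only: "query" or "set"
    key: str = ""
    value: str = ""


def analyse(events):
    """Return findings as dicts with rule, pid and detail; rules mirror the report's signatures."""
    findings = []
    for e in events:
        if e.kind == "process":
            # vbc.exe/csc.exe driven by a response file in Temp, launched by something
            # other than a build tool: compile-after-delivery (ATT&CK T1027.004).
            if (NET_COMPILER.search(e.image) and TEMP_CMDLINE_ARG.search(e.cmdline)
                    and not DEV_PARENTS.search(e.parent_image)):
                findings.append({"rule": "compile_after_delivery", "pid": e.ppid, "detail": e.cmdline})
            # A Temp-resident executable starting another Temp-resident executable.
            if TEMP_DIR.search(e.image) and TEMP_DIR.search(e.parent_image):
                findings.append({"rule": "ran_dropped_exe", "pid": e.ppid, "detail": e.image})
        elif e.kind == "registry":
            if e.op == "query" and GEO_NATION.search(e.key):
                findings.append({"rule": "geo_nation_check", "pid": e.pid, "detail": e.key})
            elif e.op == "set" and RUN_KEY.search(e.key) and TEMP_DIR.search(e.value):
                # Run-key persistence pointing into Temp (ATT&CK T1547.001).
                findings.append({"rule": "run_key_to_temp", "pid": e.pid,
                                 "detail": f"{e.key} = {e.value}"})
    # Correlation: one process that both compiled code at runtime and then ran a
    # Temp executable is the self-compiling dropper pattern in the report above.
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f["pid"], set()).add(f["rule"])
    for pid, rules in rules_by_pid.items():
        if {"compile_after_delivery", "ran_dropped_exe"} <= rules:
            findings.append({"rule": "self_compiling_dropper", "pid": pid,
                             "detail": "runtime compile followed by dropped-exe launch"})
    return findings


# Constructed events rebuilt from the report's process tree and registry IoCs.
# The explorer.exe parent (PID 1000) is assumed; the report does not show it.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1666438ef3b2cedd0a586b0c673f803db06ff729e72a1ae5bf206b1df2bcb4e0.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe"
HKU = r"HKU\S-1-5-21-3419463127-3903270268-2580331543-1000"

SAMPLE_EVENTS = [
    Event("process", 4832, SAMPLE, 1000, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    Event("registry", 4832, SAMPLE, op="query", key=HKU + r"\Control Panel\International\Geo\Nation"),
    Event("process", 2184, VBC, 4832, SAMPLE,
          f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\bkyzu9v5.cmdline"'),
    Event("process", 2304, CVTRES, 2184, VBC, f"{CVTRES} /NOLOGO /READONLY /MACHINE:IX86"),
    Event("process", 4088, DROPPED, 4832, SAMPLE, f'"{DROPPED}" {SAMPLE}'),
    Event("registry", 4088, DROPPED, op="set",
          key=HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf",
          value=r'"C:\Users\Admin\AppData\Local\Temp\System.Web.exe"'),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f['rule']:24} pid={f['pid']:<5} {f['detail']}")
```

Two caveats when moving these rules onto real telemetry. Sysmon records registry value writes (Event ID 13) but not reads, so the Geo\Nation query that the sandbox captured through API monitoring will not appear in Sysmon data; the geo_nation_check rule only pays off on an EDR feed that logs registry reads. And the Run value points at System.Web.exe, which is absent from the report's file list below, so on a live host the persisted path should be checked rather than assumed to exist.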
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\RESC18B.tmp
  Filesize: 1KB
  MD5: 7c2c5c8589e2f22456390bd8f1b9ee48
  SHA1: 8ecb1ed3b82a8ebe5ca813e776002a377eb9fc41
  SHA256: f0f6ed3e5860daa0809e511f30f77697d9cfff9723e8420b5cde689dcbf76c8e
  SHA512: a454f988857a5707c17550c6d5c66bebd0c5da16b4cced011ccaab1dedce5ac6c311947728b883ad21803ae6ab034254e7f64c85be1380288842fbc08cf18361

C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.0.vb
  Filesize: 14KB
  MD5: 8f778391b1234b4e3bb9c0d959b6e8d6
  SHA1: 65a65d8bc52fb6b0001a27763ebad00a6c38bc44
  SHA256: 229a1905faeb8cd8e68ba6321e2cbf7a86cc180c166c3fd5bf793c1ed7618aba
  SHA512: 80bbffce44d1fbf1ad7f87b0ee199b47891fc6e3899803b2760d9c0ec8829e7479664193cc083dbe32eb6697f5e7a8a8337d1dda43896fc217ae9b822fcefad8

C:\Users\Admin\AppData\Local\Temp\bkyzu9v5.cmdline
  Filesize: 266B
  MD5: 3f1b759e9be1ef0d102eb999bd8dc4e6
  SHA1: d4121d00af8ba6e4769f1ca02b6bc15d7a5115ff
  SHA256: f9016cb79596ffc162a9e43359b343904d48b1e43ae3bf5e7ef8efc26dfe354b
  SHA512: 61285f1fc5c856a227f7398df9cc3cfe73b0764c42ee4f28dd6db227781d903ecbbe8a41f626c12bdca00d94ea1b3c3d3518f8a217b64a81f5c9251d759c3d66

C:\Users\Admin\AppData\Local\Temp\tmpBFB6.tmp.exe
  Filesize: 78KB
  MD5: 77bece14d2fc91bb861648c99f856c10
  SHA1: 93d819e04c290002f77cd2b14706f5fc3410c297
  SHA256: ca479aeefc42f7dd4358cba7d44227e934370b378598aa0d73f362e1307ae16d
  SHA512: 30d07ee917786efe4ef1c3d4d82018136968a32b991a645151304e1be3bd66e6802fbe4c992f5c703bb372af0b964076fdf67f7a6b3a9e32bc447fdaf378cbde

C:\Users\Admin\AppData\Local\Temp\vbc6F5935E293E4DD68C2BCDBB9DEAA4.TMP
  Filesize: 660B
  MD5: 5ba9f4cbc96ba3097d284292d045c7da
  SHA1: 3ef23512a501a43dd06dd40922d88f57b3385b80
  SHA256: bf325084b67bf5ec8755dc57ad7dcc03a41ec8a0a8b51104700ed80e4988bea7
  SHA512: 6aacf2ef01bde92e95dacb5df3d2a60f95efdfb9c540a08f1ac8df4475e945d9f99df5b213f99da1636034aea69299275c6da7ecc7a5c02e9470e0e350992dd3

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Memory dumps (PID-index-start-end):
  memory/2184-18-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/2184-9-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4088-23-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4088-24-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4088-26-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4088-27-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4088-28-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4832-2-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4832-1-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB
  memory/4832-0-0x0000000074762000-0x0000000074763000-memory.dmp: 4KB
  memory/4832-22-0x0000000074760000-0x0000000074D11000-memory.dmp: 5.7MB