Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2024 06:07
Static task: static1
Behavioral task: behavioral1
  Sample: 875aa8aeeb28f3646c22208934098420N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 875aa8aeeb28f3646c22208934098420N.exe
  Resource: win10v2004-20240709-en
General
Target: 875aa8aeeb28f3646c22208934098420N.exe
Size: 78KB
MD5: 875aa8aeeb28f3646c22208934098420
SHA1: 7d8851d051042a454e26c1f31e540b21b8fc250c
SHA256: da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c
SHA512: a577e9215c42f166e0c441792825412d9586d4edc7c3392c18942a108c40251ae77f4650e7444a031f64a620f3cd4a33014ca408a697db163481a8420e5f0e9a
SSDEEP: 1536:xBWV5jSuAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6o9/I1Td:rWV5jSuAtWDDILJLovbicqOq3o+nA9/4
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 875aa8aeeb28f3646c22208934098420N.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 875aa8aeeb28f3646c22208934098420N.exe
-
Executes dropped EXE 1 IoCs
Processes: tmp9F4D.tmp.exe
  pid | process
  3996 | tmp9F4D.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: tmp9F4D.tmp.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | tmp9F4D.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 875aa8aeeb28f3646c22208934098420N.exe, vbc.exe, cvtres.exe, tmp9F4D.tmp.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 875aa8aeeb28f3646c22208934098420N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9F4D.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 875aa8aeeb28f3646c22208934098420N.exe, tmp9F4D.tmp.exe
  description | pid | process
  Token: SeDebugPrivilege | 4632 | 875aa8aeeb28f3646c22208934098420N.exe
  Token: SeDebugPrivilege | 3996 | tmp9F4D.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 875aa8aeeb28f3646c22208934098420N.exe, vbc.exe
  description | pid | process | target process
  PID 4632 wrote to memory of 2456 | 4632 | 875aa8aeeb28f3646c22208934098420N.exe | vbc.exe
  PID 4632 wrote to memory of 2456 | 4632 | 875aa8aeeb28f3646c22208934098420N.exe | vbc.exe
  PID 4632 wrote to memory of 2456 | 4632 | 875aa8aeeb28f3646c22208934098420N.exe | vbc.exe
  PID 2456 wrote to memory of 2228 | 2456 | vbc.exe | cvtres.exe
  PID 2456 wrote to memory of 2228 | 2456 | vbc.exe | cvtres.exe
  PID 2456 wrote to memory of 2228 | 2456 | vbc.exe | cvtres.exe
  PID 4632 wrote to memory of 3996 | 4632 | 875aa8aeeb28f3646c22208934098420N.exe | tmp9F4D.tmp.exe
  PID 4632 wrote to memory of 3996 | 4632 | 875aa8aeeb28f3646c22208934098420N.exe | tmp9F4D.tmp.exe
  PID 4632 wrote to memory of 3996 | 4632 | 875aa8aeeb28f3646c22208934098420N.exe | tmp9F4D.tmp.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uobhuyvl.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc251E96B36A474761B81AEA78C4A734A.TMP"
            - System Location Discovery: System Language Discovery
    (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp  Filesize: 1KB
- C:\Users\Admin\AppData\Local\Temp\tmp9F4D.tmp.exe  Filesize: 78KB
- C:\Users\Admin\AppData\Local\Temp\uobhuyvl.0.vb  Filesize: 14KB
- C:\Users\Admin\AppData\Local\Temp\uobhuyvl.cmdline  Filesize: 266B
- C:\Users\Admin\AppData\Local\Temp\vbc251E96B36A474761B81AEA78C4A734A.TMP  Filesize: 660B
- C:\Users\Admin\AppData\Local\Temp\zCom.resources  Filesize: 62KB
- memory/2456-18-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/2456-9-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/3996-23-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/3996-24-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/3996-25-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/3996-26-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/3996-27-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/4632-2-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/4632-0-0x0000000074C62000-0x0000000074C63000-memory.dmp  Filesize: 4KB
- memory/4632-1-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB
- memory/4632-22-0x0000000074C60000-0x0000000075211000-memory.dmp  Filesize: 5.7MB