Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-07-2024 05:27
Static task
static1
Behavioral task
behavioral1
Sample
f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Resource
win10v2004-20240709-en
General
-
Target
f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
-
Size
78KB
-
MD5
6decbc4c1e25065e0b08cd3cc00c5193
-
SHA1
582f4c9820129ce54bd5c74e545099a0d5eb2c68
-
SHA256
f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff
-
SHA512
7ae6290028171de3f86d2cf9e174c6604e57f5e5cb3e19e091ee5aceeab8547c063cc92d74834a35447db47538331b9fdc2d85501555618681df50941d7d2071
-
SSDEEP
1536:mHY6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLI9/9O1Yv:mHY8dSE2EwR4uY41HyvYLI9/H
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in use since 2013.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
-
Executes dropped EXE 1 IoCs
Processes: tmpB035.tmp.exe
pid | process
1316 | tmpB035.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: tmpB035.tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmpB035.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe, vbc.exe, cvtres.exe, tmpB035.tmp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB035.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe, tmpB035.tmp.exe
description | pid | process
Token: SeDebugPrivilege | 1756 | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Token: SeDebugPrivilege | 1316 | tmpB035.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe, vbc.exe
description | pid | process | target process
PID 1756 wrote to memory of 1964 | 1756 | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | vbc.exe
PID 1756 wrote to memory of 1964 | 1756 | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | vbc.exe
PID 1756 wrote to memory of 1964 | 1756 | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | vbc.exe
PID 1964 wrote to memory of 4780 | 1964 | vbc.exe | cvtres.exe
PID 1964 wrote to memory of 4780 | 1964 | vbc.exe | cvtres.exe
PID 1964 wrote to memory of 4780 | 1964 | vbc.exe | cvtres.exe
PID 1756 wrote to memory of 1316 | 1756 | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | tmpB035.tmp.exe
PID 1756 wrote to memory of 1316 | 1756 | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | tmpB035.tmp.exe
PID 1756 wrote to memory of 1316 | 1756 | f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe | tmpB035.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe"
Tree level: 1
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline"
Tree level: 2
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP"
Tree level: 3
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f09c1ec858431fd0d2462cbe0e9eb5363e5564e8a709f1eb8c0cd3b681037dff.exe
Tree level: 2
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESB16E.tmp
Filesize: 1KB
MD5: cccd1afad03e6d6c6b6c756ae943ea09
SHA1: 740fd4744f1c27b311167f3b23e0b2e5367d9a8f
SHA256: ef06eb833b90ea025446ddff566d0c234689c2a9be10c75e15a4f8e8a0140ccd
SHA512: dd8edcda325e433e71fbb905e0639da39e38375a4046bdb57d38cf614d7bcb8fc8e7ab3ed371ca50f462e3388d8a4d618498bd4fc8736d47ade0398257e2143d
-
C:\Users\Admin\AppData\Local\Temp\etflx7_s.0.vb
Filesize: 15KB
MD5: b6e076569014c1504f10f402b4500bf1
SHA1: 2d946dde31e3cac560dd3695a8c0d928c547c45b
SHA256: 840b439b955f3aade074b149ccb1bc49d6e2bed72599a9cadeafdecb1008043e
SHA512: d5cfefb7372d8df28296b26d88d160c3ddadac05d746bb8fa5840590ed19b4b3233aca0e3941916b2ccbd8c9de16a0526aca118ac51ebcee0c3caf75da60a814
-
C:\Users\Admin\AppData\Local\Temp\etflx7_s.cmdline
Filesize: 266B
MD5: de6785abee22a787c242bb23c60568d6
SHA1: 0cfc2c20e1b8227bc074fd63baab7be179e7e2c9
SHA256: 3bb0a7f3eaf624fda9feb401c9f763036174f13068e16137145bdd8d362a26f7
SHA512: d55c5feb6b12e317a38c7bbff1b35587e44c03d720307e7d1d12acb5f479aec140508675f82b6a5fffc45bb4c4c72020a538b427cdf1f866e55f4cc2edba7298
-
C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
Filesize: 78KB
MD5: 3bea4c1dab266d43a2c2b145ccdb570a
SHA1: a1f64d4fe16970ddb52a101e3aa052fd628efcae
SHA256: 8e20258dfac87f7906abb66111616d0baf0cd08db4944c84766a9629846a2369
SHA512: e3e61c53126af8669c767b0371a13f25bfba88fd6376da52f9401071977c469c690fcda2ae4f356afd0d9d96ae8efd4b161ecaa255f2074e445d00c3a7699431
-
C:\Users\Admin\AppData\Local\Temp\vbc7B58DEAC7A2B41089190DBC0AA458C7D.TMP
Filesize: 660B
MD5: 31786bb106ce27678c8cf47292f6e23e
SHA1: 8a1a798561a172f4a31c2a05ebb53f971ae0ddca
SHA256: e6e7babc0014aae8eeacf913253a4700ba363a2ea37926169bea56a923c80ac0
SHA512: 7a20a8b02d9d51e1442da55877bd67a79201ff4bc4efed796512f45463fc26f67cbfc7dba662609c98f382a359ca6ba6e373f3b64d37b34c4d79f7924c34c726
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize: 62KB
MD5: 6870a276e0bed6dd5394d178156ebad0
SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809
-
memory/1316-28-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1316-27-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1316-22-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1316-24-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1316-23-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1316-26-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1756-0-0x0000000074842000-0x0000000074843000-memory.dmp
Filesize: 4KB
-
memory/1756-1-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1756-21-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1964-8-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB
-
memory/1964-17-0x0000000074840000-0x0000000074DF1000-memory.dmp
Filesize: 5.7MB