Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 25-10-2024 21:28
Static task: static1
Behavioral task: behavioral1
  Sample: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe
  Resource: win10v2004-20241007-en
General
Target: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe
Size: 78KB
MD5: 132924522d6f601fdd5c7b3a68108e1f
SHA1: fcde9697427c4adaefbacf41c376d19e1a1cc38c
SHA256: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53
SHA512: 0cdeeb277a1d2e8761c096a6d7cffe6dcb8461299d9099a72fe42269478d5e84458e0f6cf03544b6fa9fa8f4f6054e9536d0b5bd314e58a268ffd351e5927de1
SSDEEP: 1536:K95jShvZv0kH9gDDtWzYCnJPeoYrGQtC6A9/f1T4:w5jShl0Y9MDYrm7I9/K
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe)
Deletes itself (1 IoC)
  PID 4736: tmpC350.tmp.exe

Executes dropped EXE (1 IoC)
  PID 4736: tmpC350.tmp.exe

Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" (process: tmpC350.tmp.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpC350.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4076 (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe)
  Token: SeDebugPrivilege, PID 4736 (process: tmpC350.tmp.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4076 wrote to memory of 1904 (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe, procid_target: 88)
  PID 4076 wrote to memory of 1904 (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe, procid_target: 88)
  PID 4076 wrote to memory of 1904 (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe, procid_target: 88)
  PID 1904 wrote to memory of 2432 (process: vbc.exe, procid_target: 92)
  PID 1904 wrote to memory of 2432 (process: vbc.exe, procid_target: 92)
  PID 1904 wrote to memory of 2432 (process: vbc.exe, procid_target: 92)
  PID 4076 wrote to memory of 4736 (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe, procid_target: 94)
  PID 4076 wrote to memory of 4736 (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe, procid_target: 94)
  PID 4076 wrote to memory of 4736 (process: 4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe, procid_target: 94)
Processes

C:\Users\Admin\AppData\Local\Temp\4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe"
  PID: 4076
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dz0hvvt0.cmdline"
    PID: 1904
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC43A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE69A8BE27EA948A0AFCEF0D387FCB3.TMP"
      PID: 2432
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC350.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b2e1060cff24415c0960351de6e6dbecb397378d6eeabedfebc182dc0bb5f53.exe
    PID: 4736
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads