Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2024 16:00

Static task: static1
Behavioral task: behavioral1
  Sample: d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
  Resource: win10v2004-20241007-en
General
Target: d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
Size: 78KB
MD5: aa278ddc64eabce4672cf632f31cd4ff
SHA1: a30fd5c29fc9eaa4cddac9acc0f25dfb75179dd0
SHA256: d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5
SHA512: e586bebcc77ebe0672358955121dfaba0b68264c07fac0db3b224d283c8fa4ebe67b20f7c17e57eaf229c73fd8b6eec2d6f959c11245e672291f316f36df3f48
SSDEEP: 1536:dRy58RXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6i9/L1X7:dRy58RSyRxvY3md+dWWZyK9/t
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe

Executes dropped EXE (1 IoC)
pid | Process
4320 | tmp7A50.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmp7A50.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7A50.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 220 | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
Token: SeDebugPrivilege | 4320 | tmp7A50.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 220 wrote to memory of 1348 | 220 | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | 84
PID 220 wrote to memory of 1348 | 220 | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | 84
PID 220 wrote to memory of 1348 | 220 | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | 84
PID 1348 wrote to memory of 2104 | 1348 | vbc.exe | 88
PID 1348 wrote to memory of 2104 | 1348 | vbc.exe | 88
PID 1348 wrote to memory of 2104 | 1348 | vbc.exe | 88
PID 220 wrote to memory of 4320 | 220 | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | 90
PID 220 wrote to memory of 4320 | 220 | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | 90
PID 220 wrote to memory of 4320 | 220 | d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe | 90
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 220

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lyxlnmrn.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1348

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC64440D76494C05A81971A55A3BB74.TMP"
            - System Location Discovery: System Language Discovery
            PID: 2104

    [2] C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7A50.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 4320
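The signatures and process tree above describe one behaviour chain: the sample in %TEMP% drives vbc.exe with a response file, launches a dropped tmp7A50.tmp.exe from %TEMP%, that dropper writes a HKCU Run value pointing back into %TEMP%, and the sample reads Geo\Nation. The following is an added detection example written for this page; it is not sandbox output and not code from the sample. The event records are constructed from the report's process tree and registry IoCs; the Sysmon-like field names, the unknown parent of PID 220 (left as None), the BUILD_DRIVERS allow-list and the benign MSBuild control event are assumptions.

```python
"""Rules for the chain this report records: a binary in %TEMP% driving vbc.exe
with a response file, a dropped tmp*.tmp.exe launched from %TEMP%, a HKCU Run
value pointing back into %TEMP%, and a Geo\\Nation lookup by the %TEMP% binary.
Added example; the event layout (Sysmon-like keys) is an assumption."""
import re

TEMP_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
GEO_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.IGNORECASE)
# Assumed allow-list: parents that legitimately drive the .NET command-line compilers.
BUILD_DRIVERS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "aspnet_compiler.exe", "w3wp.exe"}


def basename(path):
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return bool(path) and TEMP_RE.search(path) is not None


def rule_compiler_abuse(ev):
    """vbc.exe/csc.exe given a response file by a parent that is not a build tool."""
    if ev["type"] != "ProcessCreate" or basename(ev["image"]) not in {"vbc.exe", "csc.exe"}:
        return None
    parent = ev.get("parent_image")
    if basename(parent) in BUILD_DRIVERS and not in_temp(parent):
        return None
    cmd = ev["cmdline"].lower()
    if "/noconfig" in cmd and "@" in cmd:
        return ("compiler_abuse", ev["pid"], f"{basename(ev['image'])} spawned by {basename(parent) or 'unknown parent'}")
    return None


def rule_temp_dropped_exe(ev):
    """A binary in %TEMP% executing another binary in %TEMP% (dropped payload)."""
    if ev["type"] == "ProcessCreate" and in_temp(ev["image"]) and in_temp(ev.get("parent_image")):
        return ("temp_dropped_exe", ev["pid"], basename(ev["image"]))
    return None


def rule_run_key_to_temp(ev):
    """Run/RunOnce value whose data points into %TEMP%."""
    if ev["type"] == "RegistryValueSet" and RUN_KEY_RE.search(ev["target"]) and in_temp(ev["data"]):
        return ("run_key_to_temp", ev["pid"], ev["target"].rsplit("\\", 1)[-1] + " = " + ev["data"])
    return None


def rule_geofence_lookup(ev):
    """Geo\\Nation read by a process running from %TEMP%; weak alone, useful in a chain."""
    if ev["type"] == "RegistryQuery" and GEO_RE.search(ev["target"]) and in_temp(ev["image"]):
        return ("geofence_lookup", ev["pid"], "Geo\\Nation queried")
    return None


RULES = (rule_compiler_abuse, rule_temp_dropped_exe, rule_run_key_to_temp, rule_geofence_lookup)


def detect(events):
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def root_of(pid, parents):
    seen = set()
    while pid in parents and pid not in seen:  # stop on an unknown parent or a PID cycle
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events, min_rules=2):
    """Attribute hits to the root of each process chain; report roots that trip
    at least min_rules distinct rules (the chain above trips all four)."""
    parents = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "ProcessCreate" and ev.get("ppid")}
    by_root = {}
    for name, pid, _ in detect(events):
        by_root.setdefault(root_of(pid, parents), set()).add(name)
    return {root: sorted(names) for root, names in by_root.items() if len(names) >= min_rules}


# Constructed from the report's process tree and registry IoCs. The parent of PID 220 is not
# in the report (left as None); the MSBuild event is a constructed benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d8bb242b667097169c2e9538185ce6b0a4c9af43a3837118e6f45d17296ec5b5.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
HKU = r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000"
EVENTS = [
    {"type": "ProcessCreate", "pid": 220, "ppid": None, "image": SAMPLE, "parent_image": None, "cmdline": f'"{SAMPLE}"'},
    {"type": "RegistryQuery", "pid": 220, "image": SAMPLE, "target": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "ProcessCreate", "pid": 1348, "ppid": 220, "image": NET2 + r"\vbc.exe", "parent_image": SAMPLE,
     "cmdline": f'"{NET2}\\vbc.exe" /noconfig @"{TMP}\\lyxlnmrn.cmdline"'},
    {"type": "ProcessCreate", "pid": 2104, "ppid": 1348, "image": NET2 + r"\cvtres.exe", "parent_image": NET2 + r"\vbc.exe",
     "cmdline": f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TMP}\\RES7C83.tmp" "{TMP}\\vbcEC64440D76494C05A81971A55A3BB74.TMP"'},
    {"type": "ProcessCreate", "pid": 4320, "ppid": 220, "image": TMP + r"\tmp7A50.tmp.exe", "parent_image": SAMPLE,
     "cmdline": f'"{TMP}\\tmp7A50.tmp.exe" {SAMPLE}'},
    {"type": "RegistryValueSet", "pid": 4320, "image": TMP + r"\tmp7A50.tmp.exe",
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes", "data": f'"{TMP}\\big5.exe"'},
    {"type": "ProcessCreate", "pid": 5000, "ppid": 4999, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Program Files\MSBuild\msbuild.exe", "cmdline": r'vbc.exe /noconfig @"C:\proj\obj\app.rsp"'},
]

if __name__ == "__main__":
    for name, pid, detail in detect(EVENTS):
        print(f"{name:18} pid={pid:<5} {detail}")
    print("chains:", correlate(EVENTS))
```

Each rule is deliberately weak on its own (developers run vbc.exe, installers write Run keys, locale-aware software reads Geo\Nation); the value is in correlate(), which walks the parent chain so that hits from PIDs 220, 1348 and 4320 all land on the root sample and the chain is reported once. The cvtres.exe child is left alone because it is the normal child of vbc.exe, and the MSBuild control event shows the allow-list suppressing the compiler rule for a build tool that is not itself running from %TEMP%.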
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 104335c2c50f941d9f7bc41048d78392
SHA1: 0ce674f43952394bbcbefb38c68874598ccf53d6
SHA256: f75c8b74acfc7579cc3fb3c86975d933e5dd4787d8d2a063800190642a7bbc63
SHA512: 2a02107f99ba59edbe14181fe77166ccdb4e361128717cfcfff30a1dc36242ac001e0313c2cf3f8d3f05e2bb86135440ed871536d306001455ff079d075ead0e

Filesize: 14KB
MD5: c8330ec979deb05a297fd39ea659b6c6
SHA1: 0c90f8b03bc4c9ab242f7b11b9932e68327e5129
SHA256: aa016718f760d2f729bae273f134fd90620956ca27ec7e87fb8055547c285089
SHA512: a527e8a5c67e1e2f8cc534d2ae1e3b23111eb031bbacc990640cc47f40ca0b58b1321e4b38a6673d2d0b62c59047263da11adbde9673e4f95ff0b799826a8b19

Filesize: 266B
MD5: 4bc701adb6c3473eb83d47d1d6d7fa77
SHA1: ff907566a80a3cc62029cd86f3a01aa51f088dcc
SHA256: 22fd77be8c2cbda7e71cade24683c2c7305affe8802d7050ce3e21fdd3e3d928
SHA512: d044ba0a5567a531f0564077ee6e054258d86fac20c0313e368f7c051cb58fe17abf998326d23b19a6e411664c7f38e8863130bb626d55c4ead79fbeda6344fe

Filesize: 78KB
MD5: a90be595c5b76d4c8941c4bf3990bec9
SHA1: c73b91f13aa267fea163fd7d2f3502301a43f003
SHA256: d98d574faa2298a525f89330a4063d7d29f253a62eb772a521510ad565195edc
SHA512: 6e566dc36bbed105eba684cf76470d1aba9619769aa725cc86d98d328878b8ee0247eb995fa451228134ab037db58ad21fb27a5a0708ff457b4106c8768f97dd

Filesize: 660B
MD5: cfaa3beea2dd2952faa678cf1833df50
SHA1: f96729eb64a0456436d2a5b49f871392daff844d
SHA256: 0a141d98bd3720d6ba13a1c1d80cb52bdfddeba66efa1ba9de2279093a8014e1
SHA512: 38d786a62d5a257ae650b9a532adc04e1a263d537baafc2461fb867748d1b863a441aa60a6cda198cb7ee89d0394a6f992ee8082751a084879faa5977c47d004

Filesize: 62KB
MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107