Analysis Overview
SHA256
6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963f
Threat Level: Known bad
The file 6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN was found to be: Known bad.
Malicious Activity Summary
MetamorpherRAT
Metamorpherrat family
Uses the VBS compiler for execution
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 09:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 09:49
Reported
2024-11-06 09:51
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
MetamorpherRAT
Metamorpherrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sbscmp20_mscorlib.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe
"C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1biorxq3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB1E1.tmp"
C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bejnz.com | udp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| TR | 78.188.3.203:80 | | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| TR | 78.188.3.203:80 | | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| TR | 78.188.3.203:80 | | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
| TR | 78.188.3.203:80 | | tcp |
| US | 44.221.84.105:80 | bejnz.com | tcp |
Files
memory/1800-0-0x00000000741A1000-0x00000000741A2000-memory.dmp
memory/1800-1-0x00000000741A0000-0x000000007474B000-memory.dmp
memory/1800-3-0x00000000741A0000-0x000000007474B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1biorxq3.cmdline
| MD5 | cb25160e1c3ea39a6c2ed7e67baa8761 |
| SHA1 | 63c4fab1a43d0246fa3c7af59e88e72428db12e7 |
| SHA256 | 0299ba465826dbbdee1754cdbfd4e1073532f30ed3771da7fcf2fc84684d99eb |
| SHA512 | f705b8e1b21dca236b255adea4fef103cd9eb255611df2887a16650f96ba619edcf3afc7bfefd9246201db380e7ec14e1945c72304e3f72e3c3ee0d945aafdf7 |
memory/1140-8-0x00000000741A0000-0x000000007474B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1biorxq3.0.vb
| MD5 | dfcf8f45f88ac6a9d4958c6eca700de7 |
| SHA1 | a46c09dcb595af3ca3a3da4cd1c479ced289fa22 |
| SHA256 | dc58cd13e82c2d8c15bc046898a5a9671a5c917bdf7cbdaacd27295391d618a6 |
| SHA512 | 685a58156519fa13d3faba98f41e9a3437f5f7b04b5b5b994723179fbe5d6cf579cd670fbbd9146fa5f3d674b6ee68142af3eaf7918e7af080b3209a5930e90c |
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8481b7e4924c14743ffc0d34075e2ce3 |
| SHA1 | e8e7ef480499ba85190b8d5f8e43f761850b0ef3 |
| SHA256 | 6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac |
| SHA512 | 3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1 |
C:\Users\Admin\AppData\Local\Temp\vbcB1E1.tmp
| MD5 | 4b078cc031ac8e7e33df12369cb00be8 |
| SHA1 | 12e78a623ddad4569a9a351dbbcc50c69e5f2b09 |
| SHA256 | 36512b63d65ec642e866a2420e23f5978b3b2274d27c6d363e2970757956555f |
| SHA512 | 604f3a47842870e1a6bc4bcac229c3d83db7fe759463e245fff7badc5bb0a589f3978ad5b760f2f5f32567d2fb2dc8e6e7bc9803df6fdd8d1a84226a2dc9d6ee |
C:\Users\Admin\AppData\Local\Temp\RESB1E2.tmp
| MD5 | b906ef195ed6d0380337ca9903f1ef48 |
| SHA1 | ff2fd05b751d3d89296de7d859ff2047eb78aa7c |
| SHA256 | b1e4ed487c9e70ab0ab7c6694b0afbcd47d80cbaab8b8c56363a592462872fec |
| SHA512 | d826dd49a2f8dd1848c89c1b7c0e060e490e1213b9af840bc2e0d1069fe760a1e3aa5f93d1fccf7b7157dc68368d38b29baf4454bb01b1715c0e86681809f49c |
memory/1140-18-0x00000000741A0000-0x000000007474B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp.exe
| MD5 | e79f608e61a5d6442530368667da06c0 |
| SHA1 | 99a08e91b0539f7066ef4014c0646ef01a0262df |
| SHA256 | b110f2b8f3767935ed02e495913f325c1ee874cea6f63dfbcc6174e26ae0bb69 |
| SHA512 | a951b265f8d0aef0e384e1bd438012f87d220c67880786d04e4d6901fd9ecdb812aff6eb0ca360c0adfea2b284de58fa882b982b235a191c8d44952b89d91177 |
memory/1800-24-0x00000000741A0000-0x000000007474B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 09:49
Reported
2024-11-06 09:51
Platform
win10v2004-20241007-en
Max time kernel
102s
Max time network
102s
Command Line
Signatures
Uses the VBS compiler for execution
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe
"C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3v-bllh0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF53A58C8B20541B79389557A856F2F56.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 948
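Detection logic for the execution chain recorded in the two process trees above (behavioral1 on win7 and behavioral2 on win10), written here as an added example; it is not code from the sandbox or from the report. In both runs the sample drives the .NET 2.0 vbc.exe to compile a response file sitting in %TEMP%, and vbc.exe hands the resource step to cvtres.exe. On win7 the compiled tmpB00D.tmp.exe is then executed and writes a Run value pointing at sbscmp20_mscorlib.exe in %TEMP%; on win10 no dropped PE appears in the file list and dw20.exe, the .NET Framework error-reporting process, is spawned instead, so only the compile stage ran there. The Event record shape, the PIDs other than those visible in the memory-dump names (1800, 1140, 3560, 4060), and every parent link are constructed assumptions modelled on the order of the report's process trees.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One sandbox/EDR record (a constructed, simplified shape, not the sandbox's own)."""
    kind: str            # "process" (creation) or "registry" (value written)
    pid: int
    ppid: int
    image: str           # image path of the acting process
    cmdline: str = ""    # process records only
    reg_path: str = ""   # registry records only: full value path
    reg_data: str = ""   # registry records only: data written


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
# Matches both the native and the Wow6432Node view of the Run key.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (verdict, findings) for the event list of one detonation."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    compile_roots = set()   # pids of processes that drove a vbc.exe compile

    # Stage 1: vbc.exe compiling a response file that lives in %TEMP%.
    for e in procs.values():
        parent = procs.get(e.ppid)
        m = RESPONSE_FILE.search(e.cmdline)
        if image_name(e.image) == "vbc.exe" and m and TEMP_DIR.search(m.group(1)) and parent:
            compile_roots.add(parent.pid)
            findings.append(f"{image_name(parent.image)} (pid {parent.pid}) drove vbc.exe to compile {m.group(1)}")

    # Stage 2: the same driver runs a PE out of %TEMP% (success) or dies into dw20.exe (crash).
    dropped = crashed = False
    for e in procs.values():
        parent = procs.get(e.ppid)
        if image_name(e.image) == "dw20.exe":
            crashed = True
            findings.append(f"dw20.exe spawned by pid {e.ppid}: .NET error reporting, the stage raised an unhandled exception")
        elif parent and parent.pid in compile_roots and TEMP_DIR.search(e.image) and e.image.lower().endswith(".exe"):
            dropped = True
            findings.append(f"{image_name(parent.image)} executed dropped PE {e.image}")

    # Stage 3: a Run value whose data points back into %TEMP%.
    persisted = False
    for e in events:
        if e.kind == "registry" and RUN_KEY.search(e.reg_path) and TEMP_DIR.search(e.reg_data):
            persisted = True
            value_name = e.reg_path.rsplit("\\", 1)[-1]
            findings.append(f"{image_name(e.image)} set Run value {value_name} -> {e.reg_data}")

    if compile_roots and dropped and persisted:
        verdict = "full chain: compile, drop, execute, persist"
    elif compile_roots and crashed and not dropped:
        verdict = "compile stage only: the driver crashed before a dropped stage ran"
    elif compile_roots:
        verdict = "suspicious vbc.exe compile from %TEMP%"
    else:
        verdict = "no vbc.exe compile chain"
    return verdict, findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6f4f5ee70f4857e18ac4561f1e7f18f2b64567fc1dac542b2eddf11c1230963fN.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the behavioral1 (win7) process tree. Pids 1800 and 1140 come from
# the memory-dump names; the other pids and all parent links are assumed.
WIN7_EVENTS = [
    Event("process", 1800, 1000, SAMPLE, '"' + SAMPLE + '"'),
    Event("process", 1140, 1800, FW + r"\vbc.exe", '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\1biorxq3.cmdline"'),
    Event("process", 1150, 1140, FW + r"\cvtres.exe", FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESB1E2.tmp" "' + TEMP + r'\vbcB1E1.tmp"'),
    Event("process", 1160, 1800, TEMP + r"\tmpB00D.tmp.exe", '"' + TEMP + r'\tmpB00D.tmp.exe" ' + SAMPLE),
    Event("registry", 1160, 1800, TEMP + r"\tmpB00D.tmp.exe",
          reg_path=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System.Management",
          reg_data=TEMP + r"\sbscmp20_mscorlib.exe"),
]

# Constructed from the behavioral2 (win10) process tree. Pids 3560 and 4060 come from
# the memory-dump names; dw20.exe's pid and its parent link are assumed.
WIN10_EVENTS = [
    Event("process", 3560, 1000, SAMPLE, '"' + SAMPLE + '"'),
    Event("process", 4060, 3560, FW + r"\vbc.exe", '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\3v-bllh0.cmdline"'),
    Event("process", 4070, 4060, FW + r"\cvtres.exe", FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESA75C.tmp" "' + TEMP + r'\vbcF53A58C8B20541B79389557A856F2F56.TMP"'),
    Event("process", 4080, 3560, FW + r"\dw20.exe", "dw20.exe -x -s 948"),
]

if __name__ == "__main__":
    for label, evts in (("behavioral1", WIN7_EVENTS), ("behavioral2", WIN10_EVENTS)):
        verdict, notes = analyze(evts)
        print(label, "->", verdict)
        for n in notes:
            print("   ", n)
```

The check keys on the relationship between stages rather than on any one indicator: vbc.exe and cvtres.exe are legitimate framework binaries, and a response-file compile is normal from Visual Studio or MSBuild, but a compile whose .cmdline lives in %TEMP% and whose driver is itself an executable in %TEMP% is the pattern that matters, and the Run value is matched on its data path so the Wow6432Node redirection seen in behavioral1 does not matter. The dw20.exe branch is the caveat worth keeping: an analysis that shows only the compile stage and an error-reporting spawn has not observed the payload, so the win10 run should not be read as evidence that the sample is inert there.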
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/3560-0-0x0000000074DA2000-0x0000000074DA3000-memory.dmp
memory/3560-1-0x0000000074DA0000-0x0000000075351000-memory.dmp
memory/3560-2-0x0000000074DA0000-0x0000000075351000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3v-bllh0.cmdline
| MD5 | d910399728a67ba8b8fbaddc8604bf4d |
| SHA1 | 45595ac696d3bd319b640c7b075625d529a24db7 |
| SHA256 | 95ae17cef5005b3deecbe65ce2a1aefbf6d072cde90a98c444dd5063333b12e5 |
| SHA512 | 7e22bcffbf77f6754a2a3d17eb93efe47b10fd208813acf3101829aaea4a09c7fc7ba961817f1d35be00644dacb00bafbb75d4a45ee13b12a71f955f6deddb6d |
C:\Users\Admin\AppData\Local\Temp\3v-bllh0.0.vb
| MD5 | 5595df5737a454cd8096298a7762ff7c |
| SHA1 | 0b550611bccab0fef70c61c74d63b1ec4c388883 |
| SHA256 | 6ef5a1403ddd140d854c04147398ad49bce5c1aa32755099b1f4c83ebbd525c2 |
| SHA512 | e66eb4afcc9cad69bf10861aed1582581393d446d0494a39597b89c18e2a09c9ad2e2221737e5c10a5654f75ddeec549274d27715a0a2f41b06b7d5548b20ce9 |
memory/4060-9-0x0000000074DA0000-0x0000000075351000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zCom.resources
| MD5 | 8481b7e4924c14743ffc0d34075e2ce3 |
| SHA1 | e8e7ef480499ba85190b8d5f8e43f761850b0ef3 |
| SHA256 | 6110931ed1cb1b1a141d4a12044a062646f14be3566a286106e5f59ceaddc4ac |
| SHA512 | 3c4ee8221c5238aed57e4fdbcd74833edcf46d5ed602840b5265438538405b4378a1966e9cd0c34a5ce52d0afe7bd7e0d9aac6b420e515fe1ea52477f957a7e1 |
C:\Users\Admin\AppData\Local\Temp\vbcF53A58C8B20541B79389557A856F2F56.TMP
| MD5 | a40b2d067a295339be7f3697b17ad163 |
| SHA1 | 69e91058626f9bcbda2d27cc3dd36789000251b3 |
| SHA256 | 6e09e442ed93c6fbf4b9eebfc367f5da12f9e0e2f94a349f6defdb80a04d3afb |
| SHA512 | bd3a8c3bed36aa99887d6e7e2e50a4c9251563908fbac36aad9eb2ac6dfc8ae6b0f7480fbc3fc94a7fa77ccb3a4a65d306a77f9e983260376db862254ed2cdeb |
C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp
| MD5 | 35d03afd1956ae43c656f350a4dadbf7 |
| SHA1 | b0a801177e4a1372b4a996cc29257b356996aaed |
| SHA256 | 4d25a7871932ca1fb7b4d958726858385859df4fa55b5a93ac8d6dd7e5f2a728 |
| SHA512 | 0bfdd109718a868c817989d13d4d0c728ee012772325b347e14641da6d753df7d1b706d3df93ad92631a91fc115a6a35feb074fefa88645e15dd05153aff3907 |
memory/4060-18-0x0000000074DA0000-0x0000000075351000-memory.dmp
memory/3560-26-0x0000000074DA0000-0x0000000075351000-memory.dmp