Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-11-2024 04:42
Static task: static1
Behavioral task: behavioral1
- Sample: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
- Resource: win10v2004-20241007-en
General
- Target: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
- Size: 78KB
- MD5: d440bae961f4557a1bb93cedd786ee25
- SHA1: 7e3fd7de63df6e9cd6c5a585575a817e3c9361a3
- SHA256: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7
- SHA512: 9d6e6bfb03a9531d8791b1aa7bb95f77f32dcae2b012d1e480f845c98b1b8e12848d2163ed9c587de5db0554a2b8a9004da453a23aefb2f5fea240555a65efdc
- SSDEEP: 1536:Qy5xpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6z9/m1oxH:Qy5HJywQjDgTLopLwdCFJz49/XH
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely as a geofence check.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2388 | tmp76E5.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
  The binary involved is vbc.exe under C:\Windows\Microsoft.NET\Framework\v2.0.50727, the Visual Basic .NET command-line compiler, invoked with /noconfig and a @*.cmdline response file written to the user's Temp directory; it then spawns cvtres.exe (see the process tree below). That chain is what .NET's CodeDOM compiler services produce when a program compiles source code at runtime, so the compiled output should be treated as a second-stage payload.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp76E5.tmp.exe
  Microsoft's own compiler binaries (vbc.exe, cvtres.exe) appear in this list, which shows the NLS\Language lookup happens as part of ordinary process start-up as much as deliberate discovery; the Geo\Nation query above, made only by the sample itself, is the stronger geofence indicator.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2160 | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
  Token: SeDebugPrivilege | 2388 | tmp76E5.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2160 wrote to memory of 4916 | 2160 | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | vbc.exe
  PID 2160 wrote to memory of 4916 | 2160 | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | vbc.exe
  PID 2160 wrote to memory of 4916 | 2160 | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | vbc.exe
  PID 4916 wrote to memory of 2272 | 4916 | vbc.exe | cvtres.exe
  PID 4916 wrote to memory of 2272 | 4916 | vbc.exe | cvtres.exe
  PID 4916 wrote to memory of 2272 | 4916 | vbc.exe | cvtres.exe
  PID 2160 wrote to memory of 2388 | 2160 | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | tmp76E5.tmp.exe
  PID 2160 wrote to memory of 2388 | 2160 | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | tmp76E5.tmp.exe
  PID 2160 wrote to memory of 2388 | 2160 | 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe | tmp76E5.tmp.exe
  Every one of these writes goes from a parent into a process it has just created (2160 to 4916, 4916 to 2272, 2160 to 2388; compare the process tree below). Writes of that shape also occur during normal process start-up, so this signature on its own is not evidence of code injection; it becomes significant when the target is a process the writer did not create.
Processes
C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"
  PID: 2160
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ic_newhd.cmdline"
    PID: 4916
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF57E8BD453CE43989F8B5AB0665586D4.TMP"
      PID: 2272
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
    PID: 2388
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
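Detection logic for the chain recorded in the signature tables and the process tree above, as an added example (this is not part of the sandbox report and not a sandbox API). The events are constructed from the report's PIDs, image paths and command lines; DEV_PARENTS is a hypothetical allow-list of build tools, and the function names are my own. It flags the vbc.exe response-file compile launched by a non-development parent (corroborated by the cvtres.exe child), the tmpXXXX.tmp.exe executed from the user's Temp directory, and filters WriteProcessMemory events so that only writes into a process the writer did not itself create remain, which for this run is none.

```python
"""Runtime-compilation / dropped-EXE chain detection (added example, not from the report)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"

# Constructed from the report's process tree. PPID 0 on the root means the parent
# (the sandbox launcher) is not recorded in the report.
PROCESSES = [
    ProcEvent(2160, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4916, 2160, NETFX + r"\vbc.exe",
              f'"{NETFX}\\vbc.exe" /noconfig @"{TEMP}\\ic_newhd.cmdline"'),
    ProcEvent(2272, 4916, NETFX + r"\cvtres.exe",
              f'{NETFX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES78BA.tmp" '
              f'"{TEMP}\\vbcF57E8BD453CE43989F8B5AB0665586D4.TMP"'),
    ProcEvent(2388, 2160, TEMP + r"\tmp76E5.tmp.exe",
              f'"{TEMP}\\tmp76E5.tmp.exe" {SAMPLE}'),
]

# The nine WriteProcessMemory rows from the signature table: three per spawned child.
MEM_WRITES = [MemWrite(2160, 4916)] * 3 + [MemWrite(4916, 2272)] * 3 + [MemWrite(2160, 2388)] * 3

# Hypothetical allow-list: parents for which a .NET compiler child is expected.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "csc.exe", "vbc.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}
# CodeDOM-style invocation: /noconfig followed by a @response-file ending in .cmdline
RESPONSE_FILE = re.compile(r'/noconfig\s+@"?[^"\s]+\.cmdline"?', re.IGNORECASE)
# tmpXXXX.tmp is the Path.GetTempFileName() naming scheme, here with .exe appended
TEMP_EXE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def detect_runtime_compilation(events):
    """Return (compiler_pid, parent_pid, cvtres_seen) for each vbc/csc launched with a
    response file by a parent that is not a known development tool."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if basename(e.image) not in COMPILERS or not RESPONSE_FILE.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in DEV_PARENTS:
            continue  # a build tool compiling code is expected
        cvtres = any(basename(c.image) == "cvtres.exe" for c in children.get(e.pid, []))
        hits.append((e.pid, e.ppid, cvtres))
    return hits


def detect_dropped_temp_exe(events):
    """Return pids of tmpXXXX.tmp.exe images run from %TEMP% whose parent also runs from %TEMP%."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if in_user_temp(e.image) and TEMP_EXE.search(e.image)
            and e.ppid in by_pid and in_user_temp(by_pid[e.ppid].image)]


def unexpected_memory_writes(writes, events):
    """Keep only WriteProcessMemory events whose target is not a child of the writer.
    Parent-to-child writes occur at process start-up and are dropped; whatever is
    left is a candidate for injection into an unrelated process."""
    ppid_of = {e.pid: e.ppid for e in events}
    return sorted({(w.src_pid, w.dst_pid) for w in writes if ppid_of.get(w.dst_pid) != w.src_pid})


if __name__ == "__main__":
    print("runtime compilation:", detect_runtime_compilation(PROCESSES))
    print("dropped temp exe   :", detect_dropped_temp_exe(PROCESSES))
    print("unexpected writes  :", unexpected_memory_writes(MEM_WRITES, PROCESSES))
```

Run against the constructed events, the compile detection returns the vbc.exe process (4916) with its parent 2160 and a cvtres.exe child, the dropped-EXE check returns 2388, and the memory-write filter returns nothing; adding a write from 2388 into 4916, which 2388 did not create, is what would surface as a real injection candidate.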
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: dbd68386bbd240981d216ceca729bcb8
  SHA1: e185e3144306df86ad3cb85de5b72f121bed7abb
  SHA256: 51487161d5aa5e5657ef1a56414594b8fb8c067ca0a074ed1b7e90ef9ebdd823
  SHA512: fec14bebfb48402abe71e5ecb759e26d49e828b5ea1c39c2b8a003c4dcd96399e2d0311b26ef986a0cfc7bdb49fd9f6e44c2f6364b405fd76018c56a05888e93
- Filesize: 14KB
  MD5: bac0467574e6b1d230de001a09f3b9ca
  SHA1: 1f83f858761398c33ab6a5530517db8a50202a28
  SHA256: bf2fea91b8767dcc1037388f4be71a8e0b08a0381075327087750b23bfa50073
  SHA512: 82d678b9ad135deae6da900319f02bd91d3c40d3a6cf59077b490162b876104d5d21b165e4afc138c960278dc97fe03a409049239247ccd21f4cd1fa2e8f3fc4
- Filesize: 266B
  MD5: f0914c9ec11c9e956563ae1387ca291e
  SHA1: 2472a8bc4e4b180f7ce4397a1fbea47d40797c9b
  SHA256: 6da8ac7f60c10cf7c14b584a87978e907a74dfbcaf89f6d1913d92da17ad05a6
  SHA512: 8fc049513e24a90efaac7e8a129c2567435ecfc722693b0857cc3401a5f9484659fe8ffa5213297f5ed359b63dc72be8d02761083922f6ac9f6d3f2db31f4ab2
- Filesize: 78KB
  MD5: 5409f928300529601f7c9d7b67058672
  SHA1: 98ed297a3faffc0fc2971004addce27ab935fec1
  SHA256: 30dd4c59d143ef605f84eb8025ac4c18cb60606778a64bc53dca78e36148f90f
  SHA512: 933204d03dc709739bd22080dc3b831785babfeaebc64eaa1af9b50cec0465f7bf7217b6cce34828a85c88a09382245668d7f64ac22aa080bac91c8522c2c6f6
- Filesize: 660B
  MD5: 6466d4aca48fc165a0ef43297f108e74
  SHA1: 1fb5a3c8fd19e3afa9b7b96f6dec0f714fc9919a
  SHA256: 329d3225e69f85423a777ed69542614724ba1a01f47fba2b8a65caf8f8e9b148
  SHA512: 3f4879254ba67190dc613cb666b52fcf287db0c5e18b76276d8a94b16855334fc298a61ab1054a3e3ab21b776912a8dc7d383ae99279e6af248f76679ad3c60f
- Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7