Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 04:42

General

  • Target

    25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe

  • Size

    78KB

  • MD5

    d440bae961f4557a1bb93cedd786ee25

  • SHA1

    7e3fd7de63df6e9cd6c5a585575a817e3c9361a3

  • SHA256

    25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7

  • SHA512

    9d6e6bfb03a9531d8791b1aa7bb95f77f32dcae2b012d1e480f845c98b1b8e12848d2163ed9c587de5db0554a2b8a9004da453a23aefb2f5fea240555a65efdc

  • SSDEEP

    1536:Qy5xpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6z9/m1oxH:Qy5HJywQjDgTLopLwdCFJz49/XH

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
    "C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ic_newhd.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF57E8BD453CE43989F8B5AB0665586D4.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2272
    • C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES78BA.tmp

    Filesize

    1KB

    MD5

    dbd68386bbd240981d216ceca729bcb8

    SHA1

    e185e3144306df86ad3cb85de5b72f121bed7abb

    SHA256

    51487161d5aa5e5657ef1a56414594b8fb8c067ca0a074ed1b7e90ef9ebdd823

    SHA512

    fec14bebfb48402abe71e5ecb759e26d49e828b5ea1c39c2b8a003c4dcd96399e2d0311b26ef986a0cfc7bdb49fd9f6e44c2f6364b405fd76018c56a05888e93

  • C:\Users\Admin\AppData\Local\Temp\ic_newhd.0.vb

    Filesize

    14KB

    MD5

    bac0467574e6b1d230de001a09f3b9ca

    SHA1

    1f83f858761398c33ab6a5530517db8a50202a28

    SHA256

    bf2fea91b8767dcc1037388f4be71a8e0b08a0381075327087750b23bfa50073

    SHA512

    82d678b9ad135deae6da900319f02bd91d3c40d3a6cf59077b490162b876104d5d21b165e4afc138c960278dc97fe03a409049239247ccd21f4cd1fa2e8f3fc4

  • C:\Users\Admin\AppData\Local\Temp\ic_newhd.cmdline

    Filesize

    266B

    MD5

    f0914c9ec11c9e956563ae1387ca291e

    SHA1

    2472a8bc4e4b180f7ce4397a1fbea47d40797c9b

    SHA256

    6da8ac7f60c10cf7c14b584a87978e907a74dfbcaf89f6d1913d92da17ad05a6

    SHA512

    8fc049513e24a90efaac7e8a129c2567435ecfc722693b0857cc3401a5f9484659fe8ffa5213297f5ed359b63dc72be8d02761083922f6ac9f6d3f2db31f4ab2

  • C:\Users\Admin\AppData\Local\Temp\tmp76E5.tmp.exe

    Filesize

    78KB

    MD5

    5409f928300529601f7c9d7b67058672

    SHA1

    98ed297a3faffc0fc2971004addce27ab935fec1

    SHA256

    30dd4c59d143ef605f84eb8025ac4c18cb60606778a64bc53dca78e36148f90f

    SHA512

    933204d03dc709739bd22080dc3b831785babfeaebc64eaa1af9b50cec0465f7bf7217b6cce34828a85c88a09382245668d7f64ac22aa080bac91c8522c2c6f6

  • C:\Users\Admin\AppData\Local\Temp\vbcF57E8BD453CE43989F8B5AB0665586D4.TMP

    Filesize

    660B

    MD5

    6466d4aca48fc165a0ef43297f108e74

    SHA1

    1fb5a3c8fd19e3afa9b7b96f6dec0f714fc9919a

    SHA256

    329d3225e69f85423a777ed69542614724ba1a01f47fba2b8a65caf8f8e9b148

    SHA512

    3f4879254ba67190dc613cb666b52fcf287db0c5e18b76276d8a94b16855334fc298a61ab1054a3e3ab21b776912a8dc7d383ae99279e6af248f76679ad3c60f

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/2160-22-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2160-2-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2160-1-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2160-0-0x0000000075092000-0x0000000075093000-memory.dmp

    Filesize

    4KB

  • memory/2388-23-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2388-24-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2388-25-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2388-26-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2388-27-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/2388-28-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/4916-9-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB

  • memory/4916-18-0x0000000075090000-0x0000000075641000-memory.dmp

    Filesize

    5.7MB