Analysis
-
max time kernel
148s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
26-11-2024 22:27
Static task
static1
Behavioral task
behavioral1
Sample
448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
Resource
win10v2004-20241007-en
General
-
Target
448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
-
Size
78KB
-
MD5
e81f39af6852661c5d7af31cb16eefe6
-
SHA1
90150edd2d02c688e2de190e3187a3d2e45aae23
-
SHA256
448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96
-
SHA512
e37661771cecc969af48f10472911201a4d2c849a9e9bc1931d22a5b3dd765f10529485a08502fad931292c80d6a6ea771be4733bce9a20f690ba638f3bca4f7
-
SSDEEP
1536:whHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtM9/M1I:cHFoI3ZAtWDDILJLovbicqOq3o+nM9/M
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Metamorpherrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
Executes dropped EXE 1 IoCs
pid | Process
2340 | tmp8879.tmp.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | tmp8879.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8879.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4432 | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
Token: SeDebugPrivilege | 2340 | tmp8879.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4432 wrote to memory of 2264 | 4432 | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe | 83
PID 4432 wrote to memory of 2264 | 4432 | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe | 83
PID 4432 wrote to memory of 2264 | 4432 | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe | 83
PID 2264 wrote to memory of 632 | 2264 | vbc.exe | 85
PID 2264 wrote to memory of 632 | 2264 | vbc.exe | 85
PID 2264 wrote to memory of 632 | 2264 | vbc.exe | 85
PID 4432 wrote to memory of 2340 | 4432 | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe | 86
PID 4432 wrote to memory of 2340 | 4432 | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe | 86
PID 4432 wrote to memory of 2340 | 4432 | 448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe | 86
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4432
Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pkbbdfqb.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2264
Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8954.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E6A380234DC437287FE937D54B4C9C4.TMP"
- System Location Discovery: System Language Discovery
PID: 632
Level 2: C:\Users\Admin\AppData\Local\Temp\tmp8879.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8879.tmp.exe" C:\Users\Admin\AppData\Local\Temp\448e099e41b0730f0b736f603e4d8f2d802692da572ca58f09d98833fef1ab96.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2340
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 7692f1a744166db0ffb731eb966bf3ad
SHA1 a562c0b4e1505d323e4e0ba10f72f69bf24d7041
SHA256 385b114df605691b21d785da3a9788d3fba750c64f43dd2ebf813a9afd13073c
SHA512 94b699f97cc9db55f7b6505a10f4a1da5ff2139c28b79be1c2f9d2f5c12ce7eb066ce0266740215d85cf4439f8a20aadf40218d75505878cb67baae8c9a6ff07
-
Filesize
15KB
MD5 ff7b5a516c5a1cbe19457cf56508e36a
SHA1 351f671cbddea94f131f7f4113518e55b0517710
SHA256 e341615d34a8aaea11b75555584ae2746cd4ef9c4925337e6a8aa0f6d13d10de
SHA512 a63233d54890987f2c3d11196de3d107fda3e0c9ec522a600155bc907725bcb4c6e7fdcfe5dc0e727651c60760cac5d44f337a556c84a64dee666a1b4d31c12d
-
Filesize
266B
MD5 b9c0f40f33854a76b678141155d9ca47
SHA1 e3f154c897ab3f8032b087ba0abbb76d10029603
SHA256 16e3b07bdb0ee27d255decb39381ceaaf6660aefd707bcef4edd20caa9d6f183
SHA512 585aee09ffc74b1471f3589343c6b4dd41a1e836cea964cb0bef70e3b98d784c3094c216cba067f180bb4df0cce867ffef438186b0eb07099926c670dca2921c
-
Filesize
78KB
MD5 a17ab494a23a4c5630511ab19b52a7b3
SHA1 487d88ac47f515c31f5f81505e8ef2475cd13c6c
SHA256 c454f4c1a3e7fae3378015b99782a89e5f394bef1aa28a0264e2d6e1f8362deb
SHA512 49aea4cea63a3f1425fed119bc7d3780b5866010c47a252ccdcd2dc32b96f91da2c2823741d5fd3c78d9d7539e4373a99244d5af01dca88eb819110fbcaca8d9
-
Filesize
660B
MD5 72b9ed99927edb2ab26350feb2f25523
SHA1 47c948c29339a959a1a409e0d5cbc7e31f1c1071
SHA256 4aa3e6bd48234e0938d55d10b5d14a40fbdffa1344d81c09f481a8da74cbc66d
SHA512 b150aa88cfce0160d702a63f42d07087f4b3d90bb744c4b133340dea03c41ee68e5dc4f68302b299184442dd7794691936f3ab3b7f705db569d7a54dfffe8e6f
-
Filesize
62KB
MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c