Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2024 20:11
Static task: static1
Behavioral task: behavioral1
- Sample: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
- Resource: win10v2004-20241007-en
General
- Target: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
- Size: 78KB
- MD5: ae002c0f52fbeac0cb03c901b537c38b
- SHA1: d2f3f8527b33e67a8079b2fdce154eff5e883ba7
- SHA256: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17
- SHA512: e0cc49dcd2e9870b9caaa638809f1e42fc0a04cd24e4e150f04daf396f92a9a375dda758e009c8991f9d8e30d27e43f5c1a5cd7fd85d51faddb2980c65b7782e
- SSDEEP: 1536:zCHY6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtS9/A1dJ:zCHYOIhJywQj2TLo4UJuXHhS9/+
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in use since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe)
- Deletes itself (1 IoC)
  PID 3500: tmp800D.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 3500: tmp800D.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp800D.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3672 (1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe)
  Token: SeDebugPrivilege, PID 3500 (tmp800D.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs; columns: description, pid, process, procid_target)
  PID 3672 wrote to memory of 3480, 3672, 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe, 83
  PID 3672 wrote to memory of 3480, 3672, 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe, 83
  PID 3672 wrote to memory of 3480, 3672, 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe, 83
  PID 3480 wrote to memory of 4544, 3480, vbc.exe, 85
  PID 3480 wrote to memory of 4544, 3480, vbc.exe, 85
  PID 3480 wrote to memory of 4544, 3480, vbc.exe, 85
  PID 3672 wrote to memory of 3500, 3672, 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe, 86
  PID 3672 wrote to memory of 3500, 3672, 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe, 86
  PID 3672 wrote to memory of 3500, 3672, 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe, 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe"
   PID: 3672
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytddbybz.cmdline"
      PID: 3480
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8136.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB063C03172748159DA761BF8A13FDBE.TMP"
         PID: 4544
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\tmp800D.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp800D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
      PID: 3500
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads