Analysis
max time kernel: 111s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 02:17
Static task: static1
Behavioral task: behavioral1
Sample: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Resource: win10v2004-20241007-en
General
Target: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Size: 78KB
MD5: e7b9e8d6e3f8c69f76f7a042ec752ec0
SHA1: 2d57654a6483df30956d5ed8bcff49709dd7586f
SHA256: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488a
SHA512: 9544b6cb58d76fd5793d9274edfdcd2849986e9b2455c84309879998bd15cdb71ab0054ce673004b4634dcabf3ff9ef79e3c3eabeee620284fd502bbd8d617dd
SSDEEP: 1536:yVc5fAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS649/j11NE:oc5fAtWDDILJLovbicqOq3o+nw9/jq
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool (RAT) that has been in circulation since 2013.
MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Executes dropped EXE (1 IoC)
pid | Process
5008 | tmp8F6F.tmp.exe
Uses the VBS compiler for execution (1 TTP)
The sample drives vbc.exe, the Visual Basic .NET command-line compiler, with a generated .cmdline response file; the resulting binary is built on the host at run time rather than carried in the dropper.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | tmp8F6F.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8F6F.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2004 | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Token: SeDebugPrivilege | 5008 | tmp8F6F.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2004 wrote to memory of 2968 | 2004 | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe | 83
PID 2004 wrote to memory of 2968 | 2004 | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe | 83
PID 2004 wrote to memory of 2968 | 2004 | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe | 83
PID 2968 wrote to memory of 1972 | 2968 | vbc.exe | 85
PID 2968 wrote to memory of 1972 | 2968 | vbc.exe | 85
PID 2968 wrote to memory of 1972 | 2968 | vbc.exe | 85
PID 2004 wrote to memory of 5008 | 2004 | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe | 86
PID 2004 wrote to memory of 5008 | 2004 | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe | 86
PID 2004 wrote to memory of 5008 | 2004 | 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe | 86
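Three of the signatures above map directly onto host telemetry a defender already collects: a .NET compiler (vbc.exe /noconfig @*.cmdline) spawned by something that is not a build tool, an executable in a Temp directory launched by another executable in Temp, and a Run value whose target sits in Temp under a value name (caspol.exe) that does not match the binary it starts. The detection logic below is an added example, not part of the sandbox report; it runs over constructed Sysmon-style event dictionaries that mirror the process tree and registry write recorded here. The PIDs and paths are copied from the report, while the two benign control events and the DEV_PARENTS allowlist are assumptions for illustration.

```python
"""Host-based detections for three behaviours in the report, run over
constructed Sysmon-style events (example code, not sandbox output)."""
import ntpath
import re
from dataclasses import dataclass

# Assumed allowlist of parents that legitimately drive csc.exe/vbc.exe; tune per estate.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed events: 0-4 mirror the report's process tree and Run-key write,
# 5-7 are benign controls (Visual Studio compiling, OneDrive autostart).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2004, "ppid": 1234, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 2968, "ppid": 2004, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\gvkjazwf.cmdline"'},
    {"type": "process_create", "pid": 1972, "ppid": 2968, "image": FW + r"\cvtres.exe",
     "cmdline": FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9088.tmp"'},
    {"type": "process_create", "pid": 5008, "ppid": 2004,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe",
     "cmdline": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8F6F.tmp.exe" {SAMPLE}'},
    {"type": "registry_set", "pid": 5008,
     "key": r"HKU\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\InstallMembership.exe"'},
    {"type": "process_create", "pid": 7000, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmdline": "devenv.exe"},
    {"type": "process_create", "pid": 7001, "ppid": 7000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\proj\obj\x.cmdline"'},
    {"type": "registry_set", "pid": 7002,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[Finding]:
    """Return one Finding per matching event, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings: list[Finding] = []
    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            pimage = parent["image"] if parent else ""
            cmd = e["cmdline"].lower()
            # Rule 1: run-time compilation (compiler /noconfig @x.cmdline) whose
            # parent is not a known build tool.
            if (_base(e["image"]) in COMPILERS and "/noconfig" in cmd
                    and ".cmdline" in cmd and _base(pimage) not in DEV_PARENTS):
                findings.append(Finding("runtime_compile_nondev_parent", e["pid"],
                                        f"{_base(e['image'])} spawned by {_base(pimage) or '<unknown>'}"))
            # Rule 2: a Temp-resident executable started by another Temp-resident
            # executable, i.e. a dropped payload run by its dropper.
            if TEMP_DIR_RE.search(e["image"]) and TEMP_DIR_RE.search(pimage):
                findings.append(Finding("dropped_exe_from_temp", e["pid"],
                                        f"{_base(pimage)} -> {_base(e['image'])}"))
        elif e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            # Rule 3: autostart value pointing into Temp; also note when the value
            # name (caspol.exe) does not match the binary it actually launches.
            target = e["data"].strip().strip('"').split('"')[0]
            if TEMP_DIR_RE.search(target):
                name = ntpath.basename(e["key"])
                note = "" if name.lower() == _base(target) else " (value name does not match target)"
                findings.append(Finding("run_key_into_temp", e["pid"], f"{name} -> {target}{note}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<6} {f.detail}")
```

The allowlist is deliberately short: PowerShell's Add-Type also drives csc.exe, so an estate that relies on it needs a scoped exception rather than a blanket entry. The cvtres.exe child is not matched on its own; it inherits suspicion from the vbc.exe parent, which is the process the first rule flags.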
Processes
C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe"
    PID: 2004
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gvkjazwf.cmdline"
        PID: 2968
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9088.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC04755BFD954243877524627357B8A.TMP"
            PID: 1972
            - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
        PID: 5008
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: e759ba2e74bff971ad09336e2cd8836a
SHA1: 6f4ec4904faf2829674a32dd9f46ffdad555e193
SHA256: 2b698e7bf7b1cfbf1b486c31778cefae634ff5eac8f607f93b68cee835b0fb46
SHA512: 550165909c9723811ec71d000ba9f1b82eb6e6fa16a583a26d4b330ace6eeeb0b7bacd42dd9de2df34511c2db62948ffef2ab27fc8fb6eeef91866e89e1a48b1

Filesize: 14KB
MD5: 2f48605baf1d615c21222b8d0c2faa0a
SHA1: 6d679aebe604919ac9df57d9f2d77dfb111141f8
SHA256: 567fec83d9243537731243ca0028023e8c32ccd9be0838d9747d9166e880c3f5
SHA512: c06a178252c3017abc7e7e32e51e0beadcbaef225bc376ca110f7c94acc6777ccee43e076139f32b822b07855de000cbd10b5e391922fa150e295ea9d7c8f151

Filesize: 266B
MD5: 8bdb98f26de9084672fe8756104213fb
SHA1: 0e0ab6c7db021b595ab347d6fa95a0f67df21084
SHA256: a21cd00335e8a1ac21c2c4e2c738405b625db275275f520cede973fa9f900d43
SHA512: 63f379ae92da4231362fc25d58582b6e4b0d109752e4ba821687933788f136c5681a89daa868b3bddb4fa747a45ec6f90f621df9abe56b2f2a1f579ab4620efa

Filesize: 78KB
MD5: 33d80291217a0382cb670368595b81c3
SHA1: 647a514f7cc4e7266ed8bce588315138c26fd73f
SHA256: 04a497e88f9e11e698db4963199557f0b2771cd0bbd5e2cf97e9a8a42facd55b
SHA512: 79f0819f9d08da157e58ca3ff718e92a443d75ff1f2e139762824924b21ce5cc49b5207d71ea44229b6d4e33ce9e73e6741adcaa0ee3049b6e694f303fd2cabc

Filesize: 660B
MD5: bf7b737b6b11c2ae4789bc2e1e4801f6
SHA1: f5b8f4c1ab17f12139beed65eefe7e6d56441aa0
SHA256: c71dc7c3d16f5e775715f040a4ab33536bae9d9d25983a7c63bf457e76b7c043
SHA512: e51f694fc443682a59fb2ef056e2621f055ca8724e92165e24ebeaf425481255c91266f469d8bbbd9a146b71bdc70c13a07bea5506e4fbde473e02634dbe819d

Filesize: 62KB
MD5: a26b0f78faa3881bb6307a944b096e91
SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c