Analysis
max time kernel: 119s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
  Resource: win10v2004-20241007-en
General
Target: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
Size: 78KB
MD5: d4013599520de9c8b1ae67d9abaee087
SHA1: 73e8c0b7b6f71cdc8c52b0d19904b3ca2d61e583
SHA256: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd
SHA512: 2b384517313bb0fd28eb876290f5d9e02bad92eb86ea3ed3de7c023a94d05ea248643847408072528d5fe46d6c2323d0e0e12c3b8c4833b4e681a2cb56bd579f
SSDEEP: 1536:RsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtj9/f1GC2:RsH/3DJywQjDgTLopLwdCFJzj9/T2
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely used as a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
Deletes itself (1 IoC)
  pid: 3992  Process: tmp8E17.tmp.exe
Executes dropped EXE (1 IoC)
  pid: 3992  Process: tmp8E17.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: vbc.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cvtres.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: tmp8E17.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid: 4820  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
  description: Token: SeDebugPrivilege  pid: 3992  Process: tmp8E17.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 4820 wrote to memory of 4232  pid: 4820  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe  procid_target: 83
  description: PID 4820 wrote to memory of 4232  pid: 4820  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe  procid_target: 83
  description: PID 4820 wrote to memory of 4232  pid: 4820  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe  procid_target: 83
  description: PID 4232 wrote to memory of 208  pid: 4232  Process: vbc.exe  procid_target: 85
  description: PID 4232 wrote to memory of 208  pid: 4232  Process: vbc.exe  procid_target: 85
  description: PID 4232 wrote to memory of 208  pid: 4232  Process: vbc.exe  procid_target: 85
  description: PID 4820 wrote to memory of 3992  pid: 4820  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe  procid_target: 86
  description: PID 4820 wrote to memory of 3992  pid: 4820  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe  procid_target: 86
  description: PID 4820 wrote to memory of 3992  pid: 4820  Process: 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe  procid_target: 86
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4820
  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d98ugrt_.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4232
    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9097.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF20FF0C09E4E4340A1663075BB5ED5EF.TMP"
      - System Location Discovery: System Language Discovery
      PID: 208
  Level 2: C:\Users\Admin\AppData\Local\Temp\tmp8E17.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8E17.tmp.exe" C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3992
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: d15f97f7e448abbb3f51d125e12404c4
SHA1: 944b4515aaa03d98c56cb787fe8295f5e9a0f41a
SHA256: 6fd46e2fb8c9d93758ce50cf3be0b52de2409feb7fddde7fc5e2a2d8991cbee2
SHA512: ba907fac3e1c67855cc7ae6a2e35c8c96fe5c92077a1629e211f7c396527ce7920a04f2afc9e91a24734e2bcc029cc786de98ad268e4218c966d5d405831d654

Filesize: 15KB
MD5: afca6fcc37c66e5306e68fcee73b0ba5
SHA1: e4890a806369fef1c2431f442881106949561592
SHA256: 5066816f2fae909440dc1b377b5b9273e9f7d99aeeb9b948eb0bd098adedba33
SHA512: d79ab877fbd37ceb6598c9a3ded6219d3b90954e77c18844e70bae32184883f7aafa8e448338a5f1fbb488827b9a0a2f4ce9ba34cc7a8330f51a6d0d2490d2d0

Filesize: 266B
MD5: 2ed7b58b1bf8cf9ec10d0689d54169c1
SHA1: b614b6b9367398823aa80cebf435504af370f597
SHA256: 78714223dab0b35652ea84af18634a7c20d64189812d725bb23d94f72c78a6b9
SHA512: c305f433878eacfd7e2d46b7cb0b3f614e7621e9993e3cde9a2a67b5b5d590b1ddffaeaa3e52b4f93c522d0d1180c709cae38b6468e2247f7bfb366af0e6ec98

Filesize: 78KB
MD5: 27e40dc2c406af8c3943684bb5a32f73
SHA1: 3074df64c6e82ae0a6b869667f5022beccda474b
SHA256: cf8bfdd1e5d4c96d5a3ac8b39617d5dbb356df510a3d4e8690685f42cf464693
SHA512: da7f03bc2cdbe75efffb9b681ce842bdcd310b848d7a1e27b57d231d790833d88343988cbdc07fa9925f6074a00a5e29c69e39e67f12904b4a0115afdbbe7a39

Filesize: 660B
MD5: e43069bef1cc1aed310b47393b11455b
SHA1: 5e7b2540920dc8347bcc5606bcc7b3cc0c1336db
SHA256: d1eb84235cb159d68b762b75425c3cee1609e51bb3b7c3b609e7690f53b4fe55
SHA512: 95b4ae929c0eb0b7a640358eaa2edd84bb811a4c0813de5507d07a11b0e48f830d304f8e15bf34f3ffdb9b971349ff6ab538e8429ffc3511ea026b0752730da1

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7