Analysis
max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
02-12-2024 13:07
Static task
static1
Behavioral task
behavioral1
Sample
3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Resource
win10v2004-20241007-en
General
Target
3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Size
78KB
MD5
07624ac00166d342ece8654baf2ab30b
SHA1
9cd9b504b176f9e08cd79af4122d3e1909b3c3b2
SHA256
3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499
SHA512
77e43d8d99e606bb9064a168316d21dbdf898d56400948fe8f1444ba0eced64d2492968938cefd3f7f4a5288e64c698d2fa9c5c3d672b6e0a3ec917e719b2677
SSDEEP
1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1j:158Yn7N041Qqhg49/zj
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Executes dropped EXE 1 IoCs
pid | Process
4780 | tmpBCD8.tmp.exe
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmpBCD8.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpBCD8.tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4720 | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Token: SeDebugPrivilege | 4780 | tmpBCD8.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4720 wrote to memory of 3524 | 4720 | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe | 82
PID 4720 wrote to memory of 3524 | 4720 | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe | 82
PID 4720 wrote to memory of 3524 | 4720 | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe | 82
PID 3524 wrote to memory of 3816 | 3524 | vbc.exe | 84
PID 3524 wrote to memory of 3816 | 3524 | vbc.exe | 84
PID 3524 wrote to memory of 3816 | 3524 | vbc.exe | 84
PID 4720 wrote to memory of 4780 | 4720 | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe | 85
PID 4720 wrote to memory of 4780 | 4720 | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe | 85
PID 4720 wrote to memory of 4780 | 4720 | 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3kvbz33q.cmdline"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3524
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF83D2DD021E045778A32CD9BC74A8712.TMP"
    - System Location Discovery: System Language Discovery
    PID:3816
  C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
Network
MITRE ATT&CK Enterprise v15
Downloads