Analysis
max time kernel: 120s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 19:22

Static task: static1

Behavioral task: behavioral1
Sample: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
Resource: win10v2004-20241007-en
General
Target: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
Size: 78KB
MD5: 88aae9275870cab6b6f3ad4ca7903be0
SHA1: 9239596a234d770cb96047d5fa95e85cbd029711
SHA256: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97
SHA512: 859ca9dc2b071d0e5e823087c23968af4dcd91d1ff386577d043b3948986f03c6e292b67887afa901354679348b59e6942a8da9b30b601281a570cad59635399
SSDEEP: 1536:C4V5jULT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6Vs9/e1Wp:C4V5jiE2EwR4uY41HyvY+s9/B
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe)

Deletes itself (1 IoC)
- PID 3972: tmp86E3.tmp.exe

Executes dropped EXE (1 IoC)
- PID 3972: tmp86E3.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" (process: tmp86E3.tmp.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp86E3.tmp.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4436 (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe)
- Token: SeDebugPrivilege, PID 3972 (process: tmp86E3.tmp.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4436 wrote to memory of 2484 (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe, procid_target: 82)
- PID 4436 wrote to memory of 2484 (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe, procid_target: 82)
- PID 4436 wrote to memory of 2484 (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe, procid_target: 82)
- PID 2484 wrote to memory of 4168 (process: vbc.exe, procid_target: 84)
- PID 2484 wrote to memory of 4168 (process: vbc.exe, procid_target: 84)
- PID 2484 wrote to memory of 4168 (process: vbc.exe, procid_target: 84)
- PID 4436 wrote to memory of 3972 (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe, procid_target: 85)
- PID 4436 wrote to memory of 3972 (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe, procid_target: 85)
- PID 4436 wrote to memory of 3972 (process: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe, procid_target: 85)
Processes
C:\Users\Admin\AppData\Local\Temp\ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe"
PID: 4436
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\61aythej.cmdline"
    PID: 2484
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES886A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF19045594995431F973E15BDF47ED18A.TMP"
        PID: 4168
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmp86E3.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp86E3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
    PID: 3972
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads