Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 19:11

Static task: static1

Behavioral task: behavioral1
  Sample: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
  Resource: win10v2004-20241007-en
General

Target: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
Size: 78KB
MD5: 7b897c71632a4d68cc3cdcdc0657373f
SHA1: e564b4af6dcc1350babf302a607fca45d00fa483
SHA256: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0
SHA512: 03c4a933fb35e5452601565b7fcb3dbdfb20dd17c42efa29a8ee22f818053f54522284a296d366ec6dbce5d2c1d1c06d997504f3b2ba25b9d5a79fbd819bdafe
SSDEEP: 1536:mVc5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti61o9/Nx1ig:+c5jEJywQjDgTLopLwdCFJzu9/9
Malware Config

Signatures

- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.

- Metamorpherrat family

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe

- Executes dropped EXE (1 IoC)
  pid   Process
  1908  tmpB0B2.tmp.exe

- Uses the VBS compiler for execution (1 TTP)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tmpB0B2.tmp.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4420  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
  Token: SeDebugPrivilege   1908  tmpB0B2.tmp.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 4420 wrote to memory of 1384   4420  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe  83
  PID 4420 wrote to memory of 1384   4420  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe  83
  PID 4420 wrote to memory of 1384   4420  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe  83
  PID 1384 wrote to memory of 4780   1384  vbc.exe                                                                 85
  PID 1384 wrote to memory of 4780   1384  vbc.exe                                                                 85
  PID 1384 wrote to memory of 4780   1384  vbc.exe                                                                 85
  PID 4420 wrote to memory of 1908   4420  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe  86
  PID 4420 wrote to memory of 1908   4420  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe  86
  PID 4420 wrote to memory of 1908   4420  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe  86
Processes (indented entries are children of the process above them)

C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe"
  PID: 4420
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fsmgw7dx.cmdline"
    PID: 1384
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB21A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F33CC3D808E4455B04DC4DFE5291579.TMP"
      PID: 4780
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmpB0B2.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB0B2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
    PID: 1908
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads