Analysis
max time kernel: 139s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 19:56
Static task: static1
Behavioral task: behavioral1
  Sample: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
  Resource: win10v2004-20241007-en
General
Target: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Size: 78KB
MD5: 4a36dab75bd2f192ee8f10b272b63895
SHA1: beeaa38a9b06572fa3abee9964098afc17510d53
SHA256: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525
SHA512: 5d481f83d502f5c793712a7b346abde7e9ca8de4e8c8fe9e3954f984af14c167755bf5f65a9ad90a427f3b48d2235b290433cbb8bb5b886bd7959af919c98e99
SSDEEP: 1536:i58HLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtd6c9/Vc1Ds:i58rE2EwR4uY41HyvYn9/X
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
Deletes itself (1 IoC)
  pid: 1140 | Process: tmpA095.tmp.exe
Executes dropped EXE (1 IoC)
  pid: 1140 | Process: tmpA095.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | Process: tmpA095.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: vbc.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: cvtres.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: tmpA095.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 2220 | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
  description: Token: SeDebugPrivilege | pid: 1140 | Process: tmpA095.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 2220 wrote to memory of 4172 | pid: 2220 | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | procid_target: 82
  description: PID 2220 wrote to memory of 4172 | pid: 2220 | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | procid_target: 82
  description: PID 2220 wrote to memory of 4172 | pid: 2220 | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | procid_target: 82
  description: PID 4172 wrote to memory of 2572 | pid: 4172 | Process: vbc.exe | procid_target: 84
  description: PID 4172 wrote to memory of 2572 | pid: 4172 | Process: vbc.exe | procid_target: 84
  description: PID 4172 wrote to memory of 2572 | pid: 4172 | Process: vbc.exe | procid_target: 84
  description: PID 2220 wrote to memory of 1140 | pid: 2220 | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | procid_target: 85
  description: PID 2220 wrote to memory of 1140 | pid: 2220 | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | procid_target: 85
  description: PID 2220 wrote to memory of 1140 | pid: 2220 | Process: 186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe | procid_target: 85
Processes
C:\Users\Admin\AppData\Local\Temp\186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2220
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijlocowy.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4172
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA180.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB33DC7F2F6345D78EC9F6A9BBC61123.TMP"
          - System Location Discovery: System Language Discovery
          PID: 2572
    C:\Users\Admin\AppData\Local\Temp\tmpA095.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA095.tmp.exe" C:\Users\Admin\AppData\Local\Temp\186b4997d6aebfd8cdfade1f43d52a64a981d444e3ca476675a5da092030c525.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 1140
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 1934f68d3c912e91e12965bcc7641460
SHA1: ca9f0de7201a366507b8128229ca8127cea9bb29
SHA256: 5a34282064fa0f56794e0a26a42f159f96e1da34d64972d121861024a6bc04d5
SHA512: 78ec11896dd1d31d312b1f339771b7f3969501e94743f3c30b6861a8fd6cd990b985dbee2adaccd3014e585ee433a902157c4191abdf01da56e14c3b8293ff1e

Filesize: 14KB
MD5: 3f7696f2e028a6b3091669fd83e1bdb7
SHA1: b4ab194d45919dbf407733dd0fe9b9993ccc3474
SHA256: 22d0cc6654963a1671eb5028f0e6a3b9eae291eb2b5869e2a328c5cc9c77d952
SHA512: a0edd332c080c33ec922498042597b2ac6f5f14217a1c9602bb009c6d43d5dc497b18571d57f8ba525dea76a3713c6e156a545b7378ee0a06d70870a45ba3d19

Filesize: 266B
MD5: 19188293dd06ac507e478e706d0a870d
SHA1: e2716169686aa2caebb3c22b6de08dc79ac186d5
SHA256: 536c98850011323a9f77b5d5ece04199458509de948cb4d7ab4386144fae0fdb
SHA512: 8dc1f4491ecf90059bc596e31c9022cf31ccd15b017e0161868c6cadff336c92274489cadf8fc044b440eeac4c867b7a7595eeecac7b09a5c29f52c422682555

Filesize: 78KB
MD5: 4a82fd7aecb251d572721ad36e95dc03
SHA1: 3cfb64eb3e6e1c6bf9d02c8b675b536ca8e7b263
SHA256: 73263120e4fc904419579af501a751fabe84bc1d16addb2ab7ac8e4c89385a49
SHA512: 66a20cdacc4683b29d292fb91bc43ea30aa76e771338d6a3ae40c3ee54fa5fa425fbae6bd04b884a3701cbb98f0483ee3d45dd281c5225f0356abd5cc9dbd3b6

Filesize: 660B
MD5: 3901438f3aa13fe7e15914d0cfd4ce96
SHA1: 43a18f20adba55c6f0e1940260c9cd5dcfc19364
SHA256: 968d4cd0807ceab8b787bc85e2e636c41c48bc6ad1bf850a252b7db31d61be2b
SHA512: acd74c9b730b5f18dd051f5f5f22faacbe92eff01a7b3fdaf2307e035cb67cc84b5760f70288924a2c0acae1fdc8d9371c43c0e50edfc8e475636b7c4ab6afa0

Filesize: 62KB
MD5: 6870a276e0bed6dd5394d178156ebad0
SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809