Analysis
- max time kernel: 112s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 03-12-2024 22:26
Static task
- static1

Behavioral task
- behavioral1
  Sample: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
  Resource: win7-20241023-en

Behavioral task
- behavioral2
  Sample: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
  Resource: win10v2004-20241007-en
General
- Target: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
- Size: 78KB
- MD5: c8410b400bb6749891d425553e408d60
- SHA1: d0833742443c6353faef910a585288e93bdeec99
- SHA256: b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22
- SHA512: 798164b84064b3c3cca36c89a2cf79dfbecd5e4b66759dbdb3f10bcab4c4021b5d6e2fe78da2033a5938eb7214dbe62ff6e319adba52383cdf9ba35fd65d0c59
- SSDEEP: 1536:XuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRK9/nM1Gy:XuHFon3xSyRxvY3md+dWWZyRK9/nI
Malware Config

Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
- Executes dropped EXE (1 IoCs)
  pid  | Process
  2844 | tmpF7ED.tmp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description     | ioc                                                                                                                                                                                    | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpF7ED.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                       | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF7ED.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 840  | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
  Token: SeDebugPrivilege | 2844 | tmpF7ED.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                                                               | procid_target
  PID 840 wrote to memory of 2592  | 840  | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe | 83
  PID 840 wrote to memory of 2592  | 840  | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe | 83
  PID 840 wrote to memory of 2592  | 840  | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe | 83
  PID 2592 wrote to memory of 832  | 2592 | vbc.exe                                                               | 85
  PID 2592 wrote to memory of 832  | 2592 | vbc.exe                                                               | 85
  PID 2592 wrote to memory of 832  | 2592 | vbc.exe                                                               | 85
  PID 840 wrote to memory of 2844  | 840  | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe | 86
  PID 840 wrote to memory of 2844  | 840  | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe | 86
  PID 840 wrote to memory of 2844  | 840  | b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe"
  PID: 840
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kmg6dron.cmdline"
    PID: 2592
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FAEE6B671B14445B8F28ED4347FBE47.TMP"
      PID: 832
      - System Location Discovery: System Language Discovery

  - C:\Users\Admin\AppData\Local\Temp\tmpF7ED.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF7ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2e89434a5bdcb9b59913cd60c19731f07c5c188868e8a5ae640abbcee5b4a22N.exe
    PID: 2844
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads