Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 00:25
Static task: static1
Behavioral task: behavioral1
  Sample: 752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
  Resource: win10v2004-20241007-en
General
Target: 752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
Size: 78KB
MD5: cb5bbd667e2c154fae05fd0ed65383d5
SHA1: dea41a84703c4cedf9ed7701beae4e10c7f20705
SHA256: 752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee
SHA512: c5bd8555e26c4136fbaf2680ee3a2e8054b0f2c54b0fd027e5d6fb2cdcf559c0712bf3d8283368a70c37d1ed6214244eaf42dcec1794f3f24b9dff0721392660
SSDEEP: 1536:D4V58EpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6T9/S1YQu:D4V586JywQjDgTLopLwdCFJzg9/Gu
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in use since 2013.

MetamorpherRAT family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe

Executes dropped EXE (1 IoC)
  pid   Process
  1956  tmp9F8C.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp9F8C.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  956   752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
  Token: SeDebugPrivilege  1956  tmp9F8C.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                procid_target
  PID 956 wrote to memory of 2436   956   752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe  83
  PID 956 wrote to memory of 2436   956   752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe  83
  PID 956 wrote to memory of 2436   956   752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe  83
  PID 2436 wrote to memory of 4788  2436  vbc.exe                                                                85
  PID 2436 wrote to memory of 4788  2436  vbc.exe                                                                85
  PID 2436 wrote to memory of 4788  2436  vbc.exe                                                                85
  PID 956 wrote to memory of 1956   956   752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe  86
  PID 956 wrote to memory of 1956   956   752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe  86
  PID 956 wrote to memory of 1956   956   752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe  86
Processes
C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe"
  PID: 956
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vm7kvqjf.cmdline"
    PID: 2436
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA94609C321D45098F1A674A72FFB5C2.TMP"
      PID: 4788
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmp9F8C.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9F8C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\752b81c9ba41ce8bb3351db7ed72513bd56ba82f9edc13baf266ac76f17f31ee.exe
    PID: 1956
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads