Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2024 04:58
Static task: static1
Behavioral task: behavioral1
- Sample: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
- Resource: win10v2004-20241007-en
General
- Target: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
- Size: 78KB
- MD5: afc6fded921afb40f5e26ab338e8ad70
- SHA1: 0a2accb72355abc331bb8f569eebdfe61d41a38e
- SHA256: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930f
- SHA512: 73b03b7f756f5992024b787643a5cfdac64a88b9ef9cd28a70944ab82149fcf8c16fde01603a23fe3d4a1ccd605bd9bd96c9a9509395a5176f768016f2d11cfc
- SSDEEP: 1536:LtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt869/C1Hd:LtHYnhASyRxvhTzXPvCbW2U869/e
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4960 | tmp8899.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp8899.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8899.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2716 | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
  Token: SeDebugPrivilege | 4960 | tmp8899.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2716 wrote to memory of 4520 | 2716 | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe | 83
  PID 2716 wrote to memory of 4520 | 2716 | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe | 83
  PID 2716 wrote to memory of 4520 | 2716 | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe | 83
  PID 4520 wrote to memory of 2292 | 4520 | vbc.exe | 85
  PID 4520 wrote to memory of 2292 | 4520 | vbc.exe | 85
  PID 4520 wrote to memory of 2292 | 4520 | vbc.exe | 85
  PID 2716 wrote to memory of 4960 | 2716 | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe | 86
  PID 2716 wrote to memory of 4960 | 2716 | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe | 86
  PID 2716 wrote to memory of 4960 | 2716 | bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2716
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bu9mtrju.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4520
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc397E4FA05C3846F093F393517BFA70EB.TMP"
      - System Location Discovery: System Language Discovery
      PID: 2292
  - C:\Users\Admin\AppData\Local\Temp\tmp8899.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8899.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4960
Network
MITRE ATT&CK Enterprise v15
Downloads