Analysis

max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 12:00
Static task: static1

Behavioral task: behavioral1
  Sample: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
  Resource: win10v2004-20241007-en
General

Target: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
Size: 78KB
MD5: 2d945b53f667100d2e31633e89130f9c
SHA1: 38eda96f053547cdd2aaaf83a8388348958670bf
SHA256: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62
SHA512: d5ef0b44166562d4af1bbdf1226cef91e831155db8538aaccb0d0874ccb5ad9803416e43ad4f665039a5652c92c26458e3a0c8f2ca0bbd0c1b2d33a7a06194df
SSDEEP: 1536:iPCHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtg9/B1HaM:iPCHF8hASyRxvhTzXPvCbW2Ug9/GM
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe)

Executes dropped EXE (1 IoC)
  PID 1540: tmp6C85.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmp6C85.tmp.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp6C85.tmp.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (PID 4076, cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe)
  Token: SeDebugPrivilege (PID 1540, tmp6C85.tmp.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4076 wrote to memory of 3144 (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe, procid_target: 82)
  PID 4076 wrote to memory of 3144 (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe, procid_target: 82)
  PID 4076 wrote to memory of 3144 (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe, procid_target: 82)
  PID 3144 wrote to memory of 888 (process: vbc.exe, procid_target: 84)
  PID 3144 wrote to memory of 888 (process: vbc.exe, procid_target: 84)
  PID 3144 wrote to memory of 888 (process: vbc.exe, procid_target: 84)
  PID 4076 wrote to memory of 1540 (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe, procid_target: 85)
  PID 4076 wrote to memory of 1540 (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe, procid_target: 85)
  PID 4076 wrote to memory of 1540 (process: cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe, procid_target: 85)
Processes

C:\Users\Admin\AppData\Local\Temp\cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4076

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ziid_hwz.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3144

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F524593F360442995B84411A3673FE.TMP"
      - System Location Discovery: System Language Discovery
      PID: 888

  C:\Users\Admin\AppData\Local\Temp\tmp6C85.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6C85.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf2466b2cd9669e659c7e3d7e5bfadc1546e97b5f116bebf55563ac53981ea62.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 1540
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 730b632bfce82090e4c7f84fa6c7db1a
SHA1: 8b4bb6cb03c019541bc239ecb192391395d68b16
SHA256: e467b99cfc8d462370650ac57fdfa5c154bc92620572cca4b9d5689706d6f00b
SHA512: 9e659aac21a5a0a14011be6921a917741f476a77757310a0dc550d026d5153920af37434cd5b22c214be1ee9f29118b53deb03ad980b75484c9572bd549d61a5

Filesize: 78KB
MD5: c8917d225e39fca74caec27cd652c32b
SHA1: 3e13700006f2d7a3588547301f969b9a3c28b515
SHA256: ffdc57429968e7828a1d2d1890c4fac7a3f36ee5b59df17c25a639cad4c4b2e3
SHA512: 53e288e1404ba0b53e142bb1402ba9e9df87b448f6e8b29aac611c0c105eafa3b50e61219e19e893c6189eda97bcbfddb3b0fb03346bbf424a0744c024bcdd79

Filesize: 660B
MD5: 8aea4eb0eb5591ffb81f9f74175843b6
SHA1: da695fabcaf7a0fea3bb0c2a788ef36e15421b9e
SHA256: 7d0728a1d461f8db15e1c36174369d9c08521f8d36cab27b6be8351c5657ea8f
SHA512: 87c7d4e3f94b341b8aff34b570390ab1cb55c65be07a8d44bcb630778709798844d4c90d873da5035706319e16c1f3a762a1a9cdd5b935c68d77424b9dd1433c

Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Filesize: 15KB
MD5: 2f4a354478818f9aafe438ba82a43c98
SHA1: be705ea8e897c8fa5468624094fde75bf0beeec4
SHA256: 1b1add3ff83c47fa087c8c175d885ec359a713529a24a4f5e5e2de97a8d1d6ee
SHA512: 19852f647e3ff35ec9bc489759142f0095322653387720e1cc75f1b58c0c6a9ece0e0b34be8c68200f532652ecb087a7b22d99b1cc692ab10c46f68a5330c897

Filesize: 266B
MD5: f3d3e3fc597ead3ec9b9260061d282a4
SHA1: 8df4ac66c2897ca1e72b359f5d81ea3cdd2416ec
SHA256: 1551d9ca53d73169cddfc0d9183857e7c8ccc5b757ebc13a25a5f294f97b7c73
SHA512: 4f70bd5689002be545f7c9bc3de569151b23bf75d47a2d81b018ac6fce0f143ff8a6fe6cc48db0be35a29c67119fb8b8bbbff7f85e198f43f0265a8dbd5a5f8f