Analysis
-
max time kernel
101s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-12-2024 13:11
Static task
static1
Behavioral task
behavioral1
Sample
4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Resource
win10v2004-20241007-en
General
-
Target
4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
-
Size
78KB
-
MD5
425ca0a0d0e9bcca9812b5f48a56c955
-
SHA1
721290757978f2fddd1b3cc6f5f200344a20b38e
-
SHA256
4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1
-
SHA512
c9f86663fb8f3a700ef3357b505c97eec17a0ae45235cf693f5a6378c44e4d2e47e896753e9000cae59587db36961d7addb5cda8ee6bc61b43d697683a09f0a3
-
SSDEEP
1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zgq:sWV58BJywQjDgTLopLwdCFJzF9/2Jq
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Metamorpherrat family
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
  Process: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
-
Executes dropped EXE (1 IoC)
  PID: 2136
  Process: tmpF721.tmp.exe
-
Uses the VBS compiler for execution (1 TTP)
The sample invokes vbc.exe, the Visual Basic .NET command-line compiler, with a response file (.cmdline) from the user's Temp directory, and the compiler in turn runs cvtres.exe; see the process tree below. Compiling a payload on the victim at run time keeps the final executable out of the dropped sample itself.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: vbc.exe, cvtres.exe, tmpF721.tmp.exe, 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
This key is opened by many ordinary processes (including the two Microsoft compiler binaries here), so on its own it is a weak indicator; the Geo\Nation query above is the more specific one.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3344, Process 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Token: SeDebugPrivilege, PID 2136, Process tmpF721.tmp.exe
-
Suspicious use of WriteProcessMemory (9 IoCs; the report lists each of the three parent-to-child writes three times)
  PID 3344 (4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe) wrote to memory of PID 4932 (procid_target 83), 3 events
  PID 4932 (vbc.exe) wrote to memory of PID 4864 (procid_target 85), 3 events
  PID 3344 (4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe) wrote to memory of PID 2136 (procid_target 86), 3 events
The three writes line up exactly with the parent-child edges in the process tree below.
-
Processes
-
Process tree (level 1 is the submitted sample; each child is indented under its parent):

1. C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
   PID: 3344
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l8lkjrlx.cmdline"
      PID: 4932
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF82B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF569AF3B88440BCAAEF6ED148928F5.TMP"
         PID: 4864
         - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF721.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
      PID: 2136
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
-
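The chain above (sample in Temp, vbc.exe fed a .cmdline response file from Temp, a tmp*.tmp.exe launched by the sample, and the Geo\Nation registry query) is the kind of behaviour a process-creation and registry telemetry rule can catch without any knowledge of the hashes. The following is an added example, not part of the sandbox report: it runs three such rules over constructed Sysmon-style events that mirror this report's process tree (PIDs, paths, command lines and the registry key are copied from the report; the two devenv.exe control events, their parent PIDs and the allowlist of legitimate compiler parents are assumptions to tune per environment).

```python
"""Detection sketch for the compile-then-execute chain in the process tree above.

Added example, not part of the sandbox report. Events are constructed: PIDs,
image paths, command lines and the Geo\\Nation key come from the report; the
devenv.exe control events and their parent PIDs are made up. Field names are
simplified Sysmon-style (EID 1 process creation, EID 12/13 registry access).
"""
import re
from pathlib import PureWindowsPath

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DEVENV = r"C:\Program Files\Microsoft Visual Studio\devenv.exe"  # constructed control

# Constructed process-creation events modelled on the report's process tree.
EVENTS = [
    {"pid": 3344, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 4932, "ppid": 3344, "image": NET20 + r"\vbc.exe",
     "cmdline": '"' + NET20 + r'\vbc.exe" /noconfig @"' + TEMP + r'\l8lkjrlx.cmdline"'},
    {"pid": 4864, "ppid": 4932, "image": NET20 + r"\cvtres.exe",
     "cmdline": NET20 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
                + r'\RESF82B.tmp" "' + TEMP + r'\vbcEF569AF3B88440BCAAEF6ED148928F5.TMP"'},
    {"pid": 2136, "ppid": 3344, "image": TEMP + r"\tmpF721.tmp.exe",
     "cmdline": '"' + TEMP + r'\tmpF721.tmp.exe" ' + SAMPLE},
    # Control (constructed): Visual Studio driving the same compiler from a project directory.
    {"pid": 5000, "ppid": 1, "image": DEVENV, "cmdline": '"' + DEVENV + '"'},
    {"pid": 5100, "ppid": 5000, "image": NET20 + r"\vbc.exe",
     "cmdline": '"' + NET20 + r'\vbc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]

# Constructed registry-query events; the first is the report's geofence IoC, the second a control.
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation"
REG_EVENTS = [
    {"pid": 3344, "key": GEO_KEY},
    {"pid": 5000, "key": GEO_KEY},
]

COMPILERS = {"vbc.exe", "csc.exe"}
COMPILER_PARENT_ALLOWLIST = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumption: tune locally
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
TMP_EXE_RE = re.compile(r"tmp[0-9a-f]+\.tmp\.exe")
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_temp(path):
    return bool(TEMP_RE.search(path))


def detect_process_chain(events):
    """Return (rule, pid) findings over process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""

        # Rule 1: a .NET command-line compiler fed a response file from a user Temp
        # directory by something other than a build tool (the vbc.exe step above).
        if name in COMPILERS:
            m = RESPONSE_FILE_RE.search(e["cmdline"])
            if m and in_user_temp(m.group(1)) and parent_name not in COMPILER_PARENT_ALLOWLIST:
                findings.append(("compiler_response_file_in_temp", e["pid"]))

        # Rule 2: a tmpXXXX.tmp.exe in Temp started by a parent that also lives in
        # Temp (the tmpF721.tmp.exe step above).
        if TMP_EXE_RE.fullmatch(name) and in_user_temp(e["image"]) \
                and parent and in_user_temp(parent["image"]):
            findings.append(("dropped_tmp_exe_from_temp_parent", e["pid"]))
    return findings


def detect_geofence(reg_events, proc_events):
    """Rule 3: Geo\\Nation lookups by Temp-resident processes (the report's geofence IoC)."""
    by_pid = {e["pid"]: e for e in proc_events}
    return [("geofence_registry_query", r["pid"]) for r in reg_events
            if GEO_KEY_RE.search(r["key"]) and r["pid"] in by_pid
            and in_user_temp(by_pid[r["pid"]]["image"])]


if __name__ == "__main__":
    for rule, pid in detect_process_chain(EVENTS) + detect_geofence(REG_EVENTS, EVENTS):
        print(f"{rule}: pid {pid}")
```

Run as-is it reports PID 4932 (compiler fed a Temp response file by a non-build parent), PID 2136 (tmp*.tmp.exe launched from a Temp-resident parent) and PID 3344 (Geo\Nation lookup), and stays silent on the devenv.exe control pair. The NLS\Language opens are deliberately not a rule: the report shows the compilers themselves doing it, so it would fire on every build.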
Network
MITRE ATT&CK Enterprise v15
Downloads
Six files were written during the run. The report records sizes and hashes only, not paths; note that one of them is 78KB, the same size as the submitted sample, but with different hashes (MD5 afdfb4eb2b79106291438f1b9cdc7a2d).
-
Filesize: 1KB
MD5: b2f478062916042c73227162ab549e4c
SHA1: fa26d41681e56441a7e0c0bf5e474f5857316816
SHA256: eaeb9eb8944f5d17a0a10ebc361782cbea2331dafbaebc445863c33f87a49e72
SHA512: 7e6103b7d82c7a12bcec978deba62b3b9312230d84ef9cee6a18f514f1cac41d1442425fa9761eee44fae43714f6dd239929aad15d2f7c4ef0db7b433e1ae93c
-
Filesize: 14KB
MD5: d292c8fb0ca180ef2211455fa3d2936d
SHA1: 0eec5ba526ba20cc4cb413bcf5780e219ceeeca8
SHA256: 56e0f14a51844ea17f63958ec3c1ee50ea5f3432d4406a320cca7fed52dccd07
SHA512: edd816e84da21c9159b395256d81129612e8704e63ae550b1e177b17d5b560772617a916bb13ca7ed2a9b771048275fe806c405b4454e6c88360c1d57e718b01
-
Filesize: 266B
MD5: f11b9070ce5b54e3e6ce4b39e20b7522
SHA1: dbae81eea714d116813629b1f08c4228183435b9
SHA256: d54a4f9bf34eb67360fddc2bd38075ba7174ab4b768f3142aa551d5376c00727
SHA512: 1e885deef8b5260336d966302f768d75e35e07d6bb8f195d3671879beaa6bae1e2a34204ad4f4f2dd04c252daaf6c29052482e93fe5d2d8ad49209a11b4a1f99
-
Filesize: 78KB
MD5: afdfb4eb2b79106291438f1b9cdc7a2d
SHA1: 2d6b783e58fbccc130a8c6c0f4df13bfa5327cbf
SHA256: 909be2202f158a529786e972260cefb6999be130ded06ed0707c91ff0ae09655
SHA512: 2a018a746b3c143e1ac92a9d3d1189fb1fa92fef145f5a56ddb7a871120bf1e4f3b73e4fc09bc3948d43f13fe53915812146e87b22713c3c80424b8df0439a5b
-
Filesize: 660B
MD5: 1dd61b72adaddbd0ba1eaf0d057a60e5
SHA1: 4a83ae5ac2469b3c5f8af526e4c7d49ca93abe1c
SHA256: 7d032d232fbee81e1845794700b01e48c7cfdafb82e834cbde9ef77d4b61c547
SHA512: 0474c27df3f3459737a169e7b14d19f6bb7462b88bc16377fc986bee0208eac35a614473fdfde8d0566c8b43b528dda6a801813cf0fe6f0de898f675c81d9ce5
-
Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7