Analysis

max time kernel: 113s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 15:34
Static task: static1

Behavioral task: behavioral1
  Sample: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Resource: win10v2004-20241007-en
General

Target: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
Size: 78KB
MD5: c3188ef20600f037fa5bec196cfa86d0
SHA1: 4f90a91d9c70bb6b67a1d0257f0bd83aa3e4ef02
SHA256: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5d
SHA512: 56bf2c793e6299c3c1f8d929d99003082f3fbc9f9b96e16ba3da657ae63eb40491b2eb56f86c0b83bb95a8fb608bb03e93e60ecbbd25236a157fd535bb9877f4
SSDEEP: 1536:o5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96+9/9t1m6:o5jSpSyRxvhTzXPvCbW2UZ9/9p
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
  Process: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
Executes dropped EXE (1 IoC)
  PID 1668: tmp6C08.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  Process: tmp6C08.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: vbc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cvtres.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: tmp6C08.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3508: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Token: SeDebugPrivilege  PID 1668: tmp6C08.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3508 wrote to memory of 4780 | 3508 | d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe | 82
  PID 3508 wrote to memory of 4780 | 3508 | d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe | 82
  PID 3508 wrote to memory of 4780 | 3508 | d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe | 82
  PID 4780 wrote to memory of 2444 | 4780 | vbc.exe | 84
  PID 4780 wrote to memory of 2444 | 4780 | vbc.exe | 84
  PID 4780 wrote to memory of 2444 | 4780 | vbc.exe | 84
  PID 3508 wrote to memory of 1668 | 3508 | d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe | 85
  PID 3508 wrote to memory of 1668 | 3508 | d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe | 85
  PID 3508 wrote to memory of 1668 | 3508 | d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe"
  PID: 3508
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cvmr6pyx.cmdline"
      PID: 4780
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4FD7C701905543B094D040AF76B95B79.TMP"
          PID: 2444
          Signatures: System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmp6C08.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6C08.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
      PID: 1668
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads