Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2024 18:29
Static task: static1
Behavioral task: behavioral1
- Sample: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
- Resource: win10v2004-20241007-en
General
- Target: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
- Size: 78KB
- MD5: fa1f726c2bd7e3e3053ec9c9f2b2fcda
- SHA1: 4f7eaa0f880d1cbe4c48a8dd8ff11f1f3ec97dd0
- SHA256: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81
- SHA512: 140f7b066c9654e55ae7c842a3a6bba3e016848f19e0dc22162371c47afbd103edc7365201115dd40047167192c68a4c35ec52066f9c8d0718cd76c544e32d47
- SSDEEP: 1536:oV5jS6XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6zP9/p1qhC:oV5jSiSyRxvY3md+dWWZybP9/eC
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (process: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe)
- Executes dropped EXE (1 IoC)
  PID 3100: tmp75EB.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" (process: tmp75EB.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp75EB.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2244 (fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe)
  Token: SeDebugPrivilege, PID 3100 (tmp75EB.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2244 wrote to memory of 4668 (fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe, target 82)
  PID 2244 wrote to memory of 4668 (fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe, target 82)
  PID 2244 wrote to memory of 4668 (fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe, target 82)
  PID 4668 wrote to memory of 4876 (vbc.exe, target 84)
  PID 4668 wrote to memory of 4876 (vbc.exe, target 84)
  PID 4668 wrote to memory of 4876 (vbc.exe, target 84)
  PID 2244 wrote to memory of 3100 (fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe, target 85)
  PID 2244 wrote to memory of 3100 (fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe, target 85)
  PID 2244 wrote to memory of 3100 (fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe, target 85)
Processes
- C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe (PID 2244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4668)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h8alrkuh.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4876)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7753.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9958E2C7FF540DD9D18967DF8B5B8E7.TMP"
      - System Location Discovery: System Language Discovery
  - Child process: C:\Users\Admin\AppData\Local\Temp\tmp75EB.tmp.exe (PID 3100)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp75EB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads