Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 18:33
Static task: static1
Behavioral task: behavioral1
  Sample: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Resource: win10v2004-20241007-en
General
Target: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
Size: 78KB
MD5: fa1f726c2bd7e3e3053ec9c9f2b2fcda
SHA1: 4f7eaa0f880d1cbe4c48a8dd8ff11f1f3ec97dd0
SHA256: fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81
SHA512: 140f7b066c9654e55ae7c842a3a6bba3e016848f19e0dc22162371c47afbd103edc7365201115dd40047167192c68a4c35ec52066f9c8d0718cd76c544e32d47
SSDEEP: 1536:oV5jS6XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6zP9/p1qhC:oV5jSiSyRxvY3md+dWWZybP9/eC
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a remote access tool that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
- Deletes itself (1 IoC)
  pid | Process
  432 | tmp736B.tmp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  432 | tmp736B.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmp736B.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp736B.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1020 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
  Token: SeDebugPrivilege | 432 | tmp736B.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1020 wrote to memory of 1724 | 1020 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 82
  PID 1020 wrote to memory of 1724 | 1020 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 82
  PID 1020 wrote to memory of 1724 | 1020 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 82
  PID 1724 wrote to memory of 4544 | 1724 | vbc.exe | 84
  PID 1724 wrote to memory of 4544 | 1724 | vbc.exe | 84
  PID 1724 wrote to memory of 4544 | 1724 | vbc.exe | 84
  PID 1020 wrote to memory of 432 | 1020 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 85
  PID 1020 wrote to memory of 432 | 1020 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 85
  PID 1020 wrote to memory of 432 | 1020 | fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe"
   PID: 1020
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3y8zgxrt.cmdline"
      PID: 1724
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE920F51CAC4D4AB9A46A6B141B80957D.TMP"
         PID: 4544
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\tmp736B.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp736B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fca0eba34eab4134aa1856cfe5df3b5099af5a580d45f695abc886e31d125b81.exe
      PID: 432
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads