Analysis
max time kernel: 118s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 03-12-2024 19:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Resource: win10v2004-20241007-en
General
Target: 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
Size: 78KB
MD5: 581f9e5c8c590df7968f30199d0eb290
SHA1: f697c1b44cac00f00111d51ae8583940f93b0adc
SHA256: 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41f
SHA512: d369d37f4e5e393bf42c4661636750b0a74965056d02aba0c8346fa85e36da7ae7d13629a4534e519ba50b0c2c1fbdb1d409a0863ea28d5a876c8327c02d5b86
SSDEEP: 1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1:158Yn7N041Qqhg49/z
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Metamorpherrat family
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
Executes dropped EXE (1 IoC)
pid | Process
3096 | tmp7FBF.tmp.exe
Uses the VBS compiler for execution (1 TTP)
-
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp7FBF.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7FBF.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3480 | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
Token: SeDebugPrivilege | 3096 | tmp7FBF.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3480 wrote to memory of 3516 | 3480 | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe | 82
PID 3480 wrote to memory of 3516 | 3480 | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe | 82
PID 3480 wrote to memory of 3516 | 3480 | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe | 82
PID 3516 wrote to memory of 4636 | 3516 | vbc.exe | 84
PID 3516 wrote to memory of 4636 | 3516 | vbc.exe | 84
PID 3516 wrote to memory of 4636 | 3516 | vbc.exe | 84
PID 3480 wrote to memory of 3096 | 3480 | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe | 85
PID 3480 wrote to memory of 3096 | 3480 | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe | 85
PID 3480 wrote to memory of 3096 | 3480 | 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe | 85
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480 -
[depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j7j2ueyi.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516 -
[depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES807A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc254EC6208DA34994B7ED79B8C2B66DDA.TMP"
- System Location Discovery: System Language Discovery
PID:4636
[depth 2] C:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3096
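The process tree above shows the pattern the "Uses the VBS compiler for execution" and "Adds Run key to start application" signatures are keyed on: the sample drives vbc.exe with a response file (@*.cmdline) in its own Temp directory, vbc.exe spawns cvtres.exe for the resource step, and the parent then executes the freshly built tmp7FBF.tmp.exe, which writes a Run value pointing at AppLaunch.exe in Temp. The following is an added detection example written for this page, not code from the sandbox or from the sample. The events are constructed to mirror the report; the benign MSBuild control events, the placeholder SID, the name sample.exe and the extra PIDs are assumptions made for the example.

```python
"""Detection logic over constructed sandbox-style events: flags the .NET compiler
abuse chain (parent -> vbc.exe @*.cmdline -> cvtres.exe, then a tmp*.exe from Temp)
and Run-key persistence pointing into a temp directory. Events are constructed
for this example, modelled on the report above, not exported from a host."""
import re
from typing import Dict, List, Tuple

# Constructed process-creation events: (pid, ppid, image path, command line).
PROCESS_EVENTS: List[Tuple[int, int, str, str]] = [
    (3480, 1200, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (3516, 3480, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j7j2ueyi.cmdline"'),
    (4636, 3516, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES807A.tmp"'),
    (3096, 3480, r"C:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe'),
    # Benign control (assumed): a build tool invoking vbc.exe with a response file under obj\.
    (5100, 5000, r"C:\Program Files\MSBuild\MSBuild.exe", r"MSBuild.exe App.vbproj"),
    (5110, 5100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     r'vbc.exe /noconfig @"C:\src\App\obj\Debug\App.cmdline"'),
]

# Constructed registry value-set events: (pid, key path, value name, data). SID is a placeholder.
REGISTRY_EVENTS: List[Tuple[int, str, str, str]] = [
    (3096, r"HKU\S-1-5-21-0-0-0-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "System.XML", r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'),
    (7000, r"HKU\S-1-5-21-0-0-0-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
COMPILER_RE = re.compile(r"\\(vbc|csc)\.exe$", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Parents that legitimately drive the compilers; anything else is treated as suspicious.
BUILD_TOOL_ALLOWLIST = ("msbuild.exe", "devenv.exe", "dotnet.exe")


def first_token(command_line: str) -> str:
    """Return the executable path from a command line, honouring a quoted first token."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def find_temp_run_keys(reg_events) -> List[Dict]:
    """Run/RunOnce values whose target executable lives in a temp directory."""
    hits = []
    for pid, key, name, data in reg_events:
        if not RUN_KEY_RE.search(key):
            continue
        target = first_token(data)
        if TEMP_DIR_RE.search(target):
            hits.append({"pid": pid, "value": name, "target": target})
    return hits


def find_compiler_chains(proc_events) -> List[Dict]:
    """A non-build parent runs vbc/csc with a response file in Temp, and the same
    parent also executes a binary out of Temp: the compile-and-run pattern."""
    by_pid = {pid: (ppid, image, cl) for pid, ppid, image, cl in proc_events}
    hits = []
    for pid, ppid, image, cl in proc_events:
        if not COMPILER_RE.search(image):
            continue
        parent = by_pid.get(ppid)
        parent_image = parent[1] if parent else ""
        if parent_image.lower().endswith(BUILD_TOOL_ALLOWLIST):
            continue  # build tools are expected to invoke the compilers
        rsp = RESPONSE_FILE_RE.search(cl)
        if not rsp or not TEMP_DIR_RE.search(rsp.group(1)):
            continue  # response file outside Temp: treat as a normal build
        # Siblings of the compiler (same parent) that execute from a temp directory.
        dropped = [p for p, (pp, img, _) in by_pid.items()
                   if pp == ppid and p != pid and TEMP_DIR_RE.search(img)]
        hits.append({"compiler_pid": pid, "parent_pid": ppid,
                     "response_file": rsp.group(1), "temp_children_of_parent": dropped})
    return hits


if __name__ == "__main__":
    for hit in find_compiler_chains(PROCESS_EVENTS):
        print("compiler chain:", hit)
    for hit in find_temp_run_keys(REGISTRY_EVENTS):
        print("temp run key:", hit)
```

The allowlist on the parent image is what keeps the rule quiet on developer machines; the response-file location check is the second discriminator, since legitimate builds write their .cmdline under the project's obj\ directory rather than the user's Temp. The Run-key check deliberately ignores the value name (System.XML here) because that is trivially changed, and keys on the target path instead.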
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: ee8e0293820c115f9f98af50e71d8ac2
SHA1: 6fea37df005b866308280700ba3e606ab0d7203a
SHA256: 1b2f474bbe743302255f5a9f89d43eec03234a90d217cecdfc6a49ea7a1ac08b
SHA512: a6398ca9a193ed035a0e2e528becaa3ba29eaa55f3747d63d4dd1916ea183182f55c89ed0c5ad83731f3788054c751a12cdd07516677b46b3a80e901c21e5cd8
-
Filesize: 14KB
MD5: 94ae35f1f5e22ddceb3c300e2f0f61c3
SHA1: 3eb1a7c0bfed24ef14f2bbd4111f67c2998675ff
SHA256: 69de786a500eec5d4c7199cbfc43b85feda0851610f2cb87fd2e473eaa0e9412
SHA512: b3dd7273712b36301f77e130225c9466068446d0d490666acef703d01b29b29cf61e2d18af8b5f6dc3d8d49e07cde3834a800422df2c345e18ef234cdcd45a6d
-
Filesize: 266B
MD5: 3e533c98eac704e04ba1c525622fc073
SHA1: 338401b167244c46026e9899145cf0454a8dd266
SHA256: d6d4a40a96e41c101302163f136a59fbc7001d0464b642781cf330e06c7858fd
SHA512: 02ad4b6f066aaf0445308fbe9fecdb33475d2b029cf1a6f607490c7f862b33a382e3be1a95a95b471472e907dba9c50aca24a3992e6ae989f0e3d2d61116f78f
-
Filesize: 78KB
MD5: 02e5a1c45e56f6f244e4a309891005cd
SHA1: 3a919f1e76838ea5ff1f4550aa040cbd3880d63b
SHA256: e0e02ca7a4cc2737087ffb6605ce3ddd9b94c6280edf1e0a251d53165db47ae3
SHA512: b076afa8f8a5d30ff98adc8a913c8f519de0454ccb4986ed655165bdf08479852465280501e4c3c0fc6f45b07f64aec2abc518e91fc2311283d5782603c2f521
-
Filesize: 660B
MD5: 4cdef1ae23beb1a4ee3f3225a4539fdb
SHA1: ade6d603aefb7c532e593995060529be639a016d
SHA256: fa159734af7279eac4d29bc1d5def6c0ae9a02e1bb6c993f3b3a22bf5dfcc64f
SHA512: 25367f05236ebfed3be6daf76f3a0cc11573af1658c0ce9e76bbaaa9976a382be689a5603d9d66ccb5a7638e6f4f275a08dd2b362dd4c3b38b211f84783436ef
-
Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65