Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 23:12
Static task: static1
Behavioral task: behavioral1
  Sample: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
  Resource: win10v2004-20241007-en
General
Target: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
Size: 78KB
MD5: 572af0c2681ed64595528c7bcb1f22b8
SHA1: 42a3442c0b9f911a3c7cf4848d0a32c0e4abc795
SHA256: 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6
SHA512: d14f3acf669745ca895c89f2fd8c3a6b4bf0a3c590ccf8b5d328e6f7cd3558dd58d5e3ae7a04f760b46f09d82792615e678fc7486d34afd1361152413c9e4357
SSDEEP: 1536:/Py5jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96V9/H1AS:/Py5jS/SyRxvhTzXPvCbW2Ua9/R
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
Executes dropped EXE (1 IoC)
pid | Process
1788 | tmpAD57.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmpAD57.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpAD57.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3668 | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
Token: SeDebugPrivilege | 1788 | tmpAD57.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3668 wrote to memory of 1892 | 3668 | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe | 83
PID 3668 wrote to memory of 1892 | 3668 | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe | 83
PID 3668 wrote to memory of 1892 | 3668 | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe | 83
PID 1892 wrote to memory of 4040 | 1892 | vbc.exe | 85
PID 1892 wrote to memory of 4040 | 1892 | vbc.exe | 85
PID 1892 wrote to memory of 4040 | 1892 | vbc.exe | 85
PID 3668 wrote to memory of 1788 | 3668 | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe | 86
PID 3668 wrote to memory of 1788 | 3668 | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe | 86
PID 3668 wrote to memory of 1788 | 3668 | 6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3668
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnxs793b.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1892
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8132AE77BCDB41899BE8B0CAA47A9924.TMP"
            - System Location Discovery: System Language Discovery
            PID: 4040
    C:\Users\Admin\AppData\Local\Temp\tmpAD57.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAD57.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6c502ee0e70a630ab83a03ebcaf9c84ad1a833aa9424975d7c664f9014db7dc6.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 1788
Network
MITRE ATT&CK Enterprise v15
Downloads