Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 04-12-2024 22:27
Static task: static1
Behavioral task: behavioral1
  Sample: e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
  Resource: win10v2004-20241007-en
General
Target: e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Size: 78KB
MD5: 23dafd8e528d068d04df141bcc9de510
SHA1: 25c0b269b1ea02be114dee089d86b970fa631184
SHA256: e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e
SHA512: 34a6070bca3c1f86c6a48e6b50dd81b84d4d32be500e92d344bd6a6695326affa26091626b0c0abcfeab166f2f811abada69e95761921c4f9aa80d0815a36257
SSDEEP: 1536:EzWV59XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96CV9/JN1uNL:qWV5tSyRxvY3md+dWWZyfV9/JaL
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Executes dropped EXE 1 IoCs
pid | Process
3116 | tmpCA74.tmp.exe
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpCA74.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpCA74.tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4996 | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
Token: SeDebugPrivilege | 3116 | tmpCA74.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 4996 wrote to memory of 1736 | 4996 | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe | 83
PID 4996 wrote to memory of 1736 | 4996 | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe | 83
PID 4996 wrote to memory of 1736 | 4996 | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe | 83
PID 1736 wrote to memory of 4216 | 1736 | vbc.exe | 85
PID 1736 wrote to memory of 4216 | 1736 | vbc.exe | 85
PID 1736 wrote to memory of 4216 | 1736 | vbc.exe | 85
PID 4996 wrote to memory of 3116 | 4996 | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe | 86
PID 4996 wrote to memory of 3116 | 4996 | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe | 86
PID 4996 wrote to memory of 3116 | 4996 | e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe | 86
Processes (indented by parent/child level)
C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4996
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\majix680.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1736
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD72.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDD90CC52F4D4BA39BD12E7D33B013F3.TMP"
      - System Location Discovery: System Language Discovery
      PID:4216
  C:\Users\Admin\AppData\Local\Temp\tmpCA74.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpCA74.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e730b0f1927e5380d7ed505abbfaad0cc462dc33e7281ebd6cf74d92853c0d7e.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: b01d18ca76fb93d2e966de3754e21b37
SHA1: 643acd8224b50f68a5ac58c0ae7a6fb4925172d6
SHA256: c53e26d4103aeab9255d9fb03084ba1b3011baf5a71866c93256c7d1db2054f1
SHA512: ddcbe558e6d54be4857e9d1cfe8246c58f6c7d985617aae702080332c33f8730c8ed8e6388d0e91393015de1bfd1aee2426fc81cc43bc1f0bb9edaf3546dee78

Filesize: 14KB
MD5: 9b6f41b484a038ffe3016f4ba54b1e4c
SHA1: 5e99d327b824529114895e4f60f4aa68b212c303
SHA256: f76898b352075c0bef00d5109bd557c0ec7cb68e41681261d649cb85b4776120
SHA512: ea106d60d1bbcb107f0a1a5b90c3bbac9755f4cbef6777ae233273650cedf75ae59f4e111c781bd075cc840cd095200fe0be3d8646a5435a1820b25ed767ea77

Filesize: 266B
MD5: d8baf40555d0ec2bb258461c0afc4675
SHA1: 18122e2047003e181134cc2920fe5e75b1c4240d
SHA256: 1e4d4526acd3a449ced87a818058417f5e7709708a072308046ea267acd973a1
SHA512: f7f1aeed8df374dc3a7e3bb6a00468a86f1102a5b9168e163803de373944a8ef3d6ce9464d2bac3de214a542153727cd17b6852e59ec5003a661c04fd8252293

Filesize: 78KB
MD5: 28e3040f9e22eb05423bec812d942d8c
SHA1: e1194dd8c15fc570fcd448e8f7394e24626dd31c
SHA256: f051219e804a9af34f9ed4766fc0b913da0f689f90dd1a69c493148a76a3cd84
SHA512: bf47046069a64b805e72c44e1fa56a6e531ce9a4677e8e60863a6d806025704426e75edcf9a0a76368e755422994d03b02cc3cc129d6f21ae2236f11797d8838

Filesize: 660B
MD5: 8a0b8b7b1db35f243f1f91f1d7b1794b
SHA1: 49ec676317f9decb689601dc337672e093ca0c5f
SHA256: 69cd35e7644764628b376f2bbc2b3740a59f52630495db0a6630f43cd9b4c41a
SHA512: 7278ef6750a51911bd3c5fadc88d0e53c7b2728f1542e66a38c22287458dc952c6dc04e4106c559407364c49367096ad4c080394e40df526c2ee5f376c46853d

Filesize: 62KB
MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107