Analysis

Max time kernel: 120s
Max time network: 123s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04-12-2024 02:13

Static task: static1

Behavioral task: behavioral1
  Sample: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  Resource: win10v2004-20241007-en
General

Target: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
Size: 78KB
MD5: 3584d349a83e79620e77fbb65ac995e0
SHA1: 066e6a2d4e7cf22c557fa0a7544cd958e7da69a2
SHA256: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbc
SHA512: cb483d653e7d809e5123d4f4cdcdc66534d788ee390877bc6a7b3b7388d9b74be6e15b25997c93c3d602a8181bb39fd668e73ba0cf5103bce8bcaa7fa9c5479d
SSDEEP: 1536:We5hXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6g9/F1hn:We5hSyRxvY3md+dWWZyP9/J
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Reads the country code configured in the registry (Geo\Nation), most likely as a geofence check.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation
  Process: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe

Executes dropped EXE (1 IoC)
  PID: 2004
  Process: tmp9366.tmp.exe

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript interpreter. The sample runs it from the .NET Framework directory with a response file (@...cmdline) written to the user's Temp folder, and vbc in turn runs cvtres.exe to convert the resource file; see the process tree below. Compiling source at run time lets a dropper build its payload on the victim machine instead of carrying a finished executable that static scanners could match.

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes
  Value data: "C:\Users\Admin\AppData\Local\Temp\big5.exe" (quotes included)
  Process: tmp9366.tmp.exe
Note that the persisted path, C:\Users\Admin\AppData\Local\Temp\big5.exe, does not appear as an executed image in the process tree below: the sandbox recorded the Run value being written, not the file being run.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Description: Key opened
  IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe, vbc.exe, cvtres.exe, tmp9366.tmp.exe
Two of the four hits come from vbc.exe and cvtres.exe, Microsoft's own build tools, so opening this key is not by itself evidence of malicious intent.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID: 3612  Process: dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
  Token: SeDebugPrivilege  PID: 2004  Process: tmp9366.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                     procid_target
  PID 3612 wrote to memory of 3416   3612  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe   83
  PID 3612 wrote to memory of 3416   3612  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe   83
  PID 3612 wrote to memory of 3416   3612  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe   83
  PID 3416 wrote to memory of 3256   3416  vbc.exe                                                                     85
  PID 3416 wrote to memory of 3256   3416  vbc.exe                                                                     85
  PID 3416 wrote to memory of 3256   3416  vbc.exe                                                                     85
  PID 3612 wrote to memory of 2004   3612  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe   86
  PID 3612 wrote to memory of 2004   3612  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe   86
  PID 3612 wrote to memory of 2004   3612  dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe   86
Every write here is from a parent to its direct child in the process tree below. The sandbox raises this signature for the memory writes that accompany ordinary process creation as well as for injection, so these hits alone do not establish injection into a foreign process.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe  (PID 3612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3416, parent 3612)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mvjbtcmv.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 3256, parent 3416)
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9625.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC936193E41143118ED26A458965F71D.TMP"
            - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\tmp9366.tmp.exe  (PID 2004, parent 3612)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9366.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (3612) drives the .NET 2.0 Visual Basic compiler with a response file in Temp, vbc.exe calls cvtres.exe to turn a temporary resource file into a COFF object, and the sample then launches tmp9366.tmp.exe from Temp with its own path as the sole argument. The dropped executable is the process that writes the Run key. The report does not show what tmp9366.tmp.exe does with the path it is given.
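The chain above (a Temp-resident parent driving vbc.exe with a response file in Temp, a GetTempFileName-style tmpXXXX.tmp.exe launched from the same parent, and a Run value pointing back into Temp) is easy to turn into endpoint detection logic. The following is an added example, not part of the sandbox report or of any product: it runs three rules over constructed Sysmon-style events (EventID 1 process creation and EventID 13 registry value set, with Sysmon's field names, which is an assumption about the log format) whose values are copied from this report, plus a benign control in which MSBuild.exe invokes vbc.exe against a response file under a project's obj\ directory.

```python
"""Detection rules for the runtime-compile / dropped-EXE / Run-key pattern in
this report, run over constructed Sysmon-style events. Added example; the
event layout is an assumption, the paths and PIDs come from the report."""
import re

# Locations a dropper can write to without elevation (heuristic, case-insensitive).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\|\\programdata\\",
    re.IGNORECASE)
DOTNET_COMPILER = re.compile(r"\\(vbc|csc)\.exe$", re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
TEMPFILE_EXE = re.compile(r"\\tmp[0-9a-f]+\.tmp\.exe$", re.IGNORECASE)  # GetTempFileName naming
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
FIRST_EXE = re.compile(r'^"?([^"]+?\.exe)"?', re.IGNORECASE)  # leading path in value data

SID = "S-1-5-21-3350944739-639801879-157714471-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\dab05827c1608d680f5a5990016c089d5f5bc9736a8f8cae2179f9b7ddecacbcN.exe"
FX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed events mirroring the process tree and Run-key IoC in the report,
# followed by a benign developer build that must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 3612, "ParentProcessId": 1000, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 3416, "ParentProcessId": 3612, "Image": FX + r"\vbc.exe",
     "CommandLine": f'"{FX}\\vbc.exe" /noconfig @"{TEMP}\\mvjbtcmv.cmdline"'},
    {"EventID": 1, "ProcessId": 3256, "ParentProcessId": 3416, "Image": FX + r"\cvtres.exe",
     "CommandLine": f'{FX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES9625.tmp" '
                    f'"{TEMP}\\vbcCC936193E41143118ED26A458965F71D.TMP"'},
    {"EventID": 1, "ProcessId": 2004, "ParentProcessId": 3612, "Image": TEMP + r"\tmp9366.tmp.exe",
     "CommandLine": f'"{TEMP}\\tmp9366.tmp.exe" {SAMPLE}'},
    {"EventID": 13, "ProcessId": 2004, "Image": TEMP + r"\tmp9366.tmp.exe",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes",
     "Details": f'"{TEMP}\\big5.exe"'},
    # Benign control (constructed): MSBuild from Program Files compiles a project.
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 900,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": "MSBuild.exe App.vbproj"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig '
                    r'@"C:\Users\Admin\source\repos\App\obj\Debug\App.vbproj.cmdline"'},
]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def detect(events):
    """Return (rule, pid, evidence) findings, in event order."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            parent = procs.get(e["ParentProcessId"])
            parent_image = parent["Image"] if parent else ""
            # Rule 1: vbc/csc fed a response file in a scratch directory by a
            # parent that itself runs from a user-writable path.
            if DOTNET_COMPILER.search(e["Image"]):
                m = RESPONSE_FILE.search(e["CommandLine"])
                if m and is_user_writable(m.group(1)) and is_user_writable(parent_image):
                    findings.append(("runtime_dotnet_compile", pid, m.group(1)))
            # Rule 2: tmpXXXX.tmp.exe launched by a user-writable-path parent.
            if TEMPFILE_EXE.search(e["Image"]) and is_user_writable(parent_image):
                findings.append(("dropped_tempfile_exe", pid, e["Image"]))
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            # Rule 3: Run-key autostart whose target lives in a user-writable path.
            m = FIRST_EXE.match(e["Details"])
            if m and is_user_writable(m.group(1)):
                findings.append(("run_key_user_writable", pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule:24s} pid={pid:<5d} {evidence}")
```

Rule 1 requires both the response file and the parent to sit in a user-writable location, which is what keeps the MSBuild control quiet while still firing on the report's chain; relaxing it to either condition alone will page on ordinary developer builds and on Visual Studio's obj\ directories under Documents.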
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 52b2c6da060e58a339e6cfc663711cb9
SHA1: cad34f10bef73c340387ee96cc603de3afbbe0e2
SHA256: b06d90fa1c8d9db19f96b3bb09f02688e0467d3e642e14fb1d59b2b10ae14a67
SHA512: b7c37452367b8db592f756f3f93418e0a01ae8e594943a13300f62ac72a728ca1bf3223e488a387552ea2674437b0e578e0ef3488a3bb423a813ce61f2b3be0b

Filesize: 14KB
MD5: 63a0a42df8da67469a3ab7257ab06631
SHA1: 887ca1b6d6bfb19d43ff8165eb81ce742a659ec2
SHA256: 8144111d7350a8918fb325b5c4598d57c141b5677c249a46a564fac413c7b3a9
SHA512: 94cfdf96153c7010213f83e9664c47aa3b3dd1e9d58be6aad8a98c11574f7da9b512c449e25df8b1c16a5de7c318be54683072fcff6d045de0b67dce2a269964

Filesize: 266B
MD5: a4b805eb96f05ac54b6f5a8f5818e6f0
SHA1: 0021ed5aa8ba6c11b07bc07f507e0cd2d297a986
SHA256: f8e26bfe01f67e56dd67332bb7eef83186b874fe40a41df0b763c676c2888ad2
SHA512: c092e2118b215674471fbb478f80bc28c0316bc500cf5b75be17c9403ee5aa7cee97f1dbc5b363db22c4c0aa572545597a236546c9e110fbe2c95a57e86879cd

Filesize: 78KB
MD5: e082fb2658591dc24cd04ad7a42b1d25
SHA1: 1f621ae11f0b9c453421976ee5b3f9040ba96076
SHA256: 8ec384e11bbd60b634e1135e4dc1cc831cbf8818a5843c4dd6f0d9c01f6e1386
SHA512: 49eccaac59afafdceef8499c821cc102d8dc105927ed3dfdf4f34d6871425bf2493310f8547e274da9765c756b3a08d9c323607a4ef424642ce25855134b096e

Filesize: 660B
MD5: 163649c1958c8ff1534b91703fd2951c
SHA1: d867adf861d55b3a85fce56e2bf9191d4606ad15
SHA256: dfc6a0c3be19d4c94c1cd199f5e8d03b26804403023ab725f45302b27dc3f8d7
SHA512: a2e6d72d4eb00bcaac6c68ac81db218ace5f1449e6d85e1b535ab091e4fa138dab37800424371c0df075f537164a312fc127dc652ed159a8ec88992430018d3f

Filesize: 62KB
MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

The report lists hashes only, not the on-disk names of these files. One entry is 78KB, the same size as the submitted sample, but with different hashes (MD5 e082fb2658591dc24cd04ad7a42b1d25 versus the sample's 3584d349a83e79620e77fbb65ac995e0), so it is a distinct binary rather than a copy of the original.