Analysis
max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
04-12-2024 02:53
Static task
static1
Behavioral task
behavioral1
Sample
cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
Resource
win10v2004-20241007-en
General
-
Target
cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
-
Size
78KB
-
MD5
c50fecd6605ba752a20c774a20cc37e4
-
SHA1
a9b6162bc193847b01bde02000a95c76211e9d18
-
SHA256
cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf
-
SHA512
bf83caad2b50c6f308b24f7c8dce9d5950b79af82fa647d8f6df2a3f4206be13213b606eaec6c983b8f8d2d0281887c9b3a03f7bc36c8f90c0779922d7bb2eb3
-
SSDEEP
1536:sj584vZv0kH9gDDtWzYCnJPeoYrGQtC6K9/R18G:4584l0Y9MDYrm7y9/7
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
Metamorpherrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
Executes dropped EXE 1 IoCs
pid | Process
3388 | tmp77DF.tmp.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" | tmp77DF.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp77DF.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 528 | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
Token: SeDebugPrivilege | 3388 | tmp77DF.tmp.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 528 wrote to memory of 1892 | 528 | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe | 82
PID 528 wrote to memory of 1892 | 528 | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe | 82
PID 528 wrote to memory of 1892 | 528 | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe | 82
PID 1892 wrote to memory of 2364 | 1892 | vbc.exe | 84
PID 1892 wrote to memory of 2364 | 1892 | vbc.exe | 84
PID 1892 wrote to memory of 2364 | 1892 | vbc.exe | 84
PID 528 wrote to memory of 3388 | 528 | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe | 85
PID 528 wrote to memory of 3388 | 528 | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe | 85
PID 528 wrote to memory of 3388 | 528 | cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe | 85
Processes
-
(level 1) C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 528
  (level 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ffzrdyvc.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1892
    (level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79D3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1506F471E81B445580B2761B62C5CE5C.TMP"
        - System Location Discovery: System Language Discovery
        PID: 2364
  (level 2) C:\Users\Admin\AppData\Local\Temp\tmp77DF.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp77DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3388
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
525d2483c326eaaa99524cd55aeb7bef
SHA1
6bd2970e3757ebb7f55670d785b5afabc2ab6e7c
SHA256
6ea1a6215072c98d695e673008571e154359d46a43fe89a4a6cfeedddbcb226a
SHA512
28725411981f3ff8fd4da0815986f6b794728e3a633f13a3fb1530e8fa91b2119e8227a8dd853ae16bb9b661646bc0b82f8ef9accff7257eb29f07a4cf672c9c
-
Filesize
14KB
MD5
2b1d8373c2f04965fd1e1c9670f65b90
SHA1
5b24282713a474c24ab32aef42fa06c39377df88
SHA256
e081597294e2b22ae42d89928a00b548f2e2304751e8ecd1d96c0875139d3e63
SHA512
381934a9e272a0c894e875237ff037058ca3809fa047a33e14e681c01481c07feee8a3907de64721e5692a280b9f8091b310d46f1e1a33ae60c1110fedc775f1
-
Filesize
266B
MD5
4508dac7f3e624c96621bb7640d5142a
SHA1
0839efd2f41d400224fa3ce632d743d03ccb3f85
SHA256
9e6a93dfd0a4ba51caa43964766abc6e4665d5a21c6642c5dfabfc38d5727d5f
SHA512
91dc4066154de4517db1e6c3179d9f4cb53410b35a2fc3e274aa6860eec98ac48f7459c91d33d5484350510035531ad2ef7152f886a9b257c3331ba6e264537a
-
Filesize
78KB
MD5
41b2a1be5a3addfdd973a14e57791c42
SHA1
ce3bb45312af7df26eb83406f734ebdd517201a2
SHA256
a7c63abdb41531c938199e9473a5f779af71909d1242d43ca5b10a3992a2db78
SHA512
8eb70e0829e8d995c6173bec525b5c109b322e199ccb3fcc084136c19cc6a5f3fc5c3b4fd7072e867b8f09f05b8cc314c75b6b026b75238792404ac4e224cbd8
-
Filesize
660B
MD5
8ed50f04b613ab44453ff8bc80346625
SHA1
9d7eca084c3051c650e0c02cd230ac8ff9396095
SHA256
6a7025846fb128fd8881103d874306e238c6c3ec10aaafd32e75cc784a5ab726
SHA512
04524eb5db777322b32682fcfc8b9da6a9eea1ca727ef14afc5e15be9b115f3f49caacb05c5213291e411ebe77f8d043c5a63a847f4914817336480abcecc961
-
Filesize
62KB
MD5
8b25b4d931908b4c77ce6c3d5b9a2910
SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d