Analysis
max time kernel: 103s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 06:45
Static task: static1
Behavioral task: behavioral1
  Sample: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
  Resource: win10v2004-20241007-en
General
Target: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Size: 78KB
MD5: 7afe3e8926bce1c2bc8a5b17ab2694a4
SHA1: 71e7cb335cbf7285da9153aaa019417522240c75
SHA256: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc
SHA512: c52202fed5e14f32745fa2a21d3f4a480347203dc4dc10dc47d03874d5a27ddc4e74a5cc997cc7723588b5461bdb499768b9eefc96102491e4a42564a146b448
SSDEEP: 1536:CsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkB9//1CYE:CsH/3DJywQjDgTLopLwdCFJzkB9/dE
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool (RAT) that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Deletes itself (1 IoC)
pid | Process
968 | tmp71F4.tmp.exe
Executes dropped EXE (1 IoC)
pid | Process
968 | tmp71F4.tmp.exe
Uses the VBS compiler for execution (1 TTP)
The sample launches vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (it is not a VBScript engine), with a response file, so code is compiled on the victim at run time rather than shipped as a finished binary. The vbc.exe and cvtres.exe entries in the process tree below are this step.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp71F4.tmp.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4572 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4572 wrote to memory of 4124 | 4572 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 82
PID 4572 wrote to memory of 4124 | 4572 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 82
PID 4572 wrote to memory of 4124 | 4572 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 82
PID 4124 wrote to memory of 4544 | 4124 | vbc.exe | 84
PID 4124 wrote to memory of 4544 | 4124 | vbc.exe | 84
PID 4124 wrote to memory of 4544 | 4124 | vbc.exe | 84
PID 4572 wrote to memory of 968 | 4572 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 85
PID 4572 wrote to memory of 968 | 4572 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 85
PID 4572 wrote to memory of 968 | 4572 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 85
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe"
  PID: 4572
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5m3llana.cmdline"
    PID: 4124
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES738A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc883100619EEE48D9B5E8126D2CDB21D1.TMP"
      PID: 4544
      - System Location Discovery: System Language Discovery
  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp71F4.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp71F4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
    PID: 968
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
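The chain in the tree above has a recognisable shape in endpoint telemetry: the root process reads both the GeoID (Control Panel\International\Geo\Nation) and the install-language key (Control\NLS\Language), spawns vbc.exe with a .cmdline response file (which in turn runs cvtres.exe), and then starts a dropped tmp71F4.tmp.exe with the original sample's path as its argument. The Python below is an added example, not part of the sandbox report or of the sample, showing detection logic for those three behaviours run over a constructed Sysmon-style event list that mirrors the rows on this page. The Event layout, the explorer.exe parent with pid 1000 for the root process, the DEV_PARENTS allowlist and the reading of "dropped temp exe given its parent's path" as a cleanup handoff are assumptions made for the example.

```python
# Added example: detection logic for the behaviours in the report above, run
# over constructed events. Not code from the sandbox or from the sample.
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE_NAME = "d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"


@dataclass
class Event:
    kind: str                 # "process" (creation) or "regquery" (key read)
    pid: int
    image: str                # image path of the acting process
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    key: str = ""             # registry key, regquery events only


# Key suffixes the report shows being read; matched case-insensitively on the
# tail so HKCU/HKLM prefixes and ControlSet aliases all hit.
GEOFENCE_KEY_SUFFIXES = (
    r"\control panel\international\geo\nation",
    r"\control\nls\language",
)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allowlist of parents for which on-the-fly compilation is expected.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
CMDLINE_RESPONSE_FILE = re.compile(r'@"?[^"\s]*\.cmdline\b', re.IGNORECASE)
TEMP_DROPPER = re.compile(r"tmp[0-9a-f]{4}\.tmp\.exe", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (finding, pid, context) tuples for the three behaviours."""
    findings: List[Tuple[str, int, str]] = []
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}

    # 1. Geofence lookup: one process reads both the GeoID and the install
    #    language. Either key alone is noisy (installers, locale-aware apps);
    #    both from the same process is the pattern worth alerting on.
    touched: Dict[int, Set[str]] = {}
    for e in events:
        if e.kind != "regquery":
            continue
        k = e.key.lower()
        for suffix in GEOFENCE_KEY_SUFFIXES:
            if k.endswith(suffix):
                touched.setdefault(e.pid, set()).add(suffix)
    for pid, suffixes in touched.items():
        if len(suffixes) == len(GEOFENCE_KEY_SUFFIXES):
            image = basename(procs[pid].image) if pid in procs else "?"
            findings.append(("geofence_lookup", pid, image))

    # 2. Runtime compilation: vbc/csc fed a response file by a parent that is
    #    not a development tool (here the parent is the sample itself).
    for e in procs.values():
        if (basename(e.image) in DOTNET_COMPILERS
                and CMDLINE_RESPONSE_FILE.search(e.cmdline)
                and basename(e.parent_image) not in DEV_PARENTS):
            findings.append(("runtime_compile", e.pid, basename(e.parent_image)))

    # 3. Cleanup handoff: a dropped tmpXXXX.tmp.exe started with its parent's
    #    own path on the command line (assumed reading of the "Deletes itself"
    #    row: the child is handed the file it is expected to remove).
    for e in procs.values():
        if (TEMP_DROPPER.fullmatch(basename(e.image))
                and e.parent_image
                and e.parent_image.lower() in e.cmdline.lower()):
            findings.append(("self_delete_handoff", e.pid, basename(e.parent_image)))
    return findings


# Constructed events mirroring the process tree and registry rows above.
SAMPLE_PATH = TEMP + "\\" + SAMPLE_NAME
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SAMPLE_EVENTS = [
    Event("process", 4572, SAMPLE_PATH, 1000, r"C:\Windows\explorer.exe",  # parent assumed
          f'"{SAMPLE_PATH}"'),
    Event("regquery", 4572, SAMPLE_PATH, key=GEO_KEY),
    Event("regquery", 4572, SAMPLE_PATH, key=NLS_KEY),
    Event("process", 4124, NETFX + r"\vbc.exe", 4572, SAMPLE_PATH,
          f'"{NETFX}\\vbc.exe" /noconfig @"{TEMP}\\5m3llana.cmdline"'),
    Event("regquery", 4124, NETFX + r"\vbc.exe", key=NLS_KEY),
    Event("process", 4544, NETFX + r"\cvtres.exe", 4124, NETFX + r"\vbc.exe",
          f'{NETFX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES738A.tmp" '
          f'"{TEMP}\\vbc883100619EEE48D9B5E8126D2CDB21D1.TMP"'),
    Event("regquery", 4544, NETFX + r"\cvtres.exe", key=NLS_KEY),
    Event("process", 968, TEMP + r"\tmp71F4.tmp.exe", 4572, SAMPLE_PATH,
          f'"{TEMP}\\tmp71F4.tmp.exe" {SAMPLE_PATH}'),
    Event("regquery", 968, TEMP + r"\tmp71F4.tmp.exe", key=NLS_KEY),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed stream this yields one finding per behaviour, all attributed to the root sample: the geofence lookup on pid 4572, the compiler launch on pid 4124 with the sample as parent, and the handoff to pid 968. vbc.exe, cvtres.exe and tmp71F4.tmp.exe each read NLS\Language too, but none of them also reads Geo\Nation, so check 1 does not fire for them; a rule on the language key alone would.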
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 15KB
MD5: 8c4a512868ce8189569faa74611a08f4
SHA1: a5f744705a16539f8a7f596930a2e7a8cbd183d2
SHA256: aee4e5412f7054a346c8c43f56310bf94252b8e8159e373ddcdc0e5c2c8277e2
SHA512: 8b1012680fc090644628351f9ae0e1c82e8b6d523da37478928dab945b0ab5a73dccad26266e4cafe222998ea484eed098989a6771d3ba8116f19102d9cb94dc

Filesize: 266B
MD5: b8a5c1c3608780a5a439681fb0c17cb3
SHA1: 579b799173a8abf818c7de42b2bd92b046f576d4
SHA256: 777d8498f11759ec4a194fe75f40977c203aa10f521d84095a0b959899e9f4e7
SHA512: eafa5769442b296320e5bd8eb040f6a9addeb2347a51a270753eca1474fcc43406e3d02e027d10a7e1ceaed2a8e41c7873a799d93e58ed1618d6a79606e8e40f

Filesize: 1KB
MD5: f5398570b682ec2fb85a36cd356c4ac3
SHA1: 585484e4dbd42427cdc1cb70c2cbfb6634950b55
SHA256: 6e0df2812f1da825c9fdfdc8e595959b7947deef20c2b40371cc2cd4a15ad89f
SHA512: 4e7ea82a58830a0b901f8dede0507efc670c47aa9876af0eab18af838894c9fb060248092eb95027ecf811be31508f34b3abc1d37f74a2ec68cfa7642b99f279

Filesize: 78KB
MD5: 012bddc5046a4ee597b0a913b4d7e163
SHA1: 69c80dbd107990d00fcfb2c3691d9ae6e6100122
SHA256: b9f3ecbfd4e7758406ff0e77353432f9c20da1db80a93a0997a83259ec5be434
SHA512: cb12111c326661360994107cdce3e257176ff2e05d9d3c034683bb924740828ad0944e59be8e708c8e87e7b2243841a2e06c6a97c5ad971735bba2e4605c242e

Filesize: 660B
MD5: 7b9b8431ea1fd75c38bc7a98a7aae08c
SHA1: 4bcb6d89a624843097afa4aa617b9bf59799b682
SHA256: ad2ba44d7efc44cb46b853006fddae64aa9ff605d675188af1e61b4a6af9a481
SHA512: ca276480bf280e520d0bb778543e82fe97e48dde119bdb92a77f2499a970741795a638cd7f97fdb732fe0bf9c15e25517a0abcd07c4a1982714d2bbfa626872a

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7