Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 06:48
Static task: static1
Behavioral task: behavioral1
Sample: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Resource: win10v2004-20241007-en
General
Target: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Size: 78KB
MD5: 7afe3e8926bce1c2bc8a5b17ab2694a4
SHA1: 71e7cb335cbf7285da9153aaa019417522240c75
SHA256: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc
SHA512: c52202fed5e14f32745fa2a21d3f4a480347203dc4dc10dc47d03874d5a27ddc4e74a5cc997cc7723588b5461bdb499768b9eefc96102491e4a42564a146b448
SSDEEP: 1536:CsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkB9//1CYE:CsH/3DJywQjDgTLopLwdCFJzkB9/dE
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe

Deletes itself (1 IoCs)
pid | Process
1620 | tmp9BC3.tmp.exe

Executes dropped EXE (1 IoCs)
pid | Process
1620 | tmp9BC3.tmp.exe

Uses the VBS compiler for execution (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp9BC3.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4280 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
Token: SeDebugPrivilege | 1620 | tmp9BC3.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4280 wrote to memory of 3324 | 4280 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 83
PID 4280 wrote to memory of 3324 | 4280 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 83
PID 4280 wrote to memory of 3324 | 4280 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 83
PID 3324 wrote to memory of 3008 | 3324 | vbc.exe | 85
PID 3324 wrote to memory of 3008 | 3324 | vbc.exe | 85
PID 3324 wrote to memory of 3008 | 3324 | vbc.exe | 85
PID 4280 wrote to memory of 1620 | 4280 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 86
PID 4280 wrote to memory of 1620 | 4280 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 86
PID 4280 wrote to memory of 1620 | 4280 | d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe | 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4280

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dbymratz.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3324

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAECAB3C0C89043F9978FEE5C6D33ABF.TMP"
         - System Location Discovery: System Language Discovery
         PID: 3008

   2. C:\Users\Admin\AppData\Local\Temp\tmp9BC3.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9BC3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 1620
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 852ac326a7f05a2c70fc64cc12cc6bd1
SHA1: 7f0a0c418dd587b0f505ee2bdcbb5658337a7999
SHA256: 092c590eb041b65aea998c3723064b9fe299b2d54bc009982a1a5326be042343
SHA512: eea9329dd718a9c8b43cb20986b5e45ab713a753be5b35ebc8b0c16ce4fb25e7f56afd6c72b1afef0206d6a1983f5275731cbad07fea63d21739c160522b5e03

Filesize: 15KB
MD5: e8676b6c83aabddf1b1c714b55904ba4
SHA1: 2215b91d451bc238a6c7e60bb167a0941d1f9025
SHA256: 2e41f5e36b7c90e3dc7b5064d8457618ca3c926f1a0ad1886c61bf2fc18c4f3c
SHA512: 6e894175d71fc50cead24709c13fa62e6f731128ef9a934aee549286bb556b5c9c962eea52d28b261ad0a180fd9ec4d85cca6b308da03b54b8e515d720c5bd2c

Filesize: 266B
MD5: 453cfbe3f0813e7cd95bd08279033600
SHA1: dcce049ce4265c63786f9fd22b8ccb146d9be1f1
SHA256: 787e2a39da7c42ed9c06d98b92e80e327b1a9939bda409e56862d657acde83e2
SHA512: 96d05e81c1ce95bd3a08fcb89aa60f35f70d36c54dbe9606500697bb1676820f21b2f0c24de3a44787cafed13169c26d3bfd585a9a630c9b2ce05b6e4935dc5c

Filesize: 78KB
MD5: a784b6136e45b2389ff7f45e023bb573
SHA1: 9439f804792549cf79e755a7a311892dda1d325e
SHA256: 3d6c36f36315025383d19ac8d85284ae4d3df6294d9cdf9a5bdc3b77a4573662
SHA512: e54801f67b1745a149aead27450b162f6163e3ebcd69f0423cc2208992341468bd84b1448153bd95bd083ede2a5d288da4a1ac6555524e3b5f488160ec58b15d

Filesize: 660B
MD5: f0920405b25b8cba4d0f090011e04732
SHA1: 1ad5887ac47a98c3fd3b67f8be50c1e3dd19b4f5
SHA256: 8f65a61a0f28ce5e8fa7e1273db90e9ce143b080cccedda056a6ca62eb7b844c
SHA512: d15e7dfd0a9c7f07026996957c75cdc689a9bc4a7b6ecfb296fc396e1a0acaf6ef7a861177d0fd105945c750e67b6abf9658fd16a2bf3e490771fe09fbba6e34

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7