Analysis
max time kernel: 102s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 07:38

Static task: static1

Behavioral task: behavioral1
Sample: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
Resource: win10v2004-20241007-en
General
Target: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
Size: 78KB
MD5: 5e89b0338575ddd2be5c11790cef6610
SHA1: f0e5e9cbda347a1e7e30c4af945c3bc72c96d286
SHA256: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596
SHA512: e5754a544c49b7441975c98bb1119a31fb531638d3307a438e882486e47534ba6d0bdf19ffe7b1ebd8cf7bd0bfe9451dafd705d030bbf52f6ef4c9daf5a1ba20
SSDEEP: 1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zg:sWV58BJywQjDgTLopLwdCFJzF9/2J
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
  Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe

Deletes itself (1 IoC)
  pid: 3744
  Process: tmp9B36.tmp.exe

Executes dropped EXE (1 IoC)
  pid: 3744
  Process: tmp9B36.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: vbc.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: cvtres.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: tmp9B36.tmp.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 4960; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 4960 wrote to memory of 2508; pid: 4960; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe; procid_target: 82
  description: PID 4960 wrote to memory of 2508; pid: 4960; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe; procid_target: 82
  description: PID 4960 wrote to memory of 2508; pid: 4960; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe; procid_target: 82
  description: PID 2508 wrote to memory of 2996; pid: 2508; Process: vbc.exe; procid_target: 84
  description: PID 2508 wrote to memory of 2996; pid: 2508; Process: vbc.exe; procid_target: 84
  description: PID 2508 wrote to memory of 2996; pid: 2508; Process: vbc.exe; procid_target: 84
  description: PID 4960 wrote to memory of 3744; pid: 4960; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe; procid_target: 85
  description: PID 4960 wrote to memory of 3744; pid: 4960; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe; procid_target: 85
  description: PID 4960 wrote to memory of 3744; pid: 4960; Process: 96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe; procid_target: 85
Processes
C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4960

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yeu_bp60.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2508

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C30.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F6BFA8BF2854E8C81D1B3B04E137D5.TMP"
      - System Location Discovery: System Language Discovery
      PID: 2996

  C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96f00c2a0e521d6f9c3bb377b264735135130843dd4f31c017491f51808c6596N.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3744

Downloads