Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Resource: win10v2004-20241007-en
General
Target: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
Size: 78KB
MD5: c2c5d0ef549670f2df92a41b047e8bdf
SHA1: 10775205638556dc83fcc2e0f8b272099a67d13d
SHA256: d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943
SHA512: cef24ed209d0ea122130f9fdf526659485fadb0621ef077486356ddef8a0588b923def50cbe9f0f0fe1166a496a3e4953b886f962c98e1e807728257303163f5
SSDEEP: 1536:OPWtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtS9/K1+mO:OPWtHFon3xSyRxvY3md+dWWZyS9/yO
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
- Deletes itself (1 IoC)
  pid | Process
  3160 | tmpF973.tmp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3160 | tmpF973.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpF973.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF973.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2420 | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Token: SeDebugPrivilege | 3160 | tmpF973.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2420 wrote to memory of 960 | 2420 | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe | 83
  PID 2420 wrote to memory of 960 | 2420 | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe | 83
  PID 2420 wrote to memory of 960 | 2420 | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe | 83
  PID 960 wrote to memory of 4616 | 960 | vbc.exe | 85
  PID 960 wrote to memory of 4616 | 960 | vbc.exe | 85
  PID 960 wrote to memory of 4616 | 960 | vbc.exe | 85
  PID 2420 wrote to memory of 3160 | 2420 | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe | 86
  PID 2420 wrote to memory of 3160 | 2420 | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe | 86
  PID 2420 wrote to memory of 3160 | 2420 | d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe | 86
Processes
C:\Users\Admin\AppData\Local\Temp\d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2420
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtke23np.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 960
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc527C3664B3774292BE76EEDD9A459DB2.TMP"
      - System Location Discovery: System Language Discovery
      PID: 4616
  C:\Users\Admin\AppData\Local\Temp\tmpF973.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF973.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d395b9fcd1d819bd0d58451c543f972c27a5e0f7258ca965944f06e5d979f943.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3160
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c2975280249167d5f26d9112b9a3951c
SHA1: 8fb282834973229daa0a7fb727a54d0a3c8aa987
SHA256: 8134132dc6b112a882efa2e7ec77b1440de6933c0aa76054f3fb9d7bffd163a8
SHA512: 2a17ffa1499ae00fdb2bbb60c1d41969e8dc439371eb1e069c8f517f9f0e66e13a9d7535004d6bc6e6e216629de981758d86e94cdb9ab856c318847d4053710f

Filesize: 78KB
MD5: 373aa5329e97a3f9c3446130cdce7117
SHA1: 1f67ede1a3f70d08355ff479357e48390d8e17ff
SHA256: 158412a36a6ebaf2728da8830da602390c3ca438e363aad06579fc51b240ac39
SHA512: 5daf7477f11d91166feeb466bccd4fe699ab97a9e73205a51f4c9ab4a2b6a65c08c920c9633c3c80d3fbb575780ee7e6ef6c9fbb25494037c78c142f99b4112f

Filesize: 660B
MD5: b146c4d6240b8fbf4b191fcb5a977727
SHA1: 2bc2380fd8040fcec2d83317f6583be31513382e
SHA256: 6a26565d6b015a32b124c8269dd94abfcc8fd3b3c7c8c9696f68b8ea2bbffb62
SHA512: accc144f35ff3536493104158dd2c0c2a937be51c649627b8b94d4087bae85d522fa79c7558b8b114c9c469f557417ba2b473f4e017e10d5b4008b0bc32e24bf

Filesize: 15KB
MD5: 31c2649983ca9e7e7e330e53586844db
SHA1: 9d0b377518d3f2df5f07ffef57f565ae5e90cefd
SHA256: dcff52f1a258d6a77f96eabd3d74a873b0aaf114e0dd65af20a31aa7724fc936
SHA512: 47bcb2f9d76bb7404e6446872c653d7137a1d1c22dbc90fa0c687cfd5acddc1057b30365074c179e6d39efbb3e03f14616257551bc2a7fa2f9e208bec45f48f7

Filesize: 266B
MD5: 65e754246c6ce5675e5aed96097e2fea
SHA1: 8a272e1dad83f29823f6f627fffd0c6cf8a3cdee
SHA256: 44ece7979d1aa01abbdbe62c3cd94ed975dd739ae6b43e20f752fcae665221a3
SHA512: 993b6d8e4eec9b53692100b82696b8fa114f14b34364cca61f0644e283f2eefcc7ff7e158faeedaad5c8980957f28410e13818d903fa6526d338a11bcedbaacb

Filesize: 62KB
MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107