Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-12-2024 18:11
Static task
static1
Behavioral task
behavioral1
Sample
af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Resource
win10v2004-20241007-en
General
-
Target
af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
-
Size
78KB
-
MD5
8b21473aab7cfe0c66f8c8e13d837390
-
SHA1
44b0d602c5d0e4b7690dba2470bcd411531bfb70
-
SHA256
af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45
-
SHA512
cd3707020715400af49fea51325af2b5f318b7cf850626efc9a759dbba5190a367be6e0daa0b62d719e98d15845240d463463898715645ae33014a2d49d7aac6
-
SSDEEP
1536:SCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtdx9/Q1dv:SCHs3xSyRxvY3md+dWWZyj9/c
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
-
MetamorpherRAT family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                          Process
Key value queried   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
-
Deletes itself 1 IoCs
pid    Process
2860   tmpBE3F.tmp.exe
-
Executes dropped EXE 1 IoCs
pid    Process
2860   tmpBE3F.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description       ioc                                                                                                                                                          Process
Set value (str)   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""   tmpBE3F.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vbc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tmpBE3F.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid    Process
Token: SeDebugPrivilege   1384   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
Token: SeDebugPrivilege   2860   tmpBE3F.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description                       pid    Process                                                                  procid_target
PID 1384 wrote to memory of 652   1384   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe   83
PID 1384 wrote to memory of 652   1384   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe   83
PID 1384 wrote to memory of 652   1384   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe   83
PID 652 wrote to memory of 3420   652    vbc.exe                                                                  85
PID 652 wrote to memory of 3420   652    vbc.exe                                                                  85
PID 652 wrote to memory of 3420   652    vbc.exe                                                                  85
PID 1384 wrote to memory of 2860  1384   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe   86
PID 1384 wrote to memory of 2860  1384   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe   86
PID 1384 wrote to memory of 2860  1384   af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe   86
Processes
-
C:\Users\Admin\AppData\Local\Temp\af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dbpk6mtt.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:652
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC052.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc78E8AF189C0E4E82B3745768E07777AC.TMP"
          - System Location Discovery: System Language Discovery
          PID:3420
    C:\Users\Admin\AppData\Local\Temp\tmpBE3F.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBE3F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\af327173b89bae0413e4195c724a097091dd6cc1c23d8a501f9e9718bd3f1c45N.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:2860
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
9f55d67e83663aec4581a5e8c21fe8da
SHA1
d002bb0a7020baf9aa5b641893f7ba4247506488
SHA256
55a3c7a2e384077465e7e7b42ebdf3ddd23276606ff0bbe4ef84cc03b737d577
SHA512
7183323b5d9fb43e4803c0f6250b70e65bdbc278ff427b43be5fac291a05dc851bbf3609e16e6800047a34382d2a10e1123fa27b78d49e23b02ffcebe503d275
-
Filesize
15KB
MD5
5b2f812b1a6755b8057ee02aaccb74d9
SHA1
4230fd654afb303e822c1c848c35ef7b642288cb
SHA256
bd734661e6c11a952c5a49dea2a894f03cc91e78ed3362bbb818820c0086cc7e
SHA512
95668f0a48d3e1ed6c5779ac25c3e776e97895df34ad39017dcb00d900837f9abb256dc9e9c255432cedf7680d2adad735e1f3c6c814ff46ef2b25da6545cb6d
-
Filesize
266B
MD5
6d877ae38d9d18a990369017e74a17f3
SHA1
be1a6313b738f0d2d3cd79e3a1eb740ac9aa67ef
SHA256
c9e527e7cf996458a35a7ed9e5c5237bd5a789bd898dfb76386ad35595ee769f
SHA512
a7295cbcbb18dd91291010cce7ae822ead4af17456b088f03ad5c6128695baf210f14c3cc33c0b78192475c7a680eddfa0a7cb2747ac0c41a0fd8d61f10031db
-
Filesize
78KB
MD5
7382be1bf6cdcce18729a62c5f5a8561
SHA1
55f317cfceef29edffb174623027e5857199d2b2
SHA256
72e08d1bf8c328416ba4f85751c751649ae13c9f6c5c8cf366950cbd385a40d0
SHA512
5ba0bdf98c8c3af0220e9a3d454f6414cbb6cd4155888f3760657a76849340fe430dafb1f34a30a2cfdd97c8dd1c10ef5066a5f0f27dae2774909dbae354901a
-
Filesize
660B
MD5
226b969eda670968a08e6b3bdbf62a6f
SHA1
fde6378d1d8d195b8199312aff33fc9a7c45198d
SHA256
a56afb01677549e3b5a0af38c936422a193ce317cef955a3c70547a0304e5490
SHA512
9a06646bb341bfc6144703d610d30d649a1e8dad22908d93d6a76d56f2ab34867125d89bad458081bb11eb7c91ccf2213cb5ea5f79e0ca284082f5a7f9c4432f
-
Filesize
62KB
MD5
4f0e8cf79edb6cd381474b21cabfdf4a
SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107