Analysis
max time kernel: 110s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 19:46
Static task: static1
Behavioral task: behavioral1
  Sample: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
  Resource: win10v2004-20241007-en
General
Target: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
Size: 78KB
MD5: 7eec8047ab601bd58f2c3bb8c8567d50
SHA1: 4e68de6596162bf302c33712c013d4ab98957fdb
SHA256: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219e
SHA512: 23a960119a828a0d1a17ab20fd092ce1565796877a1a60c1012ecff7b37ce7440b76bd15c61d3b79248e80a976fedf47500e2a92407a0b18d4e54733e062585c
SSDEEP: 1536:EzWV59XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt96CV9/JN1uN:qWV5tSyRxvY3md+dWWZyfV9/Ja
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe)
- Executes dropped EXE (1 IoC)
  PID 1324: tmp808A.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" (process: tmp808A.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe, vbc.exe, cvtres.exe, tmp808A.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4016 (c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe)
  Token: SeDebugPrivilege, PID 1324 (tmp808A.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4016 (c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe) wrote to memory of PID 4780, procid_target 83 (3 events)
  PID 4780 (vbc.exe) wrote to memory of PID 2216, procid_target 85 (3 events)
  PID 4016 (c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe) wrote to memory of PID 1324, procid_target 86 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe (PID 4016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmmzxs__.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2216)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8126.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85729AC370FF41E2B7E537A9B343095.TMP"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp808A.tmp.exe (PID 1324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp808A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c35ed95ba7840798c78c686fb075697d21b3b3d4a88c58be68493b12d237219eN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads