Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2024 23:49
Static task: static1
Behavioral task: behavioral1
- Sample: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
- Resource: win10v2004-20241007-en
General
- Target: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
- Size: 78KB
- MD5: c3a1198b17e210186d0f8d4d59965880
- SHA1: beae2dcb7ac5d4da4025f1ad6afd559a726d2453
- SHA256: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837
- SHA512: f72add240e530c845129fcd10548c20b6e7c6ee6378be469317eda123d91d0081341836c915ceb41eacb53ccc529a1a7fbbc1481fb3a7d03f2f52858870e7787
- SSDEEP: 1536:mHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC9/t18G:mHFonhASyRxvhTzXPvCbW2UC9/b
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe)
- Deletes itself (1 IoC)
  PID 4572: tmp803C.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 4572: tmp803C.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmp803C.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp803C.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3116 (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe)
  Token: SeDebugPrivilege, PID 4572 (process: tmp803C.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3116 wrote to memory of 3976 (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe, procid_target: 83)
  PID 3116 wrote to memory of 3976 (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe, procid_target: 83)
  PID 3116 wrote to memory of 3976 (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe, procid_target: 83)
  PID 3976 wrote to memory of 5052 (process: vbc.exe, procid_target: 85)
  PID 3976 wrote to memory of 5052 (process: vbc.exe, procid_target: 85)
  PID 3976 wrote to memory of 5052 (process: vbc.exe, procid_target: 85)
  PID 3116 wrote to memory of 4572 (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe, procid_target: 86)
  PID 3116 wrote to memory of 4572 (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe, procid_target: 86)
  PID 3116 wrote to memory of 4572 (process: 4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe, procid_target: 86)
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3116
  Process (depth 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnwncdzf.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3976
    Process (depth 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8146.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C2EA679241A462BAFD749C17AC86DD.TMP"
      - System Location Discovery: System Language Discovery
      PID: 5052
  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp803C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4c184591659cd508490638fce2759a6896c3a7870ae62b251498ee0578784837N.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 4572
Network
MITRE ATT&CK Enterprise v15
Downloads