Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2024 03:03
Static task
static1
Behavioral task
behavioral1
Sample
01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
Resource
win10v2004-20241007-en
General
Target: 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
Size: 78KB
MD5: 667d8b4cf55d8d417133c482d5c12860
SHA1: 3388e21f716a6f84f7f4bd6f49416d5e135a674a
SHA256: 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3c
SHA512: fa9f6fc65101dca760ea21a63abd94b0158654d939c1e833c6b44acf4d2e31ae8c4ffe67a27395b93ccdeeb8d17f62dc2d552f1d91b2e8eecb271f95afb3c927
SSDEEP: 1536:nRWtHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLM9/R4X:nRWtHFbdSE2EwR4uY41HyvYLM9/u
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe

Deletes itself (1 IoCs)
pid | Process
392 | tmpADD4.tmp.exe

Executes dropped EXE (1 IoCs)
pid | Process
392 | tmpADD4.tmp.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmpADD4.tmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpADD4.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1864 | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
Token: SeDebugPrivilege | 392 | tmpADD4.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1864 wrote to memory of 1228 | 1864 | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe | 83
PID 1864 wrote to memory of 1228 | 1864 | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe | 83
PID 1864 wrote to memory of 1228 | 1864 | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe | 83
PID 1228 wrote to memory of 3768 | 1228 | vbc.exe | 85
PID 1228 wrote to memory of 3768 | 1228 | vbc.exe | 85
PID 1228 wrote to memory of 3768 | 1228 | vbc.exe | 85
PID 1864 wrote to memory of 392 | 1864 | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe | 86
PID 1864 wrote to memory of 392 | 1864 | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe | 86
PID 1864 wrote to memory of 392 | 1864 | 01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe | 86
Processes

C:\Users\Admin\AppData\Local\Temp\01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1864

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9ilksish.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1228

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB006.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97F0989BA33246FBBA70636DDBA49146.TMP"
      - System Location Discovery: System Language Discovery
      PID: 3768

  C:\Users\Admin\AppData\Local\Temp\tmpADD4.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpADD4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\01b551c4acceda6651f2c8f21a618fa57c6acd3342c33be303b2d28cfba9af3cN.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 392
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: 16c73864f1b0468cfbecc145720298aa
SHA1: 692abc27ec1cd2e0d0fe92a3cf8d8eaf0470203c
SHA256: f4f2a0f067a1938d314289e72b6a237dc9d4c2933730d75f5a527364210c71a4
SHA512: bb7baae7a2b06d10b81a98d1557e6bc7e0ec8f1e5a06016a07848565ff3fe77e9d42332609759ddf17346a2cf826f1934b560c74d278204651afc3c7eae6c259

Filesize: 266B
MD5: ec7d66632bf91508e52045ff98efc08c
SHA1: 097a820fc29d1e5a8c9aa0b84333cf16c8e933a0
SHA256: 6bd86a6e6d091f6e0a4a29638375417faee7ddda83e0ca2b18161fa150ac8bb7
SHA512: 501ca26a2a175a2d0ec979780925f38bbb68c7e30fd0689208cb69d4f1b869be2e0d922dbd4db7766f248c408a561eb534e9040776864c6be0d2f5310512c648

Filesize: 1KB
MD5: 29aa796892daf146178824cc971bf8b8
SHA1: c1b8b5f54e1253fc63dd074745d947808b210492
SHA256: 0932e52d905ab7c779e1d2701a306477173ec0c4e4b8a61dea905e0d5b513f9b
SHA512: 36bfcf133a4561dbab0dfa2800aead3821c61069cf098bafc026356ee94c8c2df5ad3acd52159bcdaf0b764c6f2bedaabade79ae677d88129c51f49c8ba668ef

Filesize: 78KB
MD5: f262531e8992769d61de9fb44adacb51
SHA1: b7ff49c28a7e8183ac6b18041b0e3ef8175be49d
SHA256: dc3ac93708ed5e518117546421424160720c72487bd083cda3b0a2d022859cb8
SHA512: b8f875ed58f2a25cc8b974ed2cfe2441b97f895c0e65ff5d130a70d5128479e2a174584a0462c91462b69d527fa2cf9fb974ba2fd287fc65a81d5e42886b75ea

Filesize: 660B
MD5: 3b36ca3e03532bfe69928abb84b0c805
SHA1: 4e23c5883dd1604ec25e2df7e96589d0d0a53b14
SHA256: 44d92d3a5dbb0f4e5a91fc39e37537bcf9d632d6c3295d3f27f101391ef34cc8
SHA512: 7ee1a4f85f3d2ae781c6caafa5b2100adcf0912a991a096238cd4eb00f2f0265a8f380377ae3733f83e1fdf1f3630e92a9cfbb8d63dfd57b84e40d2f07271be3

Filesize: 62KB
MD5: 6870a276e0bed6dd5394d178156ebad0
SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809