Analysis
max time kernel: 117s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2024 00:29
Static task: static1
Behavioral task: behavioral1
Sample: d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
Resource: win10v2004-20241007-en
General
Target: d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
Size: 78KB
MD5: 92e31cdf5b80c13dd2ce3eb15a26e140
SHA1: 6fc45160397fded95b5a6b989013cf42d28cc4bf
SHA256: d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5a
SHA512: d98bca07a3792308fa3eb433ae664cd80559f28c815b2d2b6f80c6677c07cac0621624e43cbe8cc58b31243a0772cc1e431041bb337c0093b8b9d16aef77964e
SSDEEP: 1536:7Py58eXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN629/m1YB:7Py58WSyRxvhTzXPvCbW2UZ9/X
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Process: d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe

Deletes itself (1 IoC)
pid: 4920
Process: tmp88F6.tmp.exe

Executes dropped EXE (1 IoC)
pid: 4920
Process: tmp88F6.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
Process: tmp88F6.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: vbc.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: cvtres.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: tmp88F6.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description: Token: SeDebugPrivilege
pid: 4768
Process: d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
description: Token: SeDebugPrivilege
pid: 4920
Process: tmp88F6.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4768 wrote to memory of 3892 | 4768 | d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe | 82
PID 4768 wrote to memory of 3892 | 4768 | d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe | 82
PID 4768 wrote to memory of 3892 | 4768 | d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe | 82
PID 3892 wrote to memory of 5056 | 3892 | vbc.exe | 84
PID 3892 wrote to memory of 5056 | 3892 | vbc.exe | 84
PID 3892 wrote to memory of 5056 | 3892 | vbc.exe | 84
PID 4768 wrote to memory of 4920 | 4768 | d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe | 85
PID 4768 wrote to memory of 4920 | 4768 | d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe | 85
PID 4768 wrote to memory of 4920 | 4768 | d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4768

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, parent PID 4768)
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jtcmnksc.cmdline"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3892

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3, parent PID 3892)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A7D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12A917AAEC674067909ECBB8DA8F581A.TMP"
    - System Location Discovery: System Language Discovery
    PID: 5056

  C:\Users\Admin\AppData\Local\Temp\tmp88F6.tmp.exe (depth 2, parent PID 4768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp88F6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d9aa41b41a2ee065685cafbb1843a4d97f08352a8199009657b88d6007535b5aN.exe
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 4920
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 993e4b759f0fb2e5d33627f47cb35dbe
SHA1: 320f0f80805569e8fbcf29e3fb7b0d4051f2416b
SHA256: 097b57726aff91f65ef691a816a3e61eb698d83dc6d3a0f18f8ef3fa1deb3d65
SHA512: 31904fe8eaa22eec2f916e526402f866cf1bf4f0f34ab81eb043c8a2d9755278e23087ca7d5688b669e6ed62aac2f88baf46680a54d46ec87cb0e34c3db946ae

Filesize: 14KB
MD5: 0b4a6dfe39b9ffa83ac045e4467ffc96
SHA1: 747f4533c3d3658b868396c2456d8649833bffb8
SHA256: 5e4f4bf47ffeed1707af15e32fc907f0bde17887677b860e5adb9b8cdeee7b5a
SHA512: 0b8e26564c72aa587ec3157d2efcf1aa9778fcda332e7dc22d0c58cce9b8ee6b8fb357d72f4d8560f657dce28513fd1d5c2a932610fb4d28e0e90a8086a5b317

Filesize: 266B
MD5: ca688f737483faba8d77403cdecb6e61
SHA1: 70c96bae08c429ccfd5576a8e42828bd14a2d3d6
SHA256: a695c60947451c7a3d53294ebf064378c2955904971ba03c0a067b2952c05aac
SHA512: 165c98efbfe95ee07ccd40b903b336b6fd5df8aeabc41538429483b39da0513b3c375acf6b80256d2b3e2ee2998b85536c04bee961cad898ee8ddcab891320ae

Filesize: 78KB
MD5: 3f0c5771a1c4e6fadd36f0a495935477
SHA1: 6e04684d0c8acb79e2b51f034205f8149cb1bc95
SHA256: db571ecd37c4b391bee9c17031910f0503fef3c6b65d3e50cdbe8426213ad150
SHA512: 9c8ac720b69588a173f1f20db1579b827aa92f17ad8e26938ab9df3e93763c00b3db9cd7aedd88ca8fa02f68079dc5f96fdc301857c5287e360f79c1e2e2c460

Filesize: 660B
MD5: d7abf01b039a3ae9062f6bf1466ee2d7
SHA1: b4d65cb4cca25e649de4b1d35a371ce58f034189
SHA256: e0e8c5f8d3aa1650ec1bcd0e3d90443761d9ac9f506c21a0450ffcb05d0ee0a6
SHA512: 1dbd4c615719afb62ab1bdf88d834e8f0b9644b7a0c74cdd992c3931183986b38b994af26c9f694af4d8ccb44048d61173aa70ee8ead0ce44062392ca6f0a29a

Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c