Analysis
max time kernel
102s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
06-12-2024 01:34
Static task
static1
Behavioral task
behavioral1
Sample
24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
Resource
win10v2004-20241007-en
General
Target
24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
Size
78KB
MD5
8a912d38b039ec348364f11af3af84fa
SHA1
cc7b234633b2b3e0473fdd3ab34cc942e601f7bd
SHA256
24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b
SHA512
e376b43328c8b45b5ad76e43d690d05bce7c69cf2af0a728544cf09093f3290c4fd3c86ae0e2293b63d5660458bd8ec3e28884030e56a48652f8f4125e576d38
SSDEEP
1536:SCHHM3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtdx9/Q1dvN:SCHs3xSyRxvY3md+dWWZyj9/cN
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
Executes dropped EXE (1 IoC)
pid | Process
2192 | tmpC3BD.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmpC3BD.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC3BD.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3212 | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
Token: SeDebugPrivilege | 2192 | tmpC3BD.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3212 wrote to memory of 4320 | 3212 | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe | 85
PID 3212 wrote to memory of 4320 | 3212 | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe | 85
PID 3212 wrote to memory of 4320 | 3212 | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe | 85
PID 4320 wrote to memory of 1728 | 4320 | vbc.exe | 87
PID 4320 wrote to memory of 1728 | 4320 | vbc.exe | 87
PID 4320 wrote to memory of 1728 | 4320 | vbc.exe | 87
PID 3212 wrote to memory of 2192 | 3212 | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe | 88
PID 3212 wrote to memory of 2192 | 3212 | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe | 88
PID 3212 wrote to memory of 2192 | 3212 | 24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 3212
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ufhk1ipq.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4320
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDD93C5EA7E246E69E968F166BADF865.TMP"
         - System Location Discovery: System Language Discovery
         PID: 1728
   2. C:\Users\Admin\AppData\Local\Temp\tmpC3BD.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC3BD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\24780a3789bdc0a7401467c175b95ef549f6b4de45dd6ad3d80626f62b91524b.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2192
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
fa2d554a4a8effeabbd04dc5aa469fd5
SHA1
3fc2a166af9b34c36566a1dcc8ee6bd4f93bd165
SHA256
0065a10ee27c60226cfb308a0e8dbaa9a78aca481280daad97147a55675e4603
SHA512
ee63b43e22b54ce63ea1ed86a5ef21776ef04248c7371df1f8bd5a04a542151a3dd0b35419d2cd1789993b5b5f9b05340347c4093e14ed12896b41d92e9cc286

Filesize
78KB
MD5
d69837a1e57a32c959db3edff89a17db
SHA1
b473a2a58762a339e802ac5f83a15177ed1e1da2
SHA256
4bfd54a9fbaf968d321199f36ad7f85b60d451a18061e416ae0b4258e9e6b154
SHA512
f05ddfba682dc66d1256282685b7a88ad17f28738cf042c4869ba7ee28561c8e8412382031f09ba1ac859795a1305617abe9aab777b8ba530cf87693b30b1b80

Filesize
15KB
MD5
944d8379ae55f43d6a8434d4c2b48c75
SHA1
0e36597838d07274a28fb05574b643d08f7646c2
SHA256
80a61b6fc15409612bf5425cfaad59407e64f4f1cfcfdf9ab46140417068a084
SHA512
b680707ec45916e63068d18e30cfe4151d4442505d23e3bdddbd7235820efbb47bec03084b98ff16a91c16689804fa6d218811f5035ce2f300f6a76cc757e6ae

Filesize
266B
MD5
bb5c194de1b079bff9e63d1982bcf40c
SHA1
fee4563669d024c29714aa729617d535bc610467
SHA256
1e52b60cb983a3e1e66eec58ee8a1550d74c22c340ea0cf09fa280004bc88014
SHA512
c9eb4a26df6977fa926841a14ddef40b0bbc3983eb886e99abe9be31a68ca28440823b92e72411442645173be4dbdae4c675c95f38e39b2c1ed09b6aafc7ab40

Filesize
660B
MD5
3991a1285982ca217a83a2934954348a
SHA1
709c3d41e9130f37866081b2a89e9f486aa0e1da
SHA256
9952782ca855c2b184b847e96352cde6cc22958e9ba42d40091c444ae5e6172a
SHA512
185dc76bc13ddbb5564f6c5eecce041a41b0a95b2cf3f86021df447b2b50745dc24b41b6996da1de345b89e748267c604632f5326fb5164a1238c7a46746260e

Filesize
62KB
MD5
4f0e8cf79edb6cd381474b21cabfdf4a
SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107