Analysis
- max time kernel: 120s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2024 02:27
Static task: static1
Behavioral task: behavioral1
- Sample: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
- Resource: win10v2004-20241007-en
General
- Target: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
- Size: 78KB
- MD5: 35419f1ef04bb0f1b76f9b96f3f8ce10
- SHA1: 1557d4d09d9f56d81035a65b331189b845dc81c1
- SHA256: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712
- SHA512: 90300c711954f902017af6252dd4d77c4a73b2cbcb472b3eff5508d86b3ef81636493ac860ad5f0323c9e29b0f806d62b815be658c73f16ca4f95810bfdcdbeb
- SSDEEP: 1536:VHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtz9/l1QXF:VHF8hASyRxvhTzXPvCbW2Uz9/4V
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
  Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
- Deletes itself (1 IoC)
  pid: 3508, Process: tmpADC4.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 3508, Process: tmpADC4.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  Process: tmpADC4.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: vbc.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cvtres.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: tmpADC4.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 1940, Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
  description: Token: SeDebugPrivilege, pid: 3508, Process: tmpADC4.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1940 wrote to memory of 1316 (Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe, procid_target: 82)
  PID 1940 wrote to memory of 1316 (Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe, procid_target: 82)
  PID 1940 wrote to memory of 1316 (Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe, procid_target: 82)
  PID 1316 wrote to memory of 2872 (Process: vbc.exe, procid_target: 84)
  PID 1316 wrote to memory of 2872 (Process: vbc.exe, procid_target: 84)
  PID 1316 wrote to memory of 2872 (Process: vbc.exe, procid_target: 84)
  PID 1940 wrote to memory of 3508 (Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe, procid_target: 85)
  PID 1940 wrote to memory of 3508 (Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe, procid_target: 85)
  PID 1940 wrote to memory of 3508 (Process: baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe, procid_target: 85)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe"
  Signatures:
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1940
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aluwlsl4.cmdline"
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1316
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDC3B4C6B7EB40F9B83BC57A61991025.TMP"
      Signatures:
      - System Location Discovery: System Language Discovery
      PID: 2872
  - [2] C:\Users\Admin\AppData\Local\Temp\tmpADC4.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpADC4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\baaf54b05f102a10e3dd0e44c11c988fc97cc5e796ca631378b7e4f25715e712N.exe
    Signatures:
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3508
Network
MITRE ATT&CK Enterprise v15
Downloads