Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2024 17:39
Static task: static1
Behavioral task: behavioral1
Sample: 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Resource: win10v2004-20241007-en
General
Target: 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Size: 78KB
MD5: 54238da5a72ed01d7db296cf40b3340e
SHA1: fc6b5244a5d5dcdde315e875a85a905aacf07d32
SHA256: 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201
SHA512: 243750bc65586b57dc0c5fba7111f407f0ecbad4192539f6b800e1f396f9eacde398a9c5c2aa73ba1291cfb604de74deb4e16405eeedacb88be613d490cb3dbd
SSDEEP: 1536:aCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtG9/cc1o3x:aCHF8h/l0Y9MDYrm7G9/sx
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Executes dropped EXE (1 IoC)
pid | Process
4268 | tmp96D1.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" | tmp96D1.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp96D1.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1264 | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Token: SeDebugPrivilege | 4268 | tmp96D1.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1264 wrote to memory of 4524 | 1264 | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe | 82
PID 1264 wrote to memory of 4524 | 1264 | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe | 82
PID 1264 wrote to memory of 4524 | 1264 | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe | 82
PID 4524 wrote to memory of 2420 | 4524 | vbc.exe | 84
PID 4524 wrote to memory of 2420 | 4524 | vbc.exe | 84
PID 4524 wrote to memory of 2420 | 4524 | vbc.exe | 84
PID 1264 wrote to memory of 4268 | 1264 | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe | 85
PID 1264 wrote to memory of 4268 | 1264 | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe | 85
PID 1264 wrote to memory of 4268 | 1264 | 88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1264
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pels8r9i.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4524
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9933.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc62943426FC544D6EA7C712448D8D53F2.TMP"
         - System Location Discovery: System Language Discovery
         PID: 2420
   2. C:\Users\Admin\AppData\Local\Temp\tmp96D1.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp96D1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4268
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 6955d70f36648543d781b3fe5e66c34c
SHA1: edffdf5a3b8f4fd66d7c10f7f46def301e746711
SHA256: 95dea128df4a50d5449d1865065e7521a3d728bfff0c6a8e6bbbfa9c7bb41a54
SHA512: cbf289aed215110b4ba0a8b53c1bac21a925d0dc5e2459fc7d2a3407bfebcf2b9a5fd0dab5ab5a1078789c60fa810c15869c7213d21e5691e57ec12260b8eaab

Filesize: 15KB
MD5: 0eab769cc0bf4532101d3f10c5848947
SHA1: e1ff1d4701cfc789e9513b80e19923909ee4eaaa
SHA256: cd660565504bba980dd1661dc33ac69d20026a1ee61cc139d04eaa33ced6ee19
SHA512: 989eaeb9e26d938069f488a4bf542aa93c58712d877729b8a78f8c8b424e5ce3d5b768f2dd0e53e6772af75363b239bcb7c1e1062fcd760f712666fe63938340

Filesize: 266B
MD5: c04cedd3077e819965c975958d46372c
SHA1: 59109e9a3210753beda93e98f640e7d37c03ff75
SHA256: 1cf7b96a6d9fa9ff6e146338f67fc086f63df5394f7704e304d12d9230fae925
SHA512: dba68917496fda7bc9ad3f04652b7b6fbd2108f3ef85edca0644639329d00eada4ba3264af0ea69881685456686e827bc9be95bf5754ca6cafd7127eb735c75f

Filesize: 78KB
MD5: 3afb32811521add4fe73cc982d072ee2
SHA1: 2a6eda3034906f2bd9250e87533f69440d64d5cf
SHA256: b30cd2eb55219beaefef3faad646345e03ba99a40b58b55b333fb7c6e943c8ac
SHA512: b11de0a9255a6655a261ffa31b4886b1715fb193e1891fd5adc5799befdafb796d8607bce8ab4d405f6cbea956a3ef379f8acb9f7ac82b03fdcd878e9f697dc0

Filesize: 660B
MD5: 0f4670cec95e4c669d62288ee8d220a3
SHA1: a7d44c558bc70c9e4503798a78bd6b11d3966311
SHA256: 590279cfc3b827989147376dbdb19324d2320b9f872dc6e15c2000e53eb0d120
SHA512: 0af07aaed63a4045ef88e720862e98c0ac4a6f66a4a42dcaaab75010277695aef6f862342580afe183833cf9abb98d7bbc4ba2c3038c1ae630af063f8be8c60c

Filesize: 62KB
MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d