Analysis
max time kernel: 103s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 02:39
Static task: static1
Behavioral task: behavioral1
  Sample: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
  Resource: win10v2004-20241007-en
General
Target: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
Size: 78KB
MD5: 01658283871862263343db8c80526e20
SHA1: 7304d9cf47d70ccd9a54892e53205ce8ed86d33e
SHA256: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a
SHA512: 3b62bd87ffd3910484728d3e21f2c7d759b823b0575ff9773ab33010581617e38646d3ce1733d4f7be80a26d7c72483720e86961803431364ad97a53f2693e66
SSDEEP: 1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+A:UPy5jS6l0Y9MDYrm7f9/qXA
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe)
Deletes itself (1 IoC)
  PID 116: tmp7474.tmp.exe

Executes dropped EXE (1 IoC)
  PID 116: tmp7474.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" (process: tmp7474.tmp.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp7474.tmp.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 552 (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe)
  Token: SeDebugPrivilege, PID 116 (process: tmp7474.tmp.exe)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 552 wrote to memory of 1052 (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe, target procid 82)
  PID 552 wrote to memory of 1052 (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe, target procid 82)
  PID 552 wrote to memory of 1052 (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe, target procid 82)
  PID 1052 wrote to memory of 4072 (process: vbc.exe, target procid 84)
  PID 1052 wrote to memory of 4072 (process: vbc.exe, target procid 84)
  PID 1052 wrote to memory of 4072 (process: vbc.exe, target procid 84)
  PID 552 wrote to memory of 116 (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe, target procid 85)
  PID 552 wrote to memory of 116 (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe, target procid 85)
  PID 552 wrote to memory of 116 (process: 4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe, target procid 85)
Processes

C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe (PID 552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1052, child of 552)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7zgvjfts.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4072, child of 1052)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4947623C831E445F90404EA5607560DD.TMP"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp7474.tmp.exe (PID 116, child of 552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7474.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4827e34eeab28b1a411dba762296ffe236e9bd5f256443902037c0bbaa20fc9a.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads