Analysis
max time kernel: 108s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 02:48
Static task: static1
Behavioral task: behavioral1
Sample: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe
Resource: win10v2004-20241007-en
General
Target: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe
Size: 78KB
MD5: f01493130fc29ea00bc976e35c891050
SHA1: 6edea3aef78ecfcce22d07cd19d7d297330bdfc2
SHA256: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012ea
SHA512: 732beb8a103b500697defb19ce11c5dbb836295ea0a50811ef0a63b0c5b024f7151aa479b4943261394024a9fc3c61efb68115f00815e0d1c7920ce82278ec08
SSDEEP: 1536:jPy58wXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6O9/h1jn:jPy58oSyRxvY3md+dWWZyp9/P
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe)
- Deletes itself (1 IoC)
  PID 3956, process: tmp8750.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 3956, process: tmp8750.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" (process: tmp8750.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmp8750.tmp.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4860, process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe
  Token: SeDebugPrivilege, PID 3956, process: tmp8750.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4860 wrote to memory of 4428 (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe, procid_target: 85)
  PID 4860 wrote to memory of 4428 (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe, procid_target: 85)
  PID 4860 wrote to memory of 4428 (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe, procid_target: 85)
  PID 4428 wrote to memory of 2708 (process: vbc.exe, procid_target: 87)
  PID 4428 wrote to memory of 2708 (process: vbc.exe, procid_target: 87)
  PID 4428 wrote to memory of 2708 (process: vbc.exe, procid_target: 87)
  PID 4860 wrote to memory of 3956 (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe, procid_target: 88)
  PID 4860 wrote to memory of 3956 (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe, procid_target: 88)
  PID 4860 wrote to memory of 3956 (process: 7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe, procid_target: 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe"
  PID: 4860
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xghpwf4p.cmdline"
    PID: 4428
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3513E9492C7F46C3A5CE6B3E614FF6D3.TMP"
      PID: 2708
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8750.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7243e77b0a9d256e70c2a857d02345f77082c37c565a150763953195951012eaN.exe
    PID: 3956
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads