Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-12-2024 13:39
Static task: static1
Behavioral task: behavioral1
  Sample: 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe
  Resource: win10v2004-20241007-en
General
Target: 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe
Size: 78KB
MD5: 6f54873510773c474fa0f9af709ddb40
SHA1: 404b71810429191229cba8ef1111bac1770cba5e
SHA256: 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3
SHA512: a4b61e9ade76719ca3f6284274daf4a3f952925a2897b6da9b1ad2476ef1abaed82e4b8da32deefac197a4fd830f0c6bc3e93b49081f96c8fd3877b3a2b0f9c2
SSDEEP: 1536:tc58pXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96R9/41Sh:tc58ZSyRxvhTzXPvCbW2Ui9/j
Malware Config
Signatures
MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.

Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe

Deletes itself (1 IoC)
  pid | Process
  680 | tmp75AD.tmp.exe

Executes dropped EXE (1 IoC)
  pid | Process
  680 | tmp75AD.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmp75AD.tmp.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp75AD.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4944 | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe
  Token: SeDebugPrivilege | 680 | tmp75AD.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4944 wrote to memory of 976 | 4944 | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe | 83
  PID 4944 wrote to memory of 976 | 4944 | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe | 83
  PID 4944 wrote to memory of 976 | 4944 | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe | 83
  PID 976 wrote to memory of 1544 | 976 | vbc.exe | 85
  PID 976 wrote to memory of 1544 | 976 | vbc.exe | 85
  PID 976 wrote to memory of 1544 | 976 | vbc.exe | 85
  PID 4944 wrote to memory of 680 | 4944 | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe | 86
  PID 4944 wrote to memory of 680 | 4944 | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe | 86
  PID 4944 wrote to memory of 680 | 4944 | 90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe | 86

Processes
Process tree (indentation shows parent/child depth; the number after each entry is the depth reported by the sandbox):

[depth 1] C:\Users\Admin\AppData\Local\Temp\90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe"
  PID: 4944
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cczkq3jv.cmdline"
    PID: 976
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDACDCD81E05448209547EDE0C5ECE6C0.TMP"
      PID: 1544
      - System Location Discovery: System Language Discovery

  [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp75AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\90b1e08e656267ded360f49684fe1f9f247ee4023c63d1d6916995b2f1c626c3N.exe
    PID: 680
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: b6c5c84019005087594579786d2101d8
SHA1: f8acde5c32be0dc70c6ba6b6c231d0ae750ce6a6
SHA256: 51420896a1287a5ee435b0f05eb18e65254fef2eca84f3e8f2760f906b165563
SHA512: 1de3ad3c96427cfc96272b410a6ab9920d8e6d3aaa153662dbdeadfd5d6ccb2297dedfdc82a042de4f6a8ce93949ff044326ea0db1ce9fc6eef792c7f72ad9c1

Filesize: 14KB
MD5: 92427b2a383a1d6c0583bc6b40ef906a
SHA1: e43c0ab0df5453e6538ef36f8eb5b07fd4a88d80
SHA256: 27d66c797d1c94bc98823aa0bff973485635ced89482295ceb2e5e09bded21bc
SHA512: c64e7908c31d092c153bd1daa37ebdfe11d6a31a804480df23fe6f248dec5eb062427eb791858ad0617d437cbd6820fa08fa4b720979c329e2e2b0e7d0c17381

Filesize: 266B
MD5: 2d155c66f868ecce51bda1077e6a811c
SHA1: 5c6120759bf2be7baf02cb598d0a545ba939b443
SHA256: 076c5f6e89dd60921f1f486f44e1d28c7a02355c61bef3135a9435916c01492a
SHA512: a0d4003f8caf07b9b6be779f78edc68bae39c331ed2d6421a0bb4fbc2769cdd17926da7649b6321d735a1c6475619900ac674af589db2bc2c740a6d7df7c13a2

Filesize: 78KB
MD5: 9b24a68de354eb0aa8bac0c1f5517950
SHA1: 69a2e9935cd1e84d661363fe813a1cbcd5df4e6a
SHA256: e3e4d927353a5cb6f941339ca87e1e2ed3850de3310f605fb1ed532ffb0821bf
SHA512: 47dad6a5da762c4d39cd86437acef2044198460e5b497a1fca94ebe74a0e728eb0753c4a5929128886732f24b66c484d1cb00dd70957ad67e2b5f7e6d9fc3168

Filesize: 660B
MD5: 3e9ebb367f9d9c890116d3f09ddd48be
SHA1: 8e258461d60b018ecd5e1f1cd7004c0ba9905295
SHA256: 1ddeb103afa7964848b1d32921dcb77f4bbc19af8354bc3b7f26772c4526cbcf
SHA512: 88ea20587894addffff732419004e5449cde1abc925f7a603d0ced6189e7d1a1cd38917b303ea82bfaa4b7d7b41acd2fee7d8ff6137a346f2a238482ead591a5

Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c