Analysis
max time kernel: 139s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 01:25
Static task: static1
Behavioral task: behavioral1
  Sample: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2 (this report)
  Sample: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  Resource: win10v2004-20241007-en
General
Target: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
Size: 78KB
MD5: 2d1040cbb7d90db8d32d9e9d98cfe41c
SHA1: b20f3369032316407495a6e6a032033549417a48
SHA256: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586
SHA512: 29326b444beef438e5923e5c4750e14f71112a43340d340c74bec258e29ce598e4dc20cf93c5a2b893bad940b645e8221df7f9557267013c9e383ac9a68caa90
SSDEEP: 1536:VVe55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd6TS9/D14qU:3e55AtWDDILJLovbicqOq3o+nh9/5U
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  (process: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe)
Executes dropped EXE (1 IoC)
  PID 4252: tmpBE6E.tmp.exe
Uses the VBS compiler for execution (1 TTP)
The binary involved is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (not a VBScript engine); the compile-at-runtime chain vbc.exe -> cvtres.exe, driven by a response file in the user's Temp directory, is visible in the process tree below.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""  (process: tmpBE6E.tmp.exe)
The value name caspol.exe borrows the name of the legitimate .NET Code Access Security Policy tool, while the data launches InstallMembership.exe from the user's Temp directory; the name/target mismatch and the user-writable path are the persistent indicators here, not the value name itself.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: tmpBE6E.tmp.exe)
The reads by vbc.exe and cvtres.exe are Microsoft's own compiler tooling initializing locale data at startup and carry no signal on their own; the reads by the sample and the dropped tmpBE6E.tmp.exe are the ones to weigh alongside the Geo\Nation lookup above.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 4688  6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  Token: SeDebugPrivilege  PID 4252  tmpBE6E.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 4688 wrote to memory of 388    4688  6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe  83  (logged 3 times)
  PID 388 wrote to memory of 3700    388   vbc.exe                                                                   85  (logged 3 times)
  PID 4688 wrote to memory of 4252   4688  6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe  86  (logged 3 times)
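The two registry behaviours recorded above (the Geo\Nation lookup and the Run-key write) are easy to turn into host-side triage logic. The following is an added example, not part of the Triage report and not MetamorpherRAT code: it takes simplified registry-event records (a constructed stand-in for Sysmon Event ID 12/13 data, populated from the IOC rows on this page plus one constructed benign control) and flags a geofence lookup and an autorun entry whose target lives in a user-writable path or whose value name masquerades as a different executable. The technique IDs, path heuristics and the benign OneDrive record are the example's own assumptions.

```python
"""Registry-event triage for the geofence lookup and Run-key persistence
seen in this report. Added example; the record format is a constructed
simplification, not the Triage or Sysmon schema."""
import ntpath
import re

# Constructed from the IOC rows on this page; the third record is a benign
# control (an explorer.exe-set Run value pointing into Program Files).
EVENTS = [
    {"op": "query",
     "key": r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation",
     "value": None, "data": None,
     "process": "6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe"},
    {"op": "set",
     "key": r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "caspol.exe",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\InstallMembership.exe"',
     "process": "tmpBE6E.tmp.exe"},
    {"op": "set",
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "process": "explorer.exe"},
]

# Match on the key tail, never on the SID: the SID is host-specific.
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
RUN_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Locations a standard user can write to; an autorun target here is suspicious.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\|\\Temp\\|^[A-Z]:\\ProgramData\\|^[A-Z]:\\Users\\Public\\",
    re.I)


def first_exe(data):
    """Return the executable path from a Run-value command line,
    whether it is quoted ("C:\\x y\\a.exe" args) or bare (C:\\x\\a.exe args)."""
    if not data:
        return ""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)) if m else ""


def triage(events):
    """Return (technique, reason, process) findings for the events."""
    findings = []
    for ev in events:
        if ev["op"] == "query" and GEO_RE.search(ev["key"]):
            findings.append(("T1614", "geofence lookup of Geo\\Nation", ev["process"]))
        if ev["op"] == "set" and RUN_RE.search(ev["key"]):
            target = first_exe(ev["data"])
            base = ntpath.basename(target)
            reasons = []
            if USER_WRITABLE.search(target):
                reasons.append("autorun target in user-writable path")
            # A value name that looks like an executable but launches a
            # different binary (caspol.exe -> InstallMembership.exe) is a
            # cheap masquerade on a real tool name.
            if ev["value"] and ev["value"].lower().endswith(".exe") \
                    and ev["value"].lower() != base.lower():
                reasons.append(f"value name {ev['value']!r} != target {base!r}")
            if reasons:
                findings.append(("T1547.001", "; ".join(reasons), ev["process"]))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

The benign control produces no finding because its target is under Program Files and its value name is not an executable name; the masquerade check is deliberately limited to value names ending in .exe, since ordinary Run values (OneDrive, Discord, ...) rarely match their binary's basename.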
Processes
C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe"
  PID: 4688
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (child of PID 4688)
    Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ur9y8j5x.cmdline"
    PID: 388
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (child of PID 388)
      Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84522D4648A242E1ADC6617176721C8C.TMP"
      PID: 3700
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe  (child of PID 4688)
    Command: "C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe
    PID: 4252
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
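The process tree shows the two chains worth alerting on: a .NET compiler launched by a non-developer parent with a response file under Temp (compile-after-delivery), and a dropped tmp*.tmp.exe run from Temp with the dropper's own path as its argument. The following is an added example, not part of the Triage report and not code from the sample: it takes simplified process-creation records (a constructed stand-in for Sysmon Event ID 1 / Security 4688 data, populated from the tree above plus a constructed MSBuild control) and returns alerts for those two chains. The parent allow-list, the tmp-name pattern and the MSBuild record are the example's own assumptions.

```python
"""Process-tree triage for the compile-at-runtime chain and the dropped
payload hand-off shown in this report. Added example; records are a
constructed simplification of process-creation events."""
import ntpath
import re

# Constructed from the process tree on this page. The last two records are a
# benign control: MSBuild invoking the same compiler with a response file
# under a project tree.
PROCS = [
    {"pid": 4688, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe"'},
    {"pid": 388, "ppid": 4688,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ur9y8j5x.cmdline"'},
    {"pid": 3700, "ppid": 388,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84522D4648A242E1ADC6617176721C8C.TMP"'},
    {"pid": 4252, "ppid": 4688,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmpBE6E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be68aa963e0002cf776c791b2fb5386c81d5c2d0f074b6688759bab02461586.exe'},
    {"pid": 900, "ppid": 0, "image": r"C:\Program Files\dotnet\MSBuild.exe", "cmdline": "MSBuild.exe"},
    {"pid": 901, "ppid": 900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\src\app\obj\Debug\app.vbproj.rsp"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}          # .NET Framework command-line compilers
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # assumed legitimate parents
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
RSP_RE = re.compile(r'@"?([^"\s]+\.(?:cmdline|rsp|tmp))"?', re.I)   # @response-file argument
DROPPED_RE = re.compile(r"tmp[0-9a-f]{4}\.tmp\.exe")                 # GetTempFileName-style name


def triage(procs):
    """Return (label, reason, pid) alerts for the records."""
    by_pid = {p["pid"]: p for p in procs}
    alerts = []
    for p in procs:
        name = ntpath.basename(p["image"]).lower()
        parent = by_pid.get(p["ppid"])
        pimage = parent["image"] if parent else ""
        pname = ntpath.basename(pimage).lower()
        if name in COMPILERS and pname not in DEV_PARENTS:
            m = RSP_RE.search(p["cmdline"])
            rsp = m.group(1) if m else ""
            # CodeDOM-style runtime compilation: compiler fed a response file
            # from Temp, or launched by something that itself runs from Temp.
            if TEMP_RE.search(rsp) or TEMP_RE.search(pimage):
                alerts.append(("T1027.004",
                               f"{pname} spawned {name} with response file {rsp}", p["pid"]))
        if TEMP_RE.search(p["image"]) and DROPPED_RE.fullmatch(name):
            # Dropped payload; note whether its argument is the dropper's own
            # path, the hand-off seen in the tree above.
            arg = p["cmdline"].split('"')[-1].strip() if p["cmdline"].startswith('"') else ""
            note = ("argument is parent image path"
                    if parent and arg.lower() == pimage.lower() else "no parent-path argument")
            alerts.append(("dropped-exe", f"{pname} executed dropped {name}; {note}", p["pid"]))
    return alerts


if __name__ == "__main__":
    for a in triage(PROCS):
        print(a)
```

cvtres.exe under the compiler is not alerted on by itself: it is the resource converter the compiler always invokes, so it is context for the vbc.exe alert rather than a separate signal. The MSBuild control stays silent because its parent is on the allow-list and its response file is not under Temp.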
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: baf53dbd9c9d4ce652b1b7e4a04e6a28
SHA1: 734a34831072282124f4be744ecbdcc270f95e30
SHA256: 9d9a533508b70ea5b10373b0810ce1025266725dfa218bd2750dfd83348cc635
SHA512: 2ea97e27eb119a2c42bb05e45d70eb5424682e57b3f5526f4be417211a0cb4ed5949f3eca199770ec3eb9fe1843af643d307a03c0ec5b4c4fda1da1b84392155

Filesize: 78KB (same size as the submitted sample, different hashes)
MD5: c51bafbc563198fb5daef5e5e03f4405
SHA1: 0e503c75ced2b99201f2344e217a726156dbe4c4
SHA256: 29c2a1d1eedf8e3f7f2e100a9ca2d981d5324c6036391d6982fad5dd950a82c2
SHA512: 810304df87f3c0415d855378d1f2f439f559400bc1d4cfb6cabc33a1c016eb9af48a0d04edac07bbd7761afcd9108f5e906cf3ae87aa077ecddf75018e8a1f5c

Filesize: 14KB
MD5: b547b27022a404415f950bb1e93fe6ce
SHA1: 037ee2d35625285ebc33e0043fefcad2c87b10d4
SHA256: b36689f50ab08e7f8f8f3be8444634909e4394e81f64f6224538aba9d6831254
SHA512: 068b27e2e2e653a5b87d98dc655a968d1508bcf7cbeff5e3196b678a3e4d7a9a4cb9656c29b5cddb9a10fb90670b0b9d57779cde3c52d5745db0384e8b82f8e1

Filesize: 266B
MD5: 745ede96d8603a6eeb61841d214a655d
SHA1: 8823de894364d629834ea37d5b126340150374e9
SHA256: bfe6a64f6d444d8465cc71888e47b7799acf17e01fd7bc2bf9678a635331646a
SHA512: d9182c3b27d588cb6c2dfc6494a95150eba01831dfa21f7310da554bd0dd1cf82e14c9420dea3f8ddca2c173c47296617a9a94e56dbc74858f381b6a92857ee0

Filesize: 660B
MD5: c589af1511ddb4d83a64f4ab4975b502
SHA1: b0aabf9afc028654eccd9f8e4872a90a4c56c991
SHA256: 2f3cefae35fb5c56322ce521ce09668e31ef942bebb45dee337962fe357479b6
SHA512: 938ceb5e82f1e23f81577910b1f4b8f694179bf67ee8a586e25d502ef78a532a6a6ffd5f351dc5c571b55c52de680bc43f10fa65312caf92b14d52afdace7fe8

Filesize: 62KB
MD5: a26b0f78faa3881bb6307a944b096e91
SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c