Analysis
max time kernel: 114s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 02:32
Static task: static1
Behavioral task: behavioral1
  Sample: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  Resource: win10v2004-20241007-en
General
Target: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
Size: 78KB
MD5: c9990768388e8ffdd4f7644aed366fa0
SHA1: 9df1027572a239bdc6c7a05049cb24333a14be30
SHA256: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00c
SHA512: ac6989db1d9c5f2def9e5fe2a8fa040eaac02d7cebc024ad3c11cb0ccfa202d117e6142e4c473966e3652a276b3059fe7239d841b043a3a42042bc5595963214
SSDEEP: 1536:9PWV5jcXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96Z9/Bc16X:9PWV5jESyRxvhTzXPvCbW2Ua9/BF
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
  Process: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
Deletes itself (1 IoC)
  pid: 4772
  Process: tmp920E.tmp.exe
Executes dropped EXE (1 IoC)
  pid: 4772
  Process: tmp920E.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""
  Process: tmp920E.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: vbc.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: cvtres.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: tmp920E.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege
  pid: 1056
  Process: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  description: Token: SeDebugPrivilege
  pid: 4772
  Process: tmp920E.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 1056 wrote to memory of 832
  pid: 1056
  Process: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  procid_target: 82
  (recorded three times)
  description: PID 832 wrote to memory of 4408
  pid: 832
  Process: vbc.exe
  procid_target: 84
  (recorded three times)
  description: PID 1056 wrote to memory of 4772
  pid: 1056
  Process: 66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  procid_target: 85
  (recorded three times)
Processes
C:\Users\Admin\AppData\Local\Temp\66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe"
  PID: 1056
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ql5f52th.cmdline"
      PID: 832
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAC82D9D92FC4B6EBBD2ACD83E8F121D.TMP"
          PID: 4408
          - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tmp920E.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp920E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\66831ac1d830e25614682b8bb307d63a602a98a1db1a433e321256d8d533d00cN.exe
      PID: 4772
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads