Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-12-2024 13:59

Static task
- static1

Behavioral task behavioral1
- Sample: 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
- Resource: win7-20241010-en

Behavioral task behavioral2
- Sample: 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
- Resource: win10v2004-20241007-en

General
- Target: 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
- Size: 78KB
- MD5: 197c0bad190134f5a490c9c2a8693ae5
- SHA1: 51772c9dbc86bdb98944649dda3731d0a4e62156
- SHA256: 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17
- SHA512: 493ef8a5ba7166c0fd906b99bdc0ec87c58ba29ae027c437feafcaf05c3ca6d846a5fb5bb0c4fa147f5950311d52429e984b8a320dc47c93684f0f0368a1c6ae
- SSDEEP: 1536:UPy5jS6vZv0kH9gDDtWzYCnJPeoYrGQt96g9/qT1y+g:UPy5jS6l0Y9MDYrm7f9/qXg
Malware Config
Signatures
- MetamorpherRAT (Metamorpherrat family)
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation, by 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
- Deletes itself (1 IoC)
  PID 3148, tmpAF4B.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 3148, tmpAF4B.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
  The compiler involved is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (not the VBScript engine); it is invoked with a response file from the user's Temp directory, see the process tree below.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "C:\Users\Admin\AppData\Local\Temp\Microsoft.CSharp.exe" (value data includes the surrounding quotes), by tmpAF4B.tmp.exe
  Both the value name (peverify) and the file name (Microsoft.CSharp.exe) borrow the names of legitimate .NET Framework components, so neither stands out on a casual read of the Run key.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by tmpAF4B.tmp.exe, 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe, vbc.exe and cvtres.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 4128 38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe; PID 3148 tmpAF4B.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Each write is recorded three times; the distinct source/target pairs are:
  PID 4128 (38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe) wrote to memory of PID 3484 (vbc.exe), procid_target 82
  PID 3484 (vbc.exe) wrote to memory of PID 2784 (cvtres.exe), procid_target 84
  PID 4128 (38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe) wrote to memory of PID 3148 (tmpAF4B.tmp.exe), procid_target 85
  In every case the target is a child the writing process itself spawned (see the process tree), which is consistent with ordinary process creation rather than injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe (PID 4128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3484)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iir6tnjw.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2784)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB026.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CE6CC56A09F47728FC28FA32B37141.TMP"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp.exe (PID 3148)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe
    Signatures: Deletes itself; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
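The process tree and registry rows above are exactly the telemetry a detection engineer would key on: a .NET compiler launched with a response file in a user's Temp directory, a dropped Temp executable handed the original's path so the original can delete itself, a Run key pointing into Temp, and a read of the configured country. The following is an added example, not part of the Triage report and not code from the sample's authors: a small Python detector over constructed events that mirror this report's rows (plus one benign developer build as a control). The event schema, field names and rule names are assumptions chosen for the example; map them to your own Sysmon, EDR or sandbox output.

```python
"""Detection rules for the behaviours this report flags, run over constructed events.

Added example; the Event schema is an assumed, simplified one and the events
below are constructed from the report's rows, not real telemetry.
"""
import re
from dataclasses import dataclass

# Managed-code compilers that a non-developer process has no business spawning.
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}

USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


@dataclass
class Event:
    kind: str               # "process", "reg_set" or "reg_query" (assumed schema)
    pid: int
    image: str              # image path of the acting process
    cmdline: str = ""       # process events only
    parent_image: str = ""  # process events only
    key: str = ""           # registry events: key path (incl. value name for reg_set)
    data: str = ""          # reg_set: data written


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        if e.kind == "process":
            name = basename(e.image)
            # 1. vbc.exe/csc.exe driven by a response file in a user Temp dir:
            #    compile-at-runtime, as in this report's vbc.exe row.
            if (name in DOTNET_COMPILERS and RESPONSE_FILE.search(e.cmdline)
                    and USER_TEMP.search(e.cmdline)):
                findings.append(("runtime_compile", e.pid,
                                 f"{basename(e.parent_image)} -> {name} {e.cmdline}"))
            # 2. A Temp executable launched with its parent's own image path on the
            #    command line: the hand-off that precedes the parent deleting itself
            #    (heuristic; matches the tmpAF4B.tmp.exe row).
            if (USER_TEMP.search(e.image) and e.parent_image
                    and e.parent_image.lower() != e.image.lower()
                    and e.parent_image.lower() in e.cmdline.lower()):
                findings.append(("self_replace_handoff", e.pid,
                                 f"{basename(e.parent_image)} -> {name}"))
        elif e.kind == "reg_set":
            # 3. Run-key persistence whose target lives in a user Temp directory.
            if RUN_KEY.search(e.key) and USER_TEMP.search(e.data):
                findings.append(("run_key_to_temp", e.pid, f"{e.key} = {e.data}"))
        elif e.kind == "reg_query":
            # 4. Reading the configured country: the geofence check the report flags.
            if GEO_NATION.search(e.key):
                findings.append(("geofence_check", e.pid, e.key))
    return findings


# Constructed events mirroring the report (paths and PIDs taken from its rows).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\38d1e61855767b0e32333d29b1a5795ba56366436b416fbd52860290b328fb17.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmpAF4B.tmp.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000"

CONSTRUCTED_EVENTS = [
    Event("reg_query", 4128, SAMPLE, key=HKU + r"\Control Panel\International\Geo\Nation"),
    Event("process", 3484, VBC, parent_image=SAMPLE,
          cmdline=f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\iir6tnjw.cmdline"'),
    Event("process", 3148, DROPPED, parent_image=SAMPLE, cmdline=f'"{DROPPED}" {SAMPLE}'),
    Event("reg_set", 3148, DROPPED,
          key=HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify",
          data=r"C:\Users\Admin\AppData\Local\Temp\Microsoft.CSharp.exe"),
    # Benign control (constructed): a build-tool compile with the response file
    # under the project tree, which none of the rules should flag.
    Event("process", 900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
          parent_image=r"C:\Program Files\dotnet\MSBuild.exe",
          cmdline=r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(CONSTRUCTED_EVENTS):
        print(f"{rule:22} pid={pid} {detail}")
```

Rule 1 deliberately requires both the response file and a Temp path, so ordinary MSBuild-driven compiles (the control event) stay quiet; rule 2 is a heuristic that will also match legitimate self-updaters that relaunch from Temp, so treat its hits as a pivot, not a verdict.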
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists six files written during the run, by size and hash only (no paths):
- 1KB: MD5 57f863e0207cea6a741af49d80381bab, SHA1 fec21a64445bd08ecd2dbbb3afea4e03a45a20a9, SHA256 690a280554f734bea1638458e8405ed008200efa5d189cf4abc937baa7ef2d0d, SHA512 f828a5ec6d81294cdc98773b606c08d45ec38f65573c000186ed078927a0554255af4c46ae1c46c08f0d4e2872b99bb6e8d0a4373de61a72d2480378405007bb
- 14KB: MD5 4fe43c97ccf06a1f974826cc9293eb72, SHA1 9c6389d60377e38f2fb41a16b02a9096d8767214, SHA256 ff3f0381cfbefa9c1def45b22f15fccadf8dbf32bb9c35631a46cd630ed6b0f6, SHA512 a822d6e6ec6791abc5d32070bcd3c786e6c3964020603bc6f31fc2998691a33afc637d4dd48adef778540699b6ea06dce0032a34aa69ffc7e30607000ef3f843
- 266B: MD5 1fa989298f3f2f3d6c402ab68a4ee541, SHA1 5c7f976e108ac33e08bb6d4967fe4175211853b8, SHA256 043b649ebc47ed4f79a3fd323126a58412f37de4c9c293d8d4c8d5f7b4207b52, SHA512 fc94737e8569de68c6147636768be8e7479b9c428dffb1637756ee93c886e937c13318fd146d814f61055fbe4780ab398fad5cc83a9e1959376201f511e1dfd3
- 78KB: MD5 e85efc14f53544d1f737e88b1ab6c955, SHA1 930a757e523184ad2a0cb0b4df8a8bbd9d36d7be, SHA256 43b80c9fb0a5aa04e692043a49e37a474844cf21b926724c72acdb813a6e5699, SHA512 42ffdee09da7595c42c20880358a07079e18033bc07c08297a544f70beb717fb439d85a99861c3eded90bbb0af83eda7a8bf0cc72514db703a02f7b7535e17be
- 660B: MD5 000eb497abf05cf2e83c7fdc9c2ff8b2, SHA1 b9fc00e7b942c19d32d635502a14acb470522611, SHA256 1cdd9e94f734bb2defa365a2148bc1749d37311255834071c1b5bb429243f6b3, SHA512 1b1d2f5b355685738ef2d8245b9ce6783a54206efd47e1467fe2b04adbd8a77a5eee8fe4434010df9ee95efabb00b524894df06f67231ede7f435a56a7b34b06
- 62KB: MD5 8b25b4d931908b4c77ce6c3d5b9a2910, SHA1 88b65fd9733484c8f8147dad9d0896918c7e37c7, SHA256 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e, SHA512 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d
Note that the 78KB entry has the same size as the submitted sample but different hashes; the report does not say which dropped file it is.