Analysis
max time kernel: 103s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 07:23
Static task: static1
Behavioral task: behavioral1
  Sample: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe
  Resource: win10v2004-20241007-en
General
Target: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe
Size: 78KB
MD5: aa27921f3604aa1ce8f57df7db0a6df0
SHA1: 0e3f6ed58a733f34ef62f0b298c4a2918257627d
SHA256: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6a
SHA512: 1fc0fd88eea355f2a6c6d79beef8337a644a51fc6b4ad557e01beb01c7978442ffd524846c206184a2477808e50777f711876e40b2ea5ae7b41dda35f194f342
SSDEEP: 1536:DPWV5j/vZv0kH9gDDtWzYCnJPeoYrGQt9629/5R1gm:DPWV5j/l0Y9MDYrm799/l
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe)
- Deletes itself (1 IoCs)
  PID 4868: tmp99EE.tmp.exe
- Executes dropped EXE (1 IoCs)
  PID 4868: tmp99EE.tmp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" (Process: tmp99EE.tmp.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: tmp99EE.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (PID 4208, Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe)
  Token: SeDebugPrivilege (PID 4868, Process: tmp99EE.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4208 wrote to memory of 3904 (pid 4208, Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe, procid_target 82)
  PID 4208 wrote to memory of 3904 (pid 4208, Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe, procid_target 82)
  PID 4208 wrote to memory of 3904 (pid 4208, Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe, procid_target 82)
  PID 3904 wrote to memory of 336 (pid 3904, Process: vbc.exe, procid_target 84)
  PID 3904 wrote to memory of 336 (pid 3904, Process: vbc.exe, procid_target 84)
  PID 3904 wrote to memory of 336 (pid 3904, Process: vbc.exe, procid_target 84)
  PID 4208 wrote to memory of 4868 (pid 4208, Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe, procid_target 85)
  PID 4208 wrote to memory of 4868 (pid 4208, Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe, procid_target 85)
  PID 4208 wrote to memory of 4868 (pid 4208, Process: 469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe, procid_target 85)
Processes
C:\Users\Admin\AppData\Local\Temp\469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4208
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3rd6kq6q.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3904
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30AE9C0772EA401B8C57148DBEDD70E8.TMP"
          - System Location Discovery: System Language Discovery
          PID: 336
    C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\469cad32c42578cf2713602fb4b0bf417ff697ce43289a763beb2cc7bea10e6aN.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4868
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 423ac77092ecdc923a37e6628d46c22d
SHA1: f9fdf726f5f2c350ee0eb2157f539d67bf643759
SHA256: 9472ce211c2059c76310eab43a8bbb5131d91e84f5daeda9d0497ceb9acea2ec
SHA512: 3803caba9f23fa8306694ef446a1d06799789d9de90129aef7a5e84ddddf3b474d1bdb13d94ad64d83c3a18b9274d20b2ff068e8c66b035497f3052d1910f92d

Filesize: 266B
MD5: f2c2f40c099a1457eba7d71648b46be3
SHA1: 86bb01d098efce5205d440b32c96a4c247b47415
SHA256: e9caa541232e3a59e00131076fcd0fc6c3ea3c4134b2f35faf6fba6d22c404ca
SHA512: 22f613333ece6ecf66fc7ed8769ace0cc397c5a0f646e46a36f90dfa5f9948cfaef5fa004bcf6fae2a25bb1dd413f60613a46e660b09fd475f957dd4938fa9ae

Filesize: 1KB
MD5: e14a4f8522faf44bd16819f2bc42a3c6
SHA1: 1e577e8a312a60b54ed9213d336e528b924c4e76
SHA256: a9fcc5234a1c0d007570ab5791bfc1a5816ae24b27d05ba9de04935d57dd695a
SHA512: ea93a7f5d045bcb73d561ad156b323d3d09a24a5e90e2a9b809c782727616d48cb8af7d98d7517c1408c981e4ebca09a2ea6214b9d2b0ee01e92fca82651d11c

Filesize: 78KB
MD5: e9a937570eb92719190ba19f762eb5c2
SHA1: 41bf4bb10e1d4747c8c1bfdbe8c4b17adc5a65bb
SHA256: efbb0b540cbe7e32e8b2e9073a1bf6736f794d99c7414d67e5a47dc5ac12c4ad
SHA512: 4491507a42a6c1e4bae86797ba3de6e9cd3acaead28d6bf2dcd03443f6a2296b6d67b106be17bb2e5eebb5d791e37c80c0505e95316cf8fe589bbd407a98a110

Filesize: 660B
MD5: 3f3d13797be8a3be66197ed3e6226ea8
SHA1: 7c7792566bcfa6ce9d2b48e80ab009aff61ca305
SHA256: 3282798fd6deef84eeddeb4a3f28b55fe885eade40c4b62d771d45fd629e4494
SHA512: b7a5e3857db3d064ea81f7aeca8f76445bf49d6d89f80e640b93107f85b94e4b9991a3a14ca72c9ff86ed1660c6bfbc1e63fcbbd5296d2f9a8bd7a19100a766d

Filesize: 62KB
MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d