Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 15:22
Static task: static1
Behavioral task: behavioral1
Sample: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Resource: win10v2004-20241007-en
General
Target: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Size: 78KB
MD5: 2315b763266a9f2cb9e40548cdfc29db
SHA1: 120fd5a2436528e2f7b40738faf41b0d2e5bf722
SHA256: 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f
SHA512: d821b4da41a71e75eca97a2511d51079c46cbb58e1a659b6b70ee874469fdf660edea48df6f6293675b9f47bb664c5f02576d73d73adbced1cae1cb62e533fb9
SSDEEP: 1536:158Tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6E9/Yx1eEE:158yn7N041Qqhg89/mE
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe

Executes dropped EXE (1 IoCs)
pid | Process
3180 | tmp7501.tmp.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp7501.tmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp7501.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3472 | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
Token: SeDebugPrivilege | 3180 | tmp7501.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3472 wrote to memory of 2636 | 3472 | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe | 85
PID 3472 wrote to memory of 2636 | 3472 | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe | 85
PID 3472 wrote to memory of 2636 | 3472 | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe | 85
PID 2636 wrote to memory of 3532 | 2636 | vbc.exe | 87
PID 2636 wrote to memory of 3532 | 2636 | vbc.exe | 87
PID 2636 wrote to memory of 3532 | 2636 | vbc.exe | 87
PID 3472 wrote to memory of 3180 | 3472 | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe | 88
PID 3472 wrote to memory of 3180 | 3472 | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe | 88
PID 3472 wrote to memory of 3180 | 3472 | 89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3472

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5ovdofjb.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2636

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4508686CF2ED47C5B13C10E547855DF4.TMP"
      - System Location Discovery: System Language Discovery
      PID: 3532

  C:\Users\Admin\AppData\Local\Temp\tmp7501.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7501.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89dcd3a3c24ece396dd0133a12752360ada68883a3e3d9c7af9e99d87e983d4f.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3180
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 9701f27846d21d7de0d219605e2304fb
SHA1: bedc26f93c77f3ab27d54a3b42a0e20ca8b99009
SHA256: 717da9830f325f97eee7f1eeb11d96737a515d5e916b4956865351697bfdc4af
SHA512: d197d9b321246f48edab1625fef4a8e96e2e41b08d1cf75d1d6ce2eaec3d86718a6e2c6e8107cc3839ea9b1af5a19cedca17569caaeeb47e9863e4c60de00dd0

Filesize: 266B
MD5: dd660391c642578cd0bad41e22f1712f
SHA1: 2c1931c4378a61bc22a9629eaeca07beb58b1fa9
SHA256: 7e5d2427b76002f20e416be577478de0e9b7709bc1497874ed2231d0696cd76d
SHA512: 8f71e6b04c21738ebee632bc7ce9b3c23a4126c0c0dd0eccf13cf67d93f07aa9cc3b4c797b666801d72f649f3ee1b9e12a992358838046a2bf9736e747a4b4ec

Filesize: 1KB
MD5: 9d114200a379fa6f1dd551da1f41864c
SHA1: 5e02f647daa4170c25c45c00b9816a41b55ba38e
SHA256: 1cb2b44eaeba88b0b4f4514556cbac753db5c881a155bd6465bc580b7e9b83b6
SHA512: 9cfa555a8f5cff0c78048a65cd743cddfb96d7cfab4758655dfc26639aabf7704531a4713ddfeca94c9900286e0d98668a34945c1a9930db38277dd41c6b6b43

Filesize: 78KB
MD5: 6f2415a3b287e8881abc8e8ba7aa2ccf
SHA1: b20d6f6789f245ed86d5d01c02511cbadf5e7c8d
SHA256: bae406cbc707b4ef78228469bf154a293d82a5f0d5bb130c2dbc5f9259a03d9e
SHA512: af02ef4a877eff42b6d8b614e4d29890dd2bf1b96c3b6e62548d4b9057b6163746a823f385310a8c866ce7d98f2035ddcc9f22c5cec06279ae77589838a75a0a

Filesize: 660B
MD5: 73e3f6cef67007d1884c1dc658b1a82f
SHA1: 74cecf797b52a6a102f27d7d0dc89b36ac2d34ca
SHA256: 0b9168fe5a8b425af727c67e039c1ed2b6b4492c011104ad06cf71c5bfc27cbd
SHA512: 6d3e69e1a5b9f4a48b3e78257f780d08ba6d1069ac970e96cb2b16a50876c250abb1ce954cdf76f0154253a85fe94457353cd564f01c8ac8f40e1d8b9024b564

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65