Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 01:38
Static task
static1
Behavioral task
behavioral1
Sample: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
Resource: win7-20240903-en
Behavioral task
behavioral2
Sample: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
Resource: win10v2004-20241007-en
General
Target: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
Size: 78KB
MD5: 2664fd9c6f4053b0d0d49e77f0b73687
SHA1: 30897c778058572cbd9e6c9db62db4bddf0ed9f9
SHA256: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd
SHA512: 6b3ac294048242896e8e55eeee1ab7ba53cec80a7444a99271945d98265143e5c6da16c8ee2d144f25f70f931665873ed0ce31c94286a927468fd7a9ed7e83e6
SSDEEP: 1536:XXgy5jPvZv0kH9gDDtWzYCnJPeoYrGQtN6I9/W1DR:gy5jPl0Y9MDYrm7n9/2
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access trojan that has been in circulation since 2013.
MetamorpherRAT family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely to geofence execution.
Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (process: a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe)
Deletes itself (1 IoC)
PID 3480, tmp9366.tmp.exe
Executes dropped EXE (1 IoC)
PID 3480, tmp9366.tmp.exe
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
The sandbox labels this "VBS compiler", but vbc.exe is the VB.NET command-line compiler, not a VBScript engine: the sample writes source and a response file to the user's Temp directory and has the .NET Framework compile a new executable on the host at runtime (see the vbc.exe and cvtres.exe entries in the process tree).
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" (process: tmp9366.tmp.exe)
Both the value name (peverify, the name of the .NET Framework PE verifier tool) and the target filename (Microsoft.CSharp, the name of a .NET Framework assembly) borrow legitimate Microsoft names, but the autorun target sits in the user's Temp directory, where no Microsoft tooling is installed.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe, vbc.exe, cvtres.exe and tmp9366.tmp.exe
This key is read by many benign processes during locale initialisation, so the hits for the Microsoft compiler binaries (vbc.exe, cvtres.exe) are not evidence of geofencing on their own; the Geo\Nation lookup above is the stronger indicator.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 1520, a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
Token: SeDebugPrivilege, PID 3480, tmp9366.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
PID 1520 (a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe) wrote to memory of PID 964 (vbc.exe), procid_target 83, 3 entries
PID 964 (vbc.exe) wrote to memory of PID 1428 (cvtres.exe), procid_target 85, 3 entries
PID 1520 (a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe) wrote to memory of PID 3480 (tmp9366.tmp.exe), procid_target 86, 3 entries
Every write is from a parent into the child it had just spawned, which is also what CreateProcess does when it sets up the new process's parameters, so these entries do not by themselves demonstrate code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe (PID 1520)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 964, child of 1520)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\alcxwamn.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1428, child of 964)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES956A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE47ECB2E3B40DEACD25AA328A4B8F.TMP"
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\tmp9366.tmp.exe (PID 3480, child of 1520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9366.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
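The process tree above (dropper spawns vbc.exe with a response file in Temp, vbc.exe spawns cvtres.exe, the freshly compiled tmp9366.tmp.exe is launched with the dropper's own path as its argument) and the Run-key entry in the signatures section are the two behaviours a detection engineer would want to turn into rules. The following Python is an added example written for this page, not code from the sandbox or from the malware author. The event tuple layout, the benign MSBuild control events, the allow-list of legitimate compiler parents and the list of .NET lookalike names are assumptions; the paths, PIDs, command lines and the registry IoC line are copied from the report.

```python
"""Heuristics for the compile-at-runtime plus Run-key persistence pattern in this report.

Added example: the event tuples and the registry line format parsed below mirror the
sandbox report, not a real EDR or Sysmon export, which would need its own field mapping.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a3101fce422da2346f11a205c5a031672fb6f16645b28e3ec682dd1cd118bfbd.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed process-creation events: (pid, parent_pid, image, command_line).
# The first four are the report's process tree; the last two are a constructed benign
# control (MSBuild compiling via a response file in Temp) that the rules must not flag.
PROCESS_EVENTS = [
    (1520, 0, SAMPLE, f'"{SAMPLE}"'),
    (964, 1520, NET20 + r"\vbc.exe",
     f'"{NET20}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\alcxwamn.cmdline"'),
    (1428, 964, NET20 + r"\cvtres.exe",
     f'{NET20}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES956A.tmp" '
     f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbcE47ECB2E3B40DEACD25AA328A4B8F.TMP"'),
    (3480, 1520, r"C:\Users\Admin\AppData\Local\Temp\tmp9366.tmp.exe",
     f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9366.tmp.exe" {SAMPLE}'),
    (6999, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" app.sln'),
    (7000, 6999, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Dev\AppData\Local\Temp\xq1k2z.cmdline"'),
]

# Registry IoC line copied as the report prints it; the backslashes inside the quoted
# value data are the report's own escaping, hence the raw string.
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = '
    r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" tmp9366.tmp.exe',
]

COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}   # assumed allow-list of legitimate compiler parents
DOTNET_LOOKALIKES = {"peverify", "microsoft.csharp"}        # real .NET component names reused by the Run key
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)
RUN_KEY_LINE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S*?\\CurrentVersion\\Run\\(\S+)) = "(.*)"\s+(\S+)$')


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _argv(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted tokens whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def flag_compiler_abuse(events):
    """vbc.exe/csc.exe driven by a response file in a user-writable directory, spawned by a non-build parent."""
    images = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if _name(image) not in COMPILERS:
            continue
        m = RESPONSE_FILE.search(cmdline)
        if not m or not USER_WRITABLE.search(m.group(1)):
            continue
        parent = _name(images.get(ppid, ""))
        if parent in BUILD_HOSTS:
            continue  # MSBuild and friends also compile via Temp response files; that is normal
        hits.append((pid, parent, m.group(1)))
    return hits


def flag_temp_handoff(events):
    """Executable in a user-writable directory started with another .exe path as its only argument:
    the shape of tmp9366.tmp.exe being handed the dropper it then deletes (a heuristic, not proof)."""
    hits = []
    for pid, _, image, cmdline in events:
        args = _argv(cmdline)
        if (USER_WRITABLE.search(image) and len(args) == 2
                and args[1].lower().endswith(".exe") and USER_WRITABLE.search(args[1])):
            hits.append((pid, args[1]))
    return hits


def _unescape(data: str) -> str:
    """Undo the report's C-style escaping of the value data (\\" -> " and \\\\ -> \\)."""
    return data.replace(r'\"', '"').replace("\\\\", "\\")


def flag_run_key_persistence(lines):
    """Run-key writes whose target lives in a user-writable directory or borrows a .NET tooling name."""
    hits = []
    for line in lines:
        m = RUN_KEY_LINE.match(line)
        if not m:
            continue
        _kind, _key, value_name, data, proc = m.groups()
        target = _unescape(data).strip('"')
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("autorun target in user-writable directory")
        if value_name.lower() in DOTNET_LOOKALIKES or PureWindowsPath(target).stem.lower() in DOTNET_LOOKALIKES:
            reasons.append("name mimics .NET Framework tooling")
        if reasons:
            hits.append((value_name, target, proc, reasons))
    return hits


def triage(events=PROCESS_EVENTS, reg_lines=REGISTRY_EVENTS):
    return {
        "compiler_abuse": flag_compiler_abuse(events),
        "temp_handoff": flag_temp_handoff(events),
        "run_key_persistence": flag_run_key_persistence(reg_lines),
    }


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(rule, hits)
```

Run stand-alone, the three rules fire once each on the report's own events (PID 964, PID 3480 and the peverify Run key) and stay silent on the constructed MSBuild control, which uses the same Temp response-file mechanism but has a build host as its parent. The parent allow-list is the tuning knob: on developer workstations it will need the IDEs and build agents actually in use, while on servers and ordinary user endpoints a bare vbc.exe or csc.exe launch is rare enough to alert on unconditionally.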
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists dropped files by size and hash only; it does not record the paths they were written to or which process wrote them.

File 1: 1KB
MD5: 1083f54d9464eb9714331ac8573c1780
SHA1: 029ca7078b4b985f40e7973ae1cfd564350e1197
SHA256: 87fc86b8b10a58511e7a064c1d9e9add74dab9327b18e915ad14aebdcb6e3eb4
SHA512: eb9224d774fd4f6024bb4f8428d61aa055d822f918ba2288986de3948169ab7fc3530958f97e72b3ef9e373255707feed11f2fb59b55c89cbe7d5f210b2fd1af

File 2: 14KB
MD5: 9eee24b34eda7859429210aeadee917e
SHA1: be72b613600149238290f0b7e7030c4f91d25713
SHA256: ea770e792d56bb2766665daabdcc4240468d53f149bd1933190c6b783379712b
SHA512: 66ad894650496f44f7ee4a29071917b6cabcdd1d5bfe25d78cfbc84747baf56e8820c56396b323bd08a595f401d77f82b90346d6437ff5d294ed44972c458e07

File 3: 266B
MD5: 3740525cc4f218deabb4aa4482d878a8
SHA1: 1858f62cb180c7f5e9443c095b02dbb4ebf9405a
SHA256: 081587d91df1ae2007937079cc773ce06c5491997627e8ee3309ce4fd8d984af
SHA512: 8bc3669934b86ab01e276c20ba25168bdf0c5936913d01d2422cc2fdd55f0f91faba12155dd61995e77704b18209762dce3e6c9d075a0c66a0311b99726064e1

File 4: 78KB
MD5: 96dbde0823dfe09c427e1979da694450
SHA1: 391506a9fb06fa10a0a2d66b1bd4dc0454327721
SHA256: d89867fcc80a0bda8eac8dffa75ed7df5c1ddf97ccb6c615a3bf6cce3faa809a
SHA512: be7bf48407d5eafb40576c38a2b93ad8e466cce31a0dd0d3b961b821736bd44ebed57970b715642f94b231d3b0c63f6a0a821a347a6b6f3cb5b9d7b5f8fda8c0

File 5: 660B
MD5: 163649c1958c8ff1534b91703fd2951c
SHA1: d867adf861d55b3a85fce56e2bf9191d4606ad15
SHA256: dfc6a0c3be19d4c94c1cd199f5e8d03b26804403023ab725f45302b27dc3f8d7
SHA512: a2e6d72d4eb00bcaac6c68ac81db218ace5f1449e6d85e1b535ab091e4fa138dab37800424371c0df075f537164a312fc127dc652ed159a8ec88992430018d3f

File 6: 62KB
MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d