Analysis
max time kernel: 116s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2024 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
  Resource: win10v2004-20241007-en
General
Target: e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
Size: 78KB
MD5: 6c5ba3841c33f959898afe862fb00e32
SHA1: 8923ca1d9dfba6fc985ce8d5200ed00de57a0da3
SHA256: e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e
SHA512: 2d37960bfeb868cd30c9a76d8c39aa36b1fd45c08f00dcac224373f47f36240881502c17ab5a31948887f65f9a82493324dc37116076afb7a62e125d4792a79d
SSDEEP: 1536:QRWtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRP9/k11qc:QRWtHshASyRxvhTzXPvCbW2URP9/Nc
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a remote access trojan (RAT) that has been in circulation since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely as a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
- Deletes itself (1 IoC)
  pid | Process
  4712 | tmpC14C.tmp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4712 | tmpC14C.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
  Despite the signature name, vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. The process tree below shows the sample running vbc.exe on a generated response file (ug22vkxg.cmdline) with cvtres.exe linking a resource file underneath it, i.e. source code compiled on the victim at run time, followed by the same parent launching tmpC14C.tmp.exe from the Temp directory. This is consistent with the sample compiling its payload locally so that the file written to disk is never the submitted binary.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | tmpC14C.tmp.exe
  The key is under HKCU, so persistence needs no elevation. The value name (aspnet_state_perf) and the target file name (System.Web.exe) borrow ASP.NET component names, but the target sits in the user's Temp directory rather than an install location, and System.Web.exe does not appear in the process tree, so what persists on disk is a copy written under that name rather than the tmpC14C.tmp.exe that ran.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC14C.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  This key is opened during ordinary process start-up; the hits from Microsoft's own vbc.exe and cvtres.exe show how noisy the signature is. The Geo\Nation query above is the stronger location indicator.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1068 | e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
  Token: SeDebugPrivilege | 4712 | tmpC14C.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1068 wrote to memory of 4136 | 1068 | e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe | 84 (logged 3 times)
  PID 4136 wrote to memory of 2456 | 4136 | vbc.exe | 86 (logged 3 times)
  PID 1068 wrote to memory of 4712 | 1068 | e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe | 87 (logged 3 times)
  Each row is a parent populating a child it has just created, which is how the process tree below was derived; no cross-process write into an unrelated process is recorded.
Processes
- PID 1068  C:\Users\Admin\AppData\Local\Temp\e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 4136  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (child of 1068)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ug22vkxg.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - PID 2456  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (child of 4136)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7480F9D5A7424C12BAF414A4B66766.TMP"
      Signatures: System Location Discovery: System Language Discovery
  - PID 4712  C:\Users\Admin\AppData\Local\Temp\tmpC14C.tmp.exe  (child of 1068)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC14C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe
    Signatures: Deletes itself; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
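The two findings a triager acts on in this report, the Run-key persistence into the user's Temp directory and the vbc.exe/cvtres.exe compile-then-execute chain, can be checked mechanically from the rows above. The following Python is an added example, not output of the sandbox nor part of its API: it embeds rows copied from this report, rebuilds the parent-to-child map from the WriteProcessMemory rows, and applies the two checks. The function names, the COMPILERS set and the USER_WRITABLE directory list are this example's own assumptions.

```python
"""Triage helpers for the flattened sandbox report above (added example; the
rows are copied from the report, the function names and lists are this
example's choices, not the sandbox's API)."""
import ntpath
import re
from collections import defaultdict

SAMPLE = "e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# pid -> image path, from the "Processes" section.
PROCESSES = {
    1068: TEMP + "\\" + SAMPLE,
    4136: NETFX + r"\vbc.exe",
    2456: NETFX + r"\cvtres.exe",
    4712: TEMP + r"\tmpC14C.tmp.exe",
}

# "Suspicious use of WriteProcessMemory" rows; the report logs each event
# three times, so one duplicate is kept here to show that it collapses.
WRITE_ROWS = [
    f"PID 1068 wrote to memory of 4136 1068 {SAMPLE} 84",
    f"PID 1068 wrote to memory of 4136 1068 {SAMPLE} 84",
    "PID 4136 wrote to memory of 2456 4136 vbc.exe 86",
    f"PID 1068 wrote to memory of 4712 1068 {SAMPLE} 87",
]

# "Adds Run key to start application" row, exactly as the report prints it.
RUN_ROW = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "
    r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" tmpC14C.tmp.exe'
)

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
RUN_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<val>.*)" (?P<proc>\S+)$')
COMPILERS = {"vbc.exe", "csc.exe"}           # runtime compilers worth flagging (assumption)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def children_map(rows):
    """parent pid -> set of child pids; a parent writes a child's memory at creation."""
    kids = defaultdict(set)
    for row in rows:
        m = WRITE_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        kids[int(m.group(1))].add(int(m.group(2)))
    return dict(kids)


def in_user_writable_dir(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def _name(processes, pid):
    return ntpath.basename(processes.get(pid, "")).lower()


def runtime_compile_chains(processes, kids):
    """(parent, compiler, dropped) triples: a process that compiles on the host
    (vbc/csc with cvtres.exe underneath) and then runs a child from a
    user-writable directory."""
    found = []
    for parent, children in kids.items():
        compilers = [c for c in children if _name(processes, c) in COMPILERS]
        # cvtres.exe under the compiler is the resource-link step of building an EXE
        linked = [c for c in compilers
                  if any(_name(processes, g) == "cvtres.exe" for g in kids.get(c, ()))]
        dropped = [c for c in children
                   if c not in compilers and in_user_writable_dir(processes.get(c, ""))]
        found.extend((parent, c, d) for c in linked for d in dropped)
    return found


def parse_run_key(row):
    """Decode a Run-key IoC row; the sandbox escapes quotes and backslashes in the value."""
    m = RUN_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    key = m.group("key")
    target = re.sub(r"\\(.)", r"\1", m.group("val")).strip('"')
    return {
        "hive": "HKCU" if key.startswith("\\REGISTRY\\USER\\") else "HKLM",
        "value_name": key.rsplit("\\", 1)[1],
        "target": target,
        "set_by": m.group("proc"),
        "suspicious": in_user_writable_dir(target),
    }


if __name__ == "__main__":
    kids = children_map(WRITE_ROWS)
    for parent, comp, drop in runtime_compile_chains(PROCESSES, kids):
        print(f"compile-and-run: {parent} -> {_name(PROCESSES, comp)} -> {PROCESSES[drop]}")
    print(parse_run_key(RUN_ROW))
```

Run stand-alone it reports the single chain 1068 -> vbc.exe -> tmpC14C.tmp.exe and the HKCU Run value aspnet_state_perf pointing into AppData\Local\Temp. The same two functions apply unchanged to any report in this layout; the Run-key check deliberately ignores the value name, since the ASP.NET-style naming here is exactly what a name-based allowlist would wave through.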
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 56892dc7eb2dc5e3227203703c56c43b
  SHA1: 8c6b818a4a99621e82c117913c9dadae512ac273
  SHA256: c77e19a2a8cb327a12afb3cb2786be54357f86482f6d926b2e3eb19a60ecbdaa
  SHA512: 9a74c211469beae51475614fdb924c71cfcfab33b43a0d11240fe089b71b766ec7ca42b9b34f3fb07a7f3f123371a28537c131f869fca8ae65cf6f492581c55e
- Filesize: 78KB
  MD5: ebd5b8d8a99906a1048b8b0d33094287
  SHA1: ce97e0c97bcddc4dc648dcbec30b31d4fb4ef971
  SHA256: a3b1498b0e693e52fee1d9be3560f7bd698c80a3d051f2393ff149b51aa5e323
  SHA512: c3f8656e71009c51a9e7159f1ab8ff68b46e8938efda84978aa78106bbd87077ba5ba63ae58faf06f888a9e9a25088e2a63fdece54742deb174a12a7e985fd6f
- Filesize: 15KB
  MD5: 31c604ec67439ad2d3ba9a539a3357d2
  SHA1: e6240b6dd2952b65b3c519de83e46bac6f124187
  SHA256: 9157514b1c0102e2db7b01c3b02730a6dec8209b94809754c8d97b9b455c8623
  SHA512: 0896fceb4f3d81e496c65fcbcf2c9c55d4e384270dde52ae842eda966eaf86f6cb28f3195fad3fa29cc5a6cdf408f75bad3136be0dc15cb29ada72bc81a0dae3
- Filesize: 266B
  MD5: 1ce2035eefaa38d84466d45a1cc4e07a
  SHA1: 60ec297a9ae0da08d06b4034a746a539ae102305
  SHA256: a0cda55413afdb6d8eb7e9178a45818fb13616cb064658c3e607906dce8efe81
  SHA512: ff74c9b3e43534e67981af45fbd13f894745ee6edf997c63d4f7b0b045ceef598c7a3892ae7f5e7d3cf4943932f098dd3aa4b18ba8ba4afdef6b3b6831480e7e
- Filesize: 660B
  MD5: 20630387f4fa62f1f30ecc4a09716bc9
  SHA1: f1dd59ba065f63d49fb71bb8beb036e16b426403
  SHA256: 1a36506be09989665209fa431266af6e19d9ed521d91b2ae5ab67295c798b1d5
  SHA512: f7d29ca152dd6c59febff58f41b8a3dae81a1b98a5f34e4cd7c4edf0314f8507876fea58fbe84c591cf8455ba5993d47f6e3c40e6dc9f7798bb2abd1a59187e1
- Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
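A practitioner lifting these hashes into a blocklist wants two things the table does not give directly: confidence that each digest survived extraction intact (the labels arrived fused onto the digests, as in "MD556892dc7…"), and an answer to whether any dropped file is simply a copy of the submitted sample. The following Python is an added example, not sandbox output: it embeds the dropped-file and sample hashes copied from this report, splits each fused label from its digest by validating the digest length, and cross-checks the entries against the sample. Function names and return shapes are this example's own.

```python
"""Hash triage for the "Downloads" table above (added example, not sandbox
output; hashes copied from the report, function names are this example's)."""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-fA-F]+$")

SAMPLE = {  # "General" section of the report (the submitted sample)
    "size": "78KB",
    "md5": "6c5ba3841c33f959898afe862fb00e32",
    "sha1": "8923ca1d9dfba6fc985ce8d5200ed00de57a0da3",
    "sha256": "e6d918158a2e4ae801fab31c3372829b85f3b52e68bfc8017d9c3b880b84845e",
}

# "Downloads" section, verbatim including the fused labels.
DOWNLOADS = """\
Filesize
1KB
MD556892dc7eb2dc5e3227203703c56c43b
SHA18c6b818a4a99621e82c117913c9dadae512ac273
SHA256c77e19a2a8cb327a12afb3cb2786be54357f86482f6d926b2e3eb19a60ecbdaa
SHA5129a74c211469beae51475614fdb924c71cfcfab33b43a0d11240fe089b71b766ec7ca42b9b34f3fb07a7f3f123371a28537c131f869fca8ae65cf6f492581c55e
-
Filesize
78KB
MD5ebd5b8d8a99906a1048b8b0d33094287
SHA1ce97e0c97bcddc4dc648dcbec30b31d4fb4ef971
SHA256a3b1498b0e693e52fee1d9be3560f7bd698c80a3d051f2393ff149b51aa5e323
SHA512c3f8656e71009c51a9e7159f1ab8ff68b46e8938efda84978aa78106bbd87077ba5ba63ae58faf06f888a9e9a25088e2a63fdece54742deb174a12a7e985fd6f
-
Filesize
15KB
MD531c604ec67439ad2d3ba9a539a3357d2
SHA1e6240b6dd2952b65b3c519de83e46bac6f124187
SHA2569157514b1c0102e2db7b01c3b02730a6dec8209b94809754c8d97b9b455c8623
SHA5120896fceb4f3d81e496c65fcbcf2c9c55d4e384270dde52ae842eda966eaf86f6cb28f3195fad3fa29cc5a6cdf408f75bad3136be0dc15cb29ada72bc81a0dae3
-
Filesize
266B
MD51ce2035eefaa38d84466d45a1cc4e07a
SHA160ec297a9ae0da08d06b4034a746a539ae102305
SHA256a0cda55413afdb6d8eb7e9178a45818fb13616cb064658c3e607906dce8efe81
SHA512ff74c9b3e43534e67981af45fbd13f894745ee6edf997c63d4f7b0b045ceef598c7a3892ae7f5e7d3cf4943932f098dd3aa4b18ba8ba4afdef6b3b6831480e7e
-
Filesize
660B
MD520630387f4fa62f1f30ecc4a09716bc9
SHA1f1dd59ba065f63d49fb71bb8beb036e16b426403
SHA2561a36506be09989665209fa431266af6e19d9ed521d91b2ae5ab67295c798b1d5
SHA512f7d29ca152dd6c59febff58f41b8a3dae81a1b98a5f34e4cd7c4edf0314f8507876fea58fbe84c591cf8455ba5993d47f6e3c40e6dc9f7798bb2abd1a59187e1
-
Filesize
62KB
MD58fd8e054ba10661e530e54511658ac20
SHA172911622012ddf68f95c1e1424894ecb4442e6fd
SHA256822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c
"""


def split_hash_line(line):
    """("md5", digest) etc. for a fused label+digest line; None if the digest
    is not hex of the algorithm's exact length (truncated or mis-copied)."""
    for algo, n in HASH_LEN.items():
        digest = line[len(algo):]
        if line.startswith(algo) and len(digest) == n and HEX.match(digest):
            return algo.lower(), digest.lower()
    return None


def parse_downloads(text):
    """List of {"size", "md5", "sha1", "sha256", "sha512"} dicts; raises on gaps."""
    entries, cur = [], None
    lines = iter(line.strip() for line in text.splitlines())
    for line in lines:
        if line == "Filesize":
            cur = {"size": next(lines, "")}
            entries.append(cur)
        elif line in ("", "-"):
            continue
        elif cur is not None and (parsed := split_hash_line(line)):
            cur[parsed[0]] = parsed[1]
        else:
            raise ValueError(f"unexpected or malformed line: {line!r}")
    for e in entries:
        missing = [a.lower() for a in HASH_LEN if a.lower() not in e]
        if missing:
            raise ValueError(f"entry of size {e['size']} lacks {missing}")
    return entries


def matches_sample(entries, sample):
    """Indices of dropped files byte-identical to the submitted sample."""
    return [i for i, e in enumerate(entries)
            if any(e[a] == sample[a] for a in ("md5", "sha1", "sha256"))]


def same_size_new_binary(entries, sample):
    """sha256 of dropped files with the sample's size but different content,
    i.e. a rebuilt or rewritten binary rather than a plain copy."""
    return [e["sha256"] for e in entries
            if e["size"] == sample["size"] and e["sha256"] != sample["sha256"]]
```

On this report none of the six dropped files matches the sample on any digest, and the one 78KB dropped file has a different SHA256 from the 78KB sample, which is what the run-time compilation chain in the process tree predicts: the binary that persists is built on the host, so the submitted sample's hash alone is not a useful indicator for it.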