Analysis
- max time kernel: 138s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2025 22:47
Static task: static1
Behavioral task: behavioral1
- Sample: aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
- Resource: win10v2004-20241007-en
General
- Target: aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
- Size: 78KB
- MD5: 733319b3eef1c7bbd30aa8dac6519aac
- SHA1: fce2c55c1436a9d8ef0ab7dd25decf3fc2eb54eb
- SHA256: aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7
- SHA512: 104309319cc30b3180e0148efbdcfa73b5319dd39d8206ef77f176110ed7a30f491c37c6108827fd356bcac1d5b15ff507c0d2011aee7694947f73830011ec6a
- SSDEEP: 1536:NPCHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtv9/M162A:NPCHshASyRxvhTzXPvCbW2Uv9/4A
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation (process: aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe)
- Deletes itself (1 IoC)
  PID 4800, process tmpC4C7.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 4800, process tmpC4C7.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" (process: tmpC4C7.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tmpC4C7.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2924, process aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
  Token: SeDebugPrivilege, PID 4800, process tmpC4C7.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2924 wrote to memory of 2036 | 2924 | aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe | 83 (3 identical entries)
  PID 2036 wrote to memory of 2232 | 2036 | vbc.exe | 85 (3 identical entries)
  PID 2924 wrote to memory of 4800 | 2924 | aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe | 86 (3 identical entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe"
  PID: 2924
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mqm1v5cg.cmdline"
    PID: 2036
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10474662492443AF884040D234233A9E.TMP"
      PID: 2232
      - System Location Discovery: System Language Discovery
  - Level 2: C:\Users\Admin\AppData\Local\Temp\tmpC4C7.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC4C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
    PID: 4800
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads