Overview
overview
10Static
static
103c7b097b31...0f.exe
windows7-x64
83c7b097b31...0f.exe
windows10-2004-x64
83c8a6c6cde...86.exe
windows7-x64
103c8a6c6cde...86.exe
windows10-2004-x64
103ca3e4676b...f1.exe
windows7-x64
103ca3e4676b...f1.exe
windows10-2004-x64
103cb47c4bbe...c1.exe
windows7-x64
103cb47c4bbe...c1.exe
windows10-2004-x64
103d18edb3bf...ff.exe
windows7-x64
13d18edb3bf...ff.exe
windows10-2004-x64
3d1ee6caf0...b4.exe
windows7-x64
103d1ee6caf0...b4.exe
windows10-2004-x64
103d2f05086d...0c.exe
windows7-x64
103d2f05086d...0c.exe
windows10-2004-x64
103d81f411b0...ba.exe
windows7-x64
103d81f411b0...ba.exe
windows10-2004-x64
103d90976d58...8c.exe
windows7-x64
103d90976d58...8c.exe
windows10-2004-x64
103d97ea72c5...9e.exe
windows7-x64
103d97ea72c5...9e.exe
windows10-2004-x64
103dd452b939...18.exe
windows7-x64
33dd452b939...18.exe
windows10-2004-x64
33dfc71cfc4...bd.exe
windows7-x64
103dfc71cfc4...bd.exe
windows10-2004-x64
103e435c9ff2...57.exe
windows7-x64
103e435c9ff2...57.exe
windows10-2004-x64
103e624f48a8...2b.exe
windows7-x64
13e624f48a8...2b.exe
windows10-2004-x64
43e8acfab95...cc.exe
windows7-x64
103e8acfab95...cc.exe
windows10-2004-x64
103e9a136b97...9d.exe
windows7-x64
103e9a136b97...9d.exe
windows10-2004-x64
10Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:25
Behavioral task
behavioral1
Sample
3c7b097b31ed5df2ce6313dddd86da0f.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3c7b097b31ed5df2ce6313dddd86da0f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
3c8a6c6cde2240783bed48a2f3d849a30bfa841d7cb55177721631dcec1eb086.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
3c8a6c6cde2240783bed48a2f3d849a30bfa841d7cb55177721631dcec1eb086.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
3ca3e4676bac76c4f7eaf0ab169b8af1.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
3ca3e4676bac76c4f7eaf0ab169b8af1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
3cb47c4bbe6856c45fd89eb5eb2723c1.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
3cb47c4bbe6856c45fd89eb5eb2723c1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
3d18edb3bf6b0493a6572edd73f937ff.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
3d18edb3bf6b0493a6572edd73f937ff.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
3d2f05086d9da9564c7c7e945875e80c.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
3d2f05086d9da9564c7c7e945875e80c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
3d81f411b0ec1ac7d861358e145db4ba.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
3d81f411b0ec1ac7d861358e145db4ba.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
3d97ea72c561c7d15574a99be582c59e.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
3d97ea72c561c7d15574a99be582c59e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
3dd452b9394976fd7b431d3dbae57d18.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
3dd452b9394976fd7b431d3dbae57d18.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
3dfc71cfc45034d671ac0f319bc080bd.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
3dfc71cfc45034d671ac0f319bc080bd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
3e435c9ff25f6dca4a3e7262825aa557.exe
Resource
win7-20250207-en
Behavioral task
behavioral26
Sample
3e435c9ff25f6dca4a3e7262825aa557.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral27
Sample
3e624f48a849ad8a70e09f6d4e75f02b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
3e624f48a849ad8a70e09f6d4e75f02b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
3e8acfab95493518077e0028fd0f2dcc.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
3e8acfab95493518077e0028fd0f2dcc.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
3e9a136b97b7ad7104019ae696b4f59d.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
3e9a136b97b7ad7104019ae696b4f59d.exe
Resource
win10v2004-20250314-en
General
-
Target
3ca3e4676bac76c4f7eaf0ab169b8af1.exe
-
Size
78KB
-
MD5
3ca3e4676bac76c4f7eaf0ab169b8af1
-
SHA1
3873da68bc51d374243468d08e73058674ea0a02
-
SHA256
572c49454d971b5cebc708b888e42970a4f954d97cdd8cd237a5ce4b281c60a7
-
SHA512
2f34a5d1affdada1686408f5f6ac748fd688215a2a12acf897f06af177ad103dbae344102b271b572a5e51ec11b68d97b7d2fa184244ce67d5ea8430f85f1e4e
-
SSDEEP
1536:bCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN9/t1+S:bCHFq3Ln7N041QqhgN9/Z
Malware Config
Signatures
-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation 3ca3e4676bac76c4f7eaf0ab169b8af1.exe -
Deletes itself 1 IoCs
pid Process 5232 tmp49DA.tmp.exe -
Executes dropped EXE 1 IoCs
pid Process 5232 tmp49DA.tmp.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" tmp49DA.tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ca3e4676bac76c4f7eaf0ab169b8af1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp49DA.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5244 3ca3e4676bac76c4f7eaf0ab169b8af1.exe Token: SeDebugPrivilege 5232 tmp49DA.tmp.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 5244 wrote to memory of 5060 5244 3ca3e4676bac76c4f7eaf0ab169b8af1.exe 87 PID 5244 wrote to memory of 5060 5244 3ca3e4676bac76c4f7eaf0ab169b8af1.exe 87 PID 5244 wrote to memory of 5060 5244 3ca3e4676bac76c4f7eaf0ab169b8af1.exe 87 PID 5060 wrote to memory of 5220 5060 vbc.exe 89 PID 5060 wrote to memory of 5220 5060 vbc.exe 89 PID 5060 wrote to memory of 5220 5060 vbc.exe 89 PID 5244 wrote to memory of 5232 5244 3ca3e4676bac76c4f7eaf0ab169b8af1.exe 90 PID 5244 wrote to memory of 5232 5244 3ca3e4676bac76c4f7eaf0ab169b8af1.exe 90 PID 5244 wrote to memory of 5232 5244 3ca3e4676bac76c4f7eaf0ab169b8af1.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ca3e4676bac76c4f7eaf0ab169b8af1.exe"C:\Users\Admin\AppData\Local\Temp\3ca3e4676bac76c4f7eaf0ab169b8af1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5244 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ju0595n8.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BAF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57444B7A62E74ABABD71616A96A122D.TMP"3⤵
- System Location Discovery: System Language Discovery
PID:5220
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp49DA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ca3e4676bac76c4f7eaf0ab169b8af1.exe2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5232
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5aee7284858f96d439c9128392aa40078
SHA196775298db4a82fac89396694feb3325c0ae9c32
SHA25656775c560ffec91daec8af097072b743f974e9ca2b5b0c0ca8e0c03f4475ec38
SHA5125de7068db866536c598df4e20ab688dd6ef52182563a183d558555fc41b287edbd5db03d704e71a5c5a5ca87c7917bfa7876ea33cddf06bfb91e070f070c626e
-
Filesize
15KB
MD5e3fb4d88713cfa0504d8305dd95dba00
SHA1d3c546d5f7dd00db5c695f07aff3b2d80e4bb72b
SHA256738aa4b78654af84b7c13e73f2447212caaae895ba0f89e0ebd62bced289f011
SHA512f41a7cbe1cccca876af97307e3286c6c3281293856d21e63e5e1e33c9786554e4db20f12aeb8696ceb3305361c28814a5d959c7abf2cffc630056e626406b842
-
Filesize
266B
MD51df67d50ad44e89970b416da9e4ed063
SHA1e0304126fc6a920c0b6f09f322a5041a52e842db
SHA256d1e9509495951790f37af521f264c57672e0aa095cfb75ae5864ef2bfddf72ea
SHA512c383112d7aae48026d8619e04fca0826e1c274e23f35f5010ad4eb3759f3f12fd0b67ac9436d4fb2e9d54edf3d5cea1b52e55f7fc56e7a28c2ddea71066890c6
-
Filesize
78KB
MD51116590de90b811b247c0c11105d4f7d
SHA160d53e1f02b4ceeb8d3f361e02e0c428feca936a
SHA256df6fa18cd358a9f2adf513c641bb353d1d9614c4c0519bc82f31f166a3c941c1
SHA512d52ac85e94da0de37c22d0e375b1964550a2959469facd9d5d01f92e7c733a09de6ded50f27bd63300d0dad61daac0e0c2c39b424600d04a99f7c7378eb33699
-
Filesize
660B
MD54835d6dad2f3b5a78652c4412decb225
SHA1d22a7223701be33dc08449f4870cee9404fe141b
SHA25629eac352dfa74178d32b1ac2a88ec65bf1c97204857ae342b04fa52bbd94d6df
SHA512932e29d049ea6a3ffd90e888c1a3d9382cbd936fc3d08051cc50200a414ff50950e018383bf7c711a385c5f4bf101a241c1824dc76a72f8fcd2afca2784943fe
-
Filesize
62KB
MD5aa4bdac8c4e0538ec2bb4b7574c94192
SHA1ef76d834232b67b27ebd75708922adea97aeacce
SHA256d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA5120ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65