Analysis (score 10)
- max time kernel: 147s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/03/2025, 06:12
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: 6ea09dc024349dc98b36f4ace0dd0fbf.exe, win7-20240903-en
- behavioral2: 6ea09dc024349dc98b36f4ace0dd0fbf.exe, win10v2004-20250314-en
- behavioral3: 6ea800eee1fc82ad358d35a7fde8ccd12b93a783300c4a97f7b8a7abcc7d7383.exe, win7-20240903-en
- behavioral4: 6ea800eee1fc82ad358d35a7fde8ccd12b93a783300c4a97f7b8a7abcc7d7383.exe, win10v2004-20250314-en
- behavioral5: 6ec1c209b158ca6a09569dab997a10da.exe, win7-20250207-en
- behavioral6: 6ec1c209b158ca6a09569dab997a10da.exe, win10v2004-20250314-en
- behavioral7: 6f0c3386f12f5dee87b51bce9d5ac5500d5f173dd6c541b97aaac3bcd4abb9bf.exe, win7-20240903-en
- behavioral8: 6f0c3386f12f5dee87b51bce9d5ac5500d5f173dd6c541b97aaac3bcd4abb9bf.exe, win10v2004-20250314-en
- behavioral9: 6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe, win7-20240903-en
- behavioral10: 6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe, win10v2004-20250314-en
- behavioral11: 6f46a588081210caf9fc5f69f68daa1eb869bfb5658baaa201c7d9f466e3a00c.exe, win7-20240729-en
- behavioral12: 6f46a588081210caf9fc5f69f68daa1eb869bfb5658baaa201c7d9f466e3a00c.exe, win10v2004-20250314-en
- behavioral13: 6f6b7ee9a4b8c657931ecaacd04849db.exe, win7-20241010-en
- behavioral14: 6f6b7ee9a4b8c657931ecaacd04849db.exe, win10v2004-20250314-en
- behavioral15: 6f723cd9002531ad31487e588d1132bc.exe, win7-20240903-en
- behavioral16: 6f723cd9002531ad31487e588d1132bc.exe, win10v2004-20250314-en
- behavioral17: 6f7e5a757226029c4770683df8125105.exe, win7-20240903-en
- behavioral18: 6f7e5a757226029c4770683df8125105.exe, win10v2004-20250314-en
- behavioral19: 6f8921f28520259dde636ae0740e643e.exe, win7-20240729-en
- behavioral20: 6f8921f28520259dde636ae0740e643e.exe, win10v2004-20250314-en
- behavioral21: 6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe, win7-20241023-en
- behavioral22: 6f8a4cd4e0092c7cf850cf6434225de4ade9b7eb92d8110bb7cbec7fdc29c10e.exe, win10v2004-20250314-en
- behavioral23: 6f9568a7c563f84e4331fd0954d9ad321f41199035067dca004e1c927c1989ba.exe, win7-20241010-en
- behavioral24: 6f9568a7c563f84e4331fd0954d9ad321f41199035067dca004e1c927c1989ba.exe, win10v2004-20250314-en
- behavioral25: 6f9d1b3820144f3c5df2673cd155bfe0.exe, win7-20241023-en
- behavioral26: 6f9d1b3820144f3c5df2673cd155bfe0.exe, win10v2004-20250314-en
- behavioral27: 6faa2d85ae06f7888287bec8ae3e079b.exe, win7-20240903-en
- behavioral28: 6faa2d85ae06f7888287bec8ae3e079b.exe, win10v2004-20250314-en
- behavioral29: 6fd711c9c2d9499442df85e477e670c6.exe, win7-20240903-en
- behavioral30: 6fd711c9c2d9499442df85e477e670c6.exe, win10v2004-20250314-en
- behavioral31: 6fe5c591a1fbdd543b030912700b164a.exe, win7-20250207-en
General
- Target: 6f6b7ee9a4b8c657931ecaacd04849db.exe
- Size: 78KB
- MD5: 6f6b7ee9a4b8c657931ecaacd04849db
- SHA1: aadc1272891324493ad099c65e72a7bff8b2fd0b
- SHA256: 11fb7846090fb2e23cba8a66b1e5e605072aab6580cb9103f9d3e89205826a1a
- SHA512: 3c64218ed10eec552f198b17289aced5feaefec0c6ca8b1f25ed7f7e2cc1cab3fa98202f8bf0590810131c0cf12c38e5e9cd772170b5eb73873af7d8b12e7074
- SSDEEP: 1536:NPWtHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/q1zv:NPWtHFo53Ln7N041QqhgD9/o
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation (process: 6f6b7ee9a4b8c657931ecaacd04849db.exe)
- Executes dropped EXE (1 IoC)
  PID 3064: tmp6B0E.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" (process: tmp6B0E.tmp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: 6f6b7ee9a4b8c657931ecaacd04849db.exe, vbc.exe, cvtres.exe, tmp6B0E.tmp.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (PID 4768, 6f6b7ee9a4b8c657931ecaacd04849db.exe)
  Token: SeDebugPrivilege (PID 3064, tmp6B0E.tmp.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4768 (6f6b7ee9a4b8c657931ecaacd04849db.exe) wrote to memory of PID 696, procid_target 88 (3 identical entries)
  PID 696 (vbc.exe) wrote to memory of PID 2420, procid_target 90 (3 identical entries)
  PID 4768 (6f6b7ee9a4b8c657931ecaacd04849db.exe) wrote to memory of PID 3064, procid_target 91 (3 identical entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe"
  PID: 4768
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xiqvsiae.cmdline"
    PID: 696
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA142FEC8BB64D019726D5DE85A8332.TMP"
      PID: 2420
      Signatures: System Location Discovery: System Language Discovery
  - Level 2: C:\Users\Admin\AppData\Local\Temp\tmp6B0E.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6B0E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6f6b7ee9a4b8c657931ecaacd04849db.exe
    PID: 3064
    Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b7b5aec373f1c427c32db99d367ac044
  SHA1: 1719fa8f7ec16dcb125c609b6bf2d4fba77c193f
  SHA256: bff68e27af11bab0483ad6b9d950f9a4912023acf34075ca1622e9c3d3dd653d
  SHA512: 649207c43a0fcc69563ff6e8d6177e541baa2b1dfc45a1976ec692843778fa9e55ffd87e1eec7b612a55aee366f33b42a574c8f2f7dc11308f100b3e9effa3af
- Filesize: 78KB
  MD5: f6090d3774cc1d88b0d44f145a341816
  SHA1: ec996f14a60487dc22198e479f77861346968826
  SHA256: 77c913f237196ae8ba316ae8d0dab5ef3f1dcaaacd749d81ad67051a97e16d25
  SHA512: 9ef5dae1cb4f36f591d6e7c6f5b38e03cf8bff5827ef3e5fbe92cc87ca296fa401c79352d65a032ec7a02791038663cf385a86464c3d65dd0465b240d4750816
- Filesize: 660B
  MD5: d1be7c345c5506fcd720c900c023776c
  SHA1: a10fb5ce9fb9632d1ace6e18c8d1444976893a7e
  SHA256: d565bef8c01437b5f9553915ae9238c02ead428db1e1ac816142a79d8a8f3063
  SHA512: e438f8b4962ff02400b624cab326dc6900ff5e5d5083f63483710bca93815e4ea7a0b1053af2df084e7e9f92601de99e615402dffd27bbff1f43d95b3aece2d6
- Filesize: 15KB
  MD5: 5a72ac9a65b46ca6f2423cd93fedd4dc
  SHA1: ec7c8a4e78ddde0a148b4b67ff75ad54e3f06f32
  SHA256: 30f5c4f5b9792e0597d1261656822da6dc7134b560952c67478f50417742e957
  SHA512: 35b1f462739210fe2d8feec44e7541a436a943fee89ffeb09b586cc9aaf447a32333028c7c275f2b07d2825167bebcf873d1c4332ab4b3e5c2fcdd81d9337b5d
- Filesize: 266B
  MD5: 9338f4df8791b5393bec8125087a2575
  SHA1: b0fbfe64043c5a3accc4a006ae000116dd50764e
  SHA256: 96b64c8932dfd4543bd3e9f0724009b41617b7d15b32f1b0fe2c49b206b67524
  SHA512: 34020290e57b1e15029bd53737091094ac327e42c2c31a3764272b4cd29763f7e2ea2975e4198be701f0e1531b9b3c5e5b13406b26903b949816db5d0d35867e
- Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65