Overview
overview
10Static
static
1094975fe621...cd.exe
windows7-x64
1094975fe621...cd.exe
windows10-2004-x64
1094c020786b...1d.exe
windows7-x64
1094c020786b...1d.exe
windows10-2004-x64
1094c7c87a82...20.exe
windows7-x64
194c7c87a82...20.exe
windows10-2004-x64
194dd618932...a1.exe
windows7-x64
394dd618932...a1.exe
windows10-2004-x64
394e2ada20e...f6.exe
windows7-x64
1094e2ada20e...f6.exe
windows10-2004-x64
7952e0a7f82...33.exe
windows7-x64
7952e0a7f82...33.exe
windows10-2004-x64
7953e99960b...40.exe
windows7-x64
10953e99960b...40.exe
windows10-2004-x64
109576cc7c1d...3f.exe
windows7-x64
109576cc7c1d...3f.exe
windows10-2004-x64
10959c2d37a1...19.exe
windows7-x64
10959c2d37a1...19.exe
windows10-2004-x64
1095cc71e95c...eb.exe
windows7-x64
1095cc71e95c...eb.exe
windows10-2004-x64
1095fc2287fc...2c.exe
windows7-x64
1095fc2287fc...2c.exe
windows10-2004-x64
10960c033d30...04.exe
windows7-x64
1960c033d30...04.exe
windows10-2004-x64
196591b5749...ff.exe
windows7-x64
196591b5749...ff.exe
windows10-2004-x64
19695505ced...e7.exe
windows7-x64
19695505ced...e7.exe
windows10-2004-x64
196959cb142...76.exe
windows7-x64
1096959cb142...76.exe
windows10-2004-x64
1096985d97b0...da.exe
windows7-x64
1096985d97b0...da.exe
windows10-2004-x64
10Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:14
Behavioral task
behavioral1
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral29
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win10v2004-20250314-en
General
-
Target
959c2d37a1e94337957c5323aab9bf19.exe
-
Size
78KB
-
MD5
959c2d37a1e94337957c5323aab9bf19
-
SHA1
c1008d70530f9b443d3fd3bf777d55c7bcbb34cf
-
SHA256
aaeda31514ca109b3a85002648761d73f97e281fcc8171ef5300c68950658507
-
SHA512
991c2d17b495f01d2678340f7709f35d8baa13aac185b489ec74a72cc9d442b9e801dc90605d8da482b2933b1fe1efdf2b251ae04f6e03d4e0d9ba1ce7a4c2c9
-
SSDEEP
1536:wRWtHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtRP9/o1xc:wRWtHa3Ln7N041QqhgRP9/j
Malware Config
Signatures
-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation 959c2d37a1e94337957c5323aab9bf19.exe -
Executes dropped EXE 1 IoCs
pid Process 5604 tmp70BB.tmp.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" tmp70BB.tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 959c2d37a1e94337957c5323aab9bf19.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp70BB.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1852 959c2d37a1e94337957c5323aab9bf19.exe Token: SeDebugPrivilege 5604 tmp70BB.tmp.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1852 wrote to memory of 3620 1852 959c2d37a1e94337957c5323aab9bf19.exe 90 PID 1852 wrote to memory of 3620 1852 959c2d37a1e94337957c5323aab9bf19.exe 90 PID 1852 wrote to memory of 3620 1852 959c2d37a1e94337957c5323aab9bf19.exe 90 PID 3620 wrote to memory of 3196 3620 vbc.exe 92 PID 3620 wrote to memory of 3196 3620 vbc.exe 92 PID 3620 wrote to memory of 3196 3620 vbc.exe 92 PID 1852 wrote to memory of 5604 1852 959c2d37a1e94337957c5323aab9bf19.exe 93 PID 1852 wrote to memory of 5604 1852 959c2d37a1e94337957c5323aab9bf19.exe 93 PID 1852 wrote to memory of 5604 1852 959c2d37a1e94337957c5323aab9bf19.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\959c2d37a1e94337957c5323aab9bf19.exe"C:\Users\Admin\AppData\Local\Temp\959c2d37a1e94337957c5323aab9bf19.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dwd49cbz.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7186.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97C05A14AEF8471880E4F4422AC99723.TMP"3⤵
- System Location Discovery: System Language Discovery
PID:3196
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmp70BB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp70BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\959c2d37a1e94337957c5323aab9bf19.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5604
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD592b64022a7c9e7d855fe9b7f5ac85634
SHA1dfb477b0e328668ffe4d25b6ffa9771e4f098cb5
SHA256c0381433eb464e2d763a69fd3ae5a7208be0f77c62f51bbca61e95ec2051e231
SHA512f3828b204dd152098ff8fc711060ad957b51d6351597836bfe37cab718d460ecf1bc3aae3b7c503456d0748466dc32fe456196806e231b9088377b9fc45d0dcc
-
Filesize
15KB
MD525a34ce585d8b6fcfb26d4f2bbad7502
SHA14c959d0c8ea742a1bce6a75c3279b54eb4dc6508
SHA2562805c61e1a8108ac9e058bad4bc66a4eff56a53665f3f1054aeb0bcd46af7f99
SHA512a2553a48fdcde7ae232bcf0402f0abc46ee4ec68f76f1f81f3566638c310addb4e13ea6f2ee3be4c9b8aa4aeeb8d1456ffd2909c3ec5415796050c16734a6aba
-
Filesize
266B
MD520ac619ce2afc6034ad6e0fdf0cfed83
SHA15c4b5967ae7313e9c8a54ab75aabd1f5ba400d03
SHA25675148c24afcfefe4a5d12ab9034152e1e487927f81d81919e085841275cb658f
SHA5128ad7ab437dd58114d0fbde62423f6f5b0843a4db19e97d4cabf209d2f8dcdd86fb86c346750a1a27234c6c3547d191b9739e00e22a204e7fe47937a979069993
-
Filesize
78KB
MD56d4671ea93ab0bad32d1b763d72d43c0
SHA19f09719626799ebfdb381f5bfe1850574153f781
SHA2562b09e5208b81b9b5dee68dd201b4a6c72902a3e84d81853960c918ad91e58eb2
SHA512aefa5fd13f82ed022a50782d61b1de3b9e0a209b580bb9071faa58df82d981a2fd1112a4016bb2e9a2cb8dcf884c46b60fa89bb6bc7da1cb8db8ed21eab3915f
-
Filesize
660B
MD5f7d7313c295ab95a4810947447ee5126
SHA1effe9116b5136d2d9535e2e1b4beabf4872b7cd1
SHA2562c5c428114d2e61dde9f2419b052baecdc6fe70c98e739037063f3e29457a189
SHA51248ef262ef1bd740fe3d6b859b6955ea03efd8dfaf67a901878952cab1fe098ea54ca71ed6eff82d370b37d927a929487f1f7e50cb4925ccfc1ed74888c3a8ad9
-
Filesize
62KB
MD5aa4bdac8c4e0538ec2bb4b7574c94192
SHA1ef76d834232b67b27ebd75708922adea97aeacce
SHA256d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA5120ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65