Overview
overview
10Static
static
1094975fe621...cd.exe
windows7-x64
1094975fe621...cd.exe
windows10-2004-x64
1094c020786b...1d.exe
windows7-x64
1094c020786b...1d.exe
windows10-2004-x64
1094c7c87a82...20.exe
windows7-x64
194c7c87a82...20.exe
windows10-2004-x64
194dd618932...a1.exe
windows7-x64
394dd618932...a1.exe
windows10-2004-x64
394e2ada20e...f6.exe
windows7-x64
1094e2ada20e...f6.exe
windows10-2004-x64
7952e0a7f82...33.exe
windows7-x64
7952e0a7f82...33.exe
windows10-2004-x64
7953e99960b...40.exe
windows7-x64
10953e99960b...40.exe
windows10-2004-x64
109576cc7c1d...3f.exe
windows7-x64
109576cc7c1d...3f.exe
windows10-2004-x64
10959c2d37a1...19.exe
windows7-x64
10959c2d37a1...19.exe
windows10-2004-x64
1095cc71e95c...eb.exe
windows7-x64
1095cc71e95c...eb.exe
windows10-2004-x64
1095fc2287fc...2c.exe
windows7-x64
1095fc2287fc...2c.exe
windows10-2004-x64
10960c033d30...04.exe
windows7-x64
1960c033d30...04.exe
windows10-2004-x64
196591b5749...ff.exe
windows7-x64
196591b5749...ff.exe
windows10-2004-x64
19695505ced...e7.exe
windows7-x64
19695505ced...e7.exe
windows10-2004-x64
196959cb142...76.exe
windows7-x64
1096959cb142...76.exe
windows10-2004-x64
1096985d97b0...da.exe
windows7-x64
1096985d97b0...da.exe
windows10-2004-x64
10Analysis
-
max time kernel
139s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:14
Behavioral task
behavioral1
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral29
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win10v2004-20250314-en
General
-
Target
96959cb1423fd801a2e3d718868a3776.exe
-
Size
78KB
-
MD5
96959cb1423fd801a2e3d718868a3776
-
SHA1
65d1736c9b979158bbfd4c1674f91fb034506eef
-
SHA256
1905c3deaf30debadbb9311cd746db562d2c92f17ff356b6a66d9e448fc7ce6e
-
SHA512
1ff6b163e10a01f18d28d5be955665324e63606ed380b15ca66943b1547f366f7713b291ceb48a42b02d7912b1f3ee3a1077f0d0ebec28eedd0579627609df28
-
SSDEEP
1536:vsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtD9/213n:vsHY53Ln7N041QqhgD9/Y
Malware Config
Signatures
-
MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
-
Metamorpherrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation 96959cb1423fd801a2e3d718868a3776.exe -
Deletes itself 1 IoCs
pid Process 3128 tmp926C.tmp.exe -
Executes dropped EXE 1 IoCs
pid Process 3128 tmp926C.tmp.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" tmp926C.tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 96959cb1423fd801a2e3d718868a3776.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp926C.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 6008 96959cb1423fd801a2e3d718868a3776.exe Token: SeDebugPrivilege 3128 tmp926C.tmp.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 6008 wrote to memory of 3556 6008 96959cb1423fd801a2e3d718868a3776.exe 86 PID 6008 wrote to memory of 3556 6008 96959cb1423fd801a2e3d718868a3776.exe 86 PID 6008 wrote to memory of 3556 6008 96959cb1423fd801a2e3d718868a3776.exe 86 PID 3556 wrote to memory of 5132 3556 vbc.exe 89 PID 3556 wrote to memory of 5132 3556 vbc.exe 89 PID 3556 wrote to memory of 5132 3556 vbc.exe 89 PID 6008 wrote to memory of 3128 6008 96959cb1423fd801a2e3d718868a3776.exe 91 PID 6008 wrote to memory of 3128 6008 96959cb1423fd801a2e3d718868a3776.exe 91 PID 6008 wrote to memory of 3128 6008 96959cb1423fd801a2e3d718868a3776.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\96959cb1423fd801a2e3d718868a3776.exe"C:\Users\Admin\AppData\Local\Temp\96959cb1423fd801a2e3d718868a3776.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6008 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\elyc70bi.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9357.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5ECE8E4D2034D03A09B67E2A8BC28B4.TMP"3⤵
- System Location Discovery: System Language Discovery
PID:5132
-
-
-
C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96959cb1423fd801a2e3d718868a3776.exe2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f47d7bbb40f98fda16bdeb6f5454e31f
SHA1e46e50cfedd47263d52ca45be504c432348e5555
SHA25669f531e3bb727c2ed176b14a7b20f6053116db8202eb08d7f311281b01fa2982
SHA512e5987e90fb0935d5ec839e59578aef8ad4be957522e9b15438b40e53a70974011376d5f0e9ffd8143c98858cdda86aec4c4273eca0fa18186bdf61477cebe2cc
-
Filesize
15KB
MD53389331d2b13d936527a3e98c126566b
SHA1f7e83486df23caaf11d60620fc0616bd0e8583d0
SHA2563e0fb46e5e188bede630a92ccfd9e02391f4e57c803154edefff5ee9866fc1dc
SHA512fd0e398aa61e24920c678f721a08055e56c54179d89ca7ff9afc82880a94bd18fcf293ff71ffbb109c83d9ef1171fedf478f095b388c358893390045089dcd8b
-
Filesize
266B
MD5af414a4c79b9856e96e078ba27bdfc2a
SHA1e849227a8e9b1e8d65537630bb84b8f4b7627c2b
SHA2561d1085a114d012e759b90d83d2a3db955fa777026af35fb0aa31cf8fcf7f9ff9
SHA5123a37559230406e0f03eee1776db0ae4e02af61d5f4eca3c5efdc8b4454f294bd2d34bbba502355ed3176fd94afd6bca8b13f543ec856b338be9964f9b8f447d9
-
Filesize
78KB
MD5b21fe70c7b4f34c70ac196e0fadbec74
SHA1a6d07bcb1d0f8567a2c2b6a630b616b7e9cd47ba
SHA256911aad8db36a10739461b1922b4c49996797c4b3b3c5c698d345795380577a88
SHA512ce81676e9691b6579ecffc43455767f4769e237e663b40971ff430a99bb45ca06711d77a954549ac1c28e279ba0f13b794c15d381352c141f243be032134cb44
-
Filesize
660B
MD5d0aeae7d0905adf07d57d68290108405
SHA154813bc885c050dfc0e54f57754eeb7ce1f33c12
SHA25632d2d82c80bf4e940a6bcc793e4ecdcae1702fafe6e0d57657fe18e1c7135005
SHA512dc4eabf357162ddb825199c2e0ef3ea7f75ba115319bcc35cbbd819693be79867e676c9385ccf6e8dcbe5d937970d2fb1792f682f658e84425cdb7f2478585fd
-
Filesize
62KB
MD5aa4bdac8c4e0538ec2bb4b7574c94192
SHA1ef76d834232b67b27ebd75708922adea97aeacce
SHA256d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA5120ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65