Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:12
Static task: static1
Behavioral task: behavioral1
  Sample: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
  Resource: win10v2004-20240226-en
General
Target: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
Size: 78KB
MD5: 4d58a1a717b57f8fd1a0e0b08e72d521
SHA1: 3b12b2896e20274e18d71888f0eda019e96872bd
SHA256: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8
SHA512: d46d9fa56d0b1c044d7b12ba79bdb75e035b8fffca97872ca1a7a74041e7cc091e49a571fe8c1f57b547b5f264f573b4fd905411b21598e3815bc907f6d9f261
SSDEEP: 1536:PPy5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96V9/n17mQ:PPy5jSen7N041Qqhga9/J
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoC)
  Process: tmp2230.tmp.exe, PID 2144
- Loads dropped DLL (2 IoCs)
  Process: 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe, PID 2408 (2 DLL loads)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process tmp2230.tmp.exe set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2408, 8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
  Token: SeDebugPrivilege, PID 2144, tmp2230.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2408 (8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe) wrote to memory of PID 2008 (vbc.exe), 4 events
  PID 2008 (vbc.exe) wrote to memory of PID 2616 (cvtres.exe), 4 events
  PID 2408 (8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe) wrote to memory of PID 2144 (tmp2230.tmp.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe (PID 2408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2008)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ev99sy1m.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2616)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22CC.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe (PID 2144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8c5cdae9cb74570d70fde6349a82a1a72484e930edc003db700e1005c18d98d8.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads