Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
08-04-2024 23:29
Static task
static1
Behavioral task
behavioral1
Sample
86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
Resource
win10v2004-20240226-en
General
-
Target
86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
-
Size
78KB
-
MD5
180829ee3a299f96c653d968e820a5a7
-
SHA1
2608b66111143b1d64d80f8500d97071c427e875
-
SHA256
86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310
-
SHA512
b7fe46eb13695c610913a3d29134cca0737ac83fab3bd3cdd70b0f68270854e3fe8347dd45bd6307c2106ece66da4eee95360f9e130a3bfbc882101f021f8a7d
-
SSDEEP
1536:s5jS9dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6J9/21kk:s5jSon7N041Qqhgx9/W
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2556  tmp167D.tmp.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
2416  86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
2416  86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
-
Uses the VBS compiler for execution 1 TTPs
In this run the sample launches vbc.exe (the .NET Framework v2.0 Visual Basic compiler) with a temporary .cmdline response file, and vbc.exe in turn runs cvtres.exe; both are legitimate Framework binaries being driven to compile code at runtime, so a compiler process under a non-developer parent is the thing to alert on.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
process: tmp167D.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2416  86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
Token: SeDebugPrivilege  2556  tmp167D.tmp.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process                                                                target process
PID 2416 wrote to memory of 2204  2416  86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe  vbc.exe (4 IoCs)
PID 2204 wrote to memory of 2544  2204  vbc.exe                                                                cvtres.exe (4 IoCs)
PID 2416 wrote to memory of 2556  2416  86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe  tmp167D.tmp.exe (4 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
  "C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wm30nljz.cmdline"
      - Suspicious use of WriteProcessMemory
      PID:2204
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp"
          PID:2544
    C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      PID:2556
-
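The process tree and the "Uses the VBS compiler for execution" and "Adds Run key to start application" signatures above describe two behaviours that are easy to turn into host-side detections: a .NET compiler driven through a response file by a parent that is not a build tool (with cvtres.exe underneath it), and a Run-key value whose target sits in a user-writable directory. The following Python script is an added example, not part of this sandbox report or of any vendor's detection content. Its event records are constructed from the process tree and registry IoC shown above (field names, the build-tool allowlist and the user-writable path pattern are this example's assumptions, to be tuned per environment), so it runs offline and reproduces the three findings the report lists.

```python
import ntpath
import re

# Constructed process-creation events modelled on the report's process tree.
# They are not the sandbox's own records; the field names are this example's.
PROC_EVENTS = [
    {"pid": 2416, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe"'},
    {"pid": 2204, "ppid": 2416,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wm30nljz.cmdline"'},
    {"pid": 2544, "ppid": 2204,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1759.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1758.tmp"'},
    {"pid": 2556, "ppid": 2416,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp167D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ddb40ec7f06f3c274e2a230173aaf0c395add59724b65a29b584127ce1c310.exe'},
]

# Constructed registry-set event modelled on the report's Run-key IoC
# (the quoted path is given unescaped here, as it is stored in the registry).
REG_EVENTS = [
    {"pid": 2556,
     "key": r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "System.XML",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"'},
]

# .NET Framework command-line compilers; cvtres.exe is the resource converter they spawn.
COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}
# Parents for which a compiler launch is expected. Assumed allowlist: tune it per estate.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Directories an unprivileged user can write to (assumed pattern; extend as needed).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)", re.I)


def _basename(path):
    return ntpath.basename(path.strip('"')).lower()


def in_user_writable_dir(path):
    """True when the path lies in a Temp/AppData/ProgramData/Public-style location."""
    return USER_WRITABLE.match(path.strip().strip('"')) is not None


def find_runtime_compilation(events):
    """Flag compilers driven via a @response file by a parent that is not a build tool,
    then the cvtres.exe children of those compilers (the vbc.exe -> cvtres.exe chain above).
    Returns [(pid, reason)] in event order."""
    by_pid = {e["pid"]: e for e in events}
    flagged, hits = set(), []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pname = _basename(parent["image"]) if parent else ""
        name = _basename(e["image"])
        if name in COMPILERS and "@" in e["cmdline"] and pname not in DEV_PARENTS:
            flagged.add(e["pid"])
            hits.append((e["pid"], f"{pname or '<unknown>'} -> {name} with response file"))
        elif name == "cvtres.exe" and e["ppid"] in flagged:
            hits.append((e["pid"], f"{pname} -> cvtres.exe (resource conversion for a runtime-built binary)"))
    return hits


def find_suspicious_run_keys(reg_events):
    """Flag Run/RunOnce values whose target executable lives in a user-writable directory.
    Returns [(pid, value_name, target_path)]."""
    hits = []
    for r in reg_events:
        if re.search(r"\\currentversion\\run(once)?$", r["key"], re.I) is None:
            continue
        target = r["data"].strip().strip('"')
        if in_user_writable_dir(target):
            hits.append((r["pid"], r["value"], target))
    return hits


def find_dropped_exe_execution(events):
    """Flag processes whose image and parent image both run from user-writable directories,
    which is what 'Executes dropped EXE' looks like in process telemetry. Returns [pid]."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and in_user_writable_dir(e["image"]) and in_user_writable_dir(parent["image"]):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    for pid, why in find_runtime_compilation(PROC_EVENTS):
        print(f"[compile-at-runtime] pid {pid}: {why}")
    for pid, name, target in find_suspicious_run_keys(REG_EVENTS):
        print(f"[run-key persistence] pid {pid}: {name} -> {target}")
    for pid in find_dropped_exe_execution(PROC_EVENTS):
        print(f"[dropped-exe] pid {pid}")
```

Against the constructed events the script flags PID 2204 (vbc.exe under the sample) and PID 2544 (cvtres.exe under that vbc.exe), the System.XML Run value pointing into the user's Temp directory, and PID 2556 as an executable launched from Temp by a parent that also runs from Temp. The cvtres.exe rule deliberately fires only when its parent compiler was already flagged, so ordinary MSBuild or Visual Studio builds do not trip it.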
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 5d1545a2c62b5a5da368536ba7af2ec7
SHA1 348feea04d4d4a2434ed57b69556fab6bd53ee0a
SHA256 e3a377b2a26ede7f8105309a80b314d123f47731c7bfcb397538904ffe698e11
SHA512 10bace610c613e0ba71d8531972a1e320a6c26798efbf96e0ecf7fbd53172cefcb685ff81c59e2cbc34ec25b7f32e6c7364048634043993bd4875fef0ce08ea4
-
Filesize 78KB
MD5 620bc88976324a4797749d0c514719ca
SHA1 7742437f4f46fe099d6c88d8357be327e965411a
SHA256 3679fd60c4cbcd98ec52fea56668295019091d922086554df57c7cd3eb5cdeb1
SHA512 e07dbaab2d164da1cee95980188ad1db61774df6080736e16cf6045c9482532ee8fdd86688d986e2d9286d0c0117b4759b815188c7bdbebb8fdfb133d9d0c5b1
-
Filesize 660B
MD5 5450dafdd83262b5aa7463021e209498
SHA1 d52fe4e1db8dd050356c6a2a7ce4dda39dd60b7c
SHA256 2846e8a62a4494c63a50fa475a0d92c0665b8a832f9c3f1ac0cd7bfa42a5aae8
SHA512 cff88ab69a113e2775bc084c0942c47807d1781a2da0cbd4ff08e9d8c29a4c2c71aef7a709daf88f209a8bb88858936216c30145e60c9672f179a4f3068831c0
-
Filesize 14KB
MD5 e19ecf2aa032a20a207189e2ca5d4a8f
SHA1 a55b2ffb1da69421594ef08d73d8628686f7f485
SHA256 6b4d29f60ce521b3162f9200e8a496ea7c532a9362526e2c449364c804eb41e5
SHA512 6318608daa8ecb776f00659ece9e23cc77f51d6698955f1afa6472fc82465d17cceadf3932aa45717b27752142d1e7de74ad83a5a00e0a65f46c3f049c9bda43
-
Filesize 266B
MD5 99a622662b1cfe8c1002479375971d71
SHA1 d9a3ecc4e364fadc0d3d3aea57d5276458332082
SHA256 c738a6686846b8c627d66d8e32caea192b5fec7fa7899fd1cd850b3f43b07def
SHA512 417fd7e2f1fd7251d000e2844a44c557ca3c59331aba2d47ebe4edc2d77ca3c9e881aa631bcd15587700d9ac84b4c05a4e8a65c2ea9a2b340ac9efbed97da8e3
-
Filesize 62KB
MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65