Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-04-2024 23:41
Static task: static1
Behavioral task: behavioral1
- Sample: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
- Resource: win10v2004-20240226-en
General
- Target: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
- Size: 78KB
- MD5: 8f304eb7a41b2b025542c43176604c9d
- SHA1: 24ab6349bbfadfaac43607a25803152b3394c187
- SHA256: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63
- SHA512: 1b77ec6d35222fc88335a1821dc8eed7bb22ecc5054376f91c6053a38ac9f513e36088adf16a90ffc66271f0c8204cb5e38c31c3a2759dd1be87cd855a751d1d
- SSDEEP: 1536:4HF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtep9/ju1t9:4HFq3Ln7N041Qqhgep9/E
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoC)
  Process: tmp4DA3.tmp.exe (PID 2628)
- Loads dropped DLL (2 IoCs)
  Process: 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe (PID 2504), two hits
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: tmp4DA3.tmp.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2504, 8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
  Token: SeDebugPrivilege, PID 2628, tmp4DA3.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                              Target PID  Target process   Count
  2504        8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe       1768        vbc.exe          4
  1768        vbc.exe                                                                     2128        cvtres.exe       4
  2504        8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe       2628        tmp4DA3.tmp.exe  4
Processes
- C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe (PID 2504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1768)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\snlrwylj.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2128)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F68.tmp"
  - C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe (PID 2628)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4DA3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8ab0f1b14dae155687b7044c3e8923aa48fa2026b34721c6e2f8775e329e6d63.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads