Analysis
max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted
08-04-2024 23:42
Static task
static1
Behavioral task
behavioral1
Sample
8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Resource
win10v2004-20240226-en
General
Target
8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Size
78KB
MD5
eeec22974d525daca3a813ba47125c54
SHA1
a33269698deb6854a26c1caea8c285234083493a
SHA256
8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2
SHA512
83f07410fa952aeffd0b982564cf7e3235fd2641eb4474879c344df9a43794e560bab99147918d515b202cfbf1bcefc748bacadb9fd922624facf203aa1bb838
SSDEEP
1536:Xe58/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96O9/b1jR:Xe58en7N041Qqhgd9/T
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Executes dropped EXE (1 IoC)
Processes:
pid   process
2664  tmp1065.tmp.exe

Loads dropped DLL (2 IoCs)
Processes:
pid   process
3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description      ioc                                                                                                                                                                                                                           process
Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmp1065.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description               pid   process
Token: SeDebugPrivilege   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
Token: SeDebugPrivilege   2664  tmp1065.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                        pid   process                                                                target process
PID 3000 wrote to memory of 2128   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  vbc.exe
PID 3000 wrote to memory of 2128   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  vbc.exe
PID 3000 wrote to memory of 2128   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  vbc.exe
PID 3000 wrote to memory of 2128   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  vbc.exe
PID 2128 wrote to memory of 2088   2128  vbc.exe                                                                cvtres.exe
PID 2128 wrote to memory of 2088   2128  vbc.exe                                                                cvtres.exe
PID 2128 wrote to memory of 2088   2128  vbc.exe                                                                cvtres.exe
PID 2128 wrote to memory of 2088   2128  vbc.exe                                                                cvtres.exe
PID 3000 wrote to memory of 2664   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  tmp1065.tmp.exe
PID 3000 wrote to memory of 2664   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  tmp1065.tmp.exe
PID 3000 wrote to memory of 2664   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  tmp1065.tmp.exe
PID 3000 wrote to memory of 2664   3000  8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe  tmp1065.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
  "C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uozzhbfw.cmdline"
    - Suspicious use of WriteProcessMemory
    PID:2128

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1121.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1120.tmp"
      PID:2088

  C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp1065.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8aed245603460349cb8eccf3687363f924e9c3dedf35472cb4ac8373a1cb9fa2.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
94dddfd0c0e280234f98efa0e911d5b1
SHA1
2e3056260610aa255306af39692924ab5f9f6ab2
SHA256
53793a05f5a4f630fce78872de0e41e8df2a3f7b5adaebbce0d367252df071e0
SHA512
a3e1f1b0ba4757f2d5444bdd0ae41a3675151c6f4afc5a7d04dd0fcc88e1c5588789eb675d18d5ac88456b4fe90cec59238c9fe21fc703789cb34f52d1d5c04c

Filesize
78KB
MD5
51fe6562a574b602020d2bed5bc3465b
SHA1
e578a53a4c027833417b7f240843e9dff541ee93
SHA256
087c7fca2d37ca08f53f128fc6c73970f0471e70e37819c40f03a258c0c1053a
SHA512
89c1eaef87504a5bc0e5edaa91202b6669ae83bf19015f06d602746146344f1a42f6347d2d35b38ed8ea4fe64be68db174485ce5454bd4e80bf52c7f64be6afc

Filesize
14KB
MD5
ef4f7eb172f75b02e9f90a0d94e974a9
SHA1
5481721f023b530bc9c65501e259de545af64f82
SHA256
d26f47ed81dbed6b6d6a2c8c35f233f0f9829003198550ea79e50aa47ab73a88
SHA512
f8d18dd5b57a61ea3affef4bcc046c755a5dc0112bf17227c94e2b506ecfcc7debcb7b6291c43ea0b0002ba5339251668874cfe44975b42a66693ba1a19dd4b3

Filesize
266B
MD5
15b8e71703e95626082487d988274026
SHA1
c9cff33e89d631dd757a3c6c4f58642f09d0ea35
SHA256
be0b89c1405eda823b8d8550ec0a0cfcc358ab83133a2d1d29366467ff56f423
SHA512
1b7ce15c112f5ae0d0fb0b1dded1fe4486ed32801d3be3a3393d3a9d0dcd16a348a17ec609e6b9f0f53d4bb3b49eb5e4541d24957ea225177f47006bda3adc6a

Filesize
660B
MD5
988c624cd3d21df4c9953b687d0104d8
SHA1
672e1728eea204899c269795d46f776a95af9f09
SHA256
91d408a8eacfd25a8c61fc07f6cd1a065b53b467feac69dc45376f285061b0c2
SHA512
2e19b76d17e8ddc4915d985a137f904ba7c4185c5d2477ff83a3801c271cef30749bc45fff6e86257967dd34ce57bc2a6a2a763ed9c5ab0a0a14955489c078fa

Filesize
62KB
MD5
aa4bdac8c4e0538ec2bb4b7574c94192
SHA1
ef76d834232b67b27ebd75708922adea97aeacce
SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65