Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 23:44
Static task: static1
Behavioral task: behavioral1
  Sample: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  Resource: win10v2004-20240226-en
General
Target: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
Size: 78KB
MD5: 3d65702331cd2e0767e4cf1a74e771f7
SHA1: 053b182c01151a3f5ddec67c1ef8693a7be3973e
SHA256: 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87
SHA512: 60621e9157d0baf8260c5ab039ba9f958434b3c33fc2ae1f464599b447d5db34c7221921294aeef162fa392323e189d3c0c4f1b1a1c75d876c8b5427cff9eda3
SSDEEP: 1536:1uHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteP9/p1DB:1uHY53Ln7N041QqhgeP9/h
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
-
Executes dropped EXE (1 IoC)
Processes:
  pid 2788  tmp1880.tmp.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid 1752  8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  pid 1752  8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp1880.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 1752  8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  Token: SeDebugPrivilege  pid 2788  tmp1880.tmp.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description | pid | process | target process):
  PID 1752 wrote to memory of 2860 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | vbc.exe
  PID 1752 wrote to memory of 2860 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | vbc.exe
  PID 1752 wrote to memory of 2860 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | vbc.exe
  PID 1752 wrote to memory of 2860 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | vbc.exe
  PID 2860 wrote to memory of 2132 | 2860 | vbc.exe | cvtres.exe
  PID 2860 wrote to memory of 2132 | 2860 | vbc.exe | cvtres.exe
  PID 2860 wrote to memory of 2132 | 2860 | vbc.exe | cvtres.exe
  PID 2860 wrote to memory of 2132 | 2860 | vbc.exe | cvtres.exe
  PID 1752 wrote to memory of 2788 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | tmp1880.tmp.exe
  PID 1752 wrote to memory of 2788 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | tmp1880.tmp.exe
  PID 1752 wrote to memory of 2788 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | tmp1880.tmp.exe
  PID 1752 wrote to memory of 2788 | 1752 | 8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe | tmp1880.tmp.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe"
  PID: 1752
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4nsaax81.cmdline"
    PID: 2860
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES192D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc192C.tmp"
      PID: 2132
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1880.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8bc1e839208a551fbb94c272746141e70bedd52dfc5e21a1c09641874bdfdd87.exe
    PID: 2788
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 15KB
MD5: 9ebf7d57bc356057f5fdc4c5f01b12d0
SHA1: feba17873ff8b61fd6919db84e89363269a531b6
SHA256: 30fb8243a8456bc3ab6858b35985051110228ccbc13af8b9431ff1d619c4d6bb
SHA512: 8fedaae522c9b0e8447cd99c02a8bd073f03bd19194fdac57a8589de38cdfda150ff0a4b7f903299b7dc3a719e6d53c5868fd85599ae300371d5b5839a7d86be
-
Filesize: 266B
MD5: f68dc88b62dc41b5fa7e24529a7fc61b
SHA1: d9a8e233f02631d25d75d46eb5993db16ee4f17b
SHA256: 1545062924d257a960010a3f07ece352d93821e28b8e163c9b6b57715739d2ea
SHA512: 0af40eb72b7210f69842a9fbbebcb03a4059a599a40d61fa42bb52b3e9b420952b47972a789b0b31ae77fedd6d8eae0e0278c160524bf6741682085ae326efb2
-
Filesize: 1KB
MD5: 64ab1e8030d055c86229a24fa70103bb
SHA1: c85184a631cf660c792a7a050cf60de4853b0fac
SHA256: 954df54413dc62f571dbd7c37f94f2183cf7fcacf0f7cf86875701b5b3a118e2
SHA512: 108abcb0eb989feca6b26e553916c5697bec3dce346187e1f14442e914efa3ceb450ea8c9950fec73dc12e5e5f4a2562879bfa5ad7044c7786907c636a779d41
-
Filesize: 78KB
MD5: b1e271fca54e0ab14687aa0ce04ad276
SHA1: 94c19de64d24498715beefe070d1a6ec26179a74
SHA256: a4720aaeec0f4ce30b70157e54d4f5f119feecb22c66795c8e4a476c357ac242
SHA512: 3b8aeb7a1752d22472da0c219553db50e8d262136482196a07090d5b84c9a579389e7f126d3fa594f6d49bc5d23493f44b48290f31038b1a495d48eb83d896b6
-
Filesize: 660B
MD5: 973a5a9c42dfe1a11b3bd6bd40a4e183
SHA1: 9658624d9c23ae64046c60783dd765a52e17d761
SHA256: d00f37795e0479d67ae2db5fa5b58406aea579ff9ba23ae9560ca4ad2de86515
SHA512: e41a36616f6099a1edf10a8712bf20b41fbbe4139bc7ebc5c1ee0aec28ca37bd83d3b62f40a2a833323fd2702d2e2c88982987b33ad1d240261dd459d0e74928
-
Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65