Analysis
max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
08-04-2024 02:41
Static task
static1
Behavioral task
behavioral1
Sample
ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Resource
win10v2004-20231215-en
General
Target
ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Size
78KB
MD5
d08ed2cff94b42f8b2566188416e4a9e
SHA1
a7e15b6bfa3924b4b9ce5f5a3659bcddf87bb17e
SHA256
ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112
SHA512
48f8c248c805a1e1eb81d566d728bef196caace675a9ff140814bd1e6c6cb284ea0ed953860e1fd4c01387431215eb853f85fad4479b0d1526bcddf6317e8715
SSDEEP
1536:We5kdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6at9/H1en:We5Tn7N041Qqhg+9/G
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Executes dropped EXE 1 IoCs
Processes:
pid process
2648 tmp7FDA.tmp.exe
Loads dropped DLL 2 IoCs
Processes:
pid process
2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" tmp7FDA.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
Token: SeDebugPrivilege 2648 tmp7FDA.tmp.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description pid process target process
PID 2696 wrote to memory of 1064 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe vbc.exe
PID 2696 wrote to memory of 1064 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe vbc.exe
PID 2696 wrote to memory of 1064 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe vbc.exe
PID 2696 wrote to memory of 1064 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe vbc.exe
PID 1064 wrote to memory of 2916 1064 vbc.exe cvtres.exe
PID 1064 wrote to memory of 2916 1064 vbc.exe cvtres.exe
PID 1064 wrote to memory of 2916 1064 vbc.exe cvtres.exe
PID 1064 wrote to memory of 2916 1064 vbc.exe cvtres.exe
PID 2696 wrote to memory of 2648 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe tmp7FDA.tmp.exe
PID 2696 wrote to memory of 2648 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe tmp7FDA.tmp.exe
PID 2696 wrote to memory of 2648 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe tmp7FDA.tmp.exe
PID 2696 wrote to memory of 2648 2696 ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe tmp7FDA.tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
   "C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID:2696
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fuepdtov.cmdline"
      - Suspicious use of WriteProcessMemory
      PID:1064
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81CD.tmp"
         PID:2916
   2. C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7FDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ed83c97821a9f23a27ce6c4f96b26c15733101ff71598e50df319a10ad4b3112.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      PID:2648
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
717d0a30ccdbba5d3df8a1df2e21914d
SHA1
cbb3760c47177e9750305aae9404f59401cc566d
SHA256
bf9fa2d008293b203ac1aba8245ffbf07e8814dab22ade351750e4bc044c9a52
SHA512
a42792f01ad282a29eb0d83630cba37d6e40f26a76ff3ed180af3ff62b0e66c4664f7e914a3441e3daef6d422dfb6b92f0a9e5bf306853c6cf924c0f9d080f41

Filesize
14KB
MD5
79b5b6d672154e1450b4db60a4672184
SHA1
f8aa8c4e8bf66a606209e3f3e5ab49d8b71006c8
SHA256
0304b8ebaa092a4c3b27d3d2be722a0303a3c9cd47caad5610d8e68263c7e366
SHA512
ae584778cd07980f138ced540aefee88ddd34da51f4a82960e670f18a824b143a1500cca10770ff4b6a2f26a9a404023e80fe6b0dcd15e255794b99e08af443f

Filesize
266B
MD5
32a2677dfdf86ecc840975601779e766
SHA1
c0ba7c4adbdadb98dd8c70b1fdba4c1f56ae469f
SHA256
e1c26f9852826a185d43e94e5d0546d0fa430e9dc00f65bde7f828cc62fbf4a6
SHA512
9e147e1d81b54c44892951f72a5d994ecb4bbf0ce4a559574cab6a90459a5bf8581f3e0dcc7c3041fa4f6d6fc449593a6e5089eb0c6949798b7992a783eb386c

Filesize
78KB
MD5
b6d31ff51431e4bfcc4177ce86b604d2
SHA1
35808580a822fbfeda24aea22b96ac9c70e65076
SHA256
1d1450fb6db1486162aaa4ff90c54f494faefa6004a43eb0493253b39db8435c
SHA512
cdbade17d3d825100bf2df816c500c12a38ea1cb02d6afe698a1c3eee4baa68d74774fa02b76199239b53acd2057a7516b365357ecd7866c87f84abb63b261be

Filesize
660B
MD5
52f1bb85fb9a39b519bb8ec2ffd67f3a
SHA1
32fbe5535619376a2829ad068bbdee1202578130
SHA256
dc7c5f2aa79f38d2729ed58a52cbe71a0ad6948cc0232a495f59484607ff9423
SHA512
54fd7c4f170e08812204d15a85778b25784ca24d064fcea0685b99fe46c76bffd42a07c65b6f68631d0595af36c1231c1105832482715bcff8340a34944a87e9

Filesize
62KB
MD5
aa4bdac8c4e0538ec2bb4b7574c94192
SHA1
ef76d834232b67b27ebd75708922adea97aeacce
SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65