Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-04-2024 02:00
Static task: static1
Behavioral task: behavioral1
- Sample: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
- Resource: win10v2004-20240226-en
General
- Target: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
- Size: 78KB
- MD5: d5e438d5c28d8817b77f2e3893c5648d
- SHA1: 64bfba0f51eb646da49b40013a02668c5f553ac3
- SHA256: d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e
- SHA512: cb18609831659429a649c92ab3f6b12c8b043cbe08c0c089b20df95fbeb53b7341a59728fd14ce4257cdab4460ad506997416d9d8951ce28d94ec92482b5b179
- SSDEEP: 1536:iPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtQ9/S1mC:iPCHY53Ln7N041QqhgQ9/m
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 2508 tmp3BE8.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 804 d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
  - 804 d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" | tmp3BE8.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 804 | d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
  - Token: SeDebugPrivilege | 2508 | tmp3BE8.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 804 wrote to memory of 2992 | 804 | d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe | vbc.exe (4 entries)
  - PID 2992 wrote to memory of 2996 | 2992 | vbc.exe | cvtres.exe (4 entries)
  - PID 804 wrote to memory of 2508 | 804 | d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe | tmp3BE8.tmp.exe (4 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe"
  PID: 804
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mj1d4ouw.cmdline"
    PID: 2992
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E38.tmp"
      PID: 2996
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d8b3080c6e5c4480da8f690a63498ab2fc6c275ac181b3e8145624864ab1f54e.exe
    PID: 2508
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 8554bd7b09032d6b48ec37d91202c925
  SHA1: 63675c1fe055e9dfb960db9ace6637169a5a2527
  SHA256: 6b75a90615cf9ff51d4b4cdb2ce24967bfef84cc63f7d617d73a458a3f456dc6
  SHA512: 51f4051d5f7fc869af824e71429921eddae77b43474c738861d9a31d1e736b7002223c284ac7fe16037b19f7355eaefde899d023e03fb19d8c5aa8b7712a5c45
- Filesize: 15KB
  MD5: 4548e12a02cc1f752616bdf4a8b8e88b
  SHA1: bed243f51575293e2654ec7729129b51f832d906
  SHA256: 4ceef0f0184b6ce9b4bb07e3294b29f83bfec7eed2dcc80146726bd74b5c95c4
  SHA512: b2e7ce15e3fb4b381c081d68b116deadc072dd2543aefbae70ef1de2f7154c7acd720e093ad5f5725cba0ed47626993ebc04eb4037535d740798ad873bed7bab
- Filesize: 266B
  MD5: c995ffea880ae5effe711bcc31a67526
  SHA1: f31c9c9957a34457a177e4c572b683e4205c7b7a
  SHA256: 5d2c914f5902cda377495a9bc2a8e1ea192f162a5e2e5f311e42165c22d45e16
  SHA512: ab7d90b6615a850de599cde5a2a97cc4a80c98c523f3674f26b46a4a0b9636087214d375c2335f66beace1bd238215d673e14f79ca9e3d04f4ba4fc623b30203
- Filesize: 78KB
  MD5: 1be6f1cd434fa65f852a86340bbe6687
  SHA1: e5d0a45ccaf55d3697ae4dad17b59f38b66ce085
  SHA256: 0f4d3f49e93ad5e9ff1a1e788c86bf8ad5f411680730b96d09df07a299f4df15
  SHA512: 1cbbc69dc6b46c6492e2cd0e4ed226427bb7aebfed194a6631fda4baac9b6fee29b10e078d63d0686c8f1e85be95324f817252327f8e50818c6280927270e550
- Filesize: 660B
  MD5: e4f239da4b0f43dc254b23cb82a34001
  SHA1: 1d121f58e19e72228e4c1ab4149481efce89b5d2
  SHA256: f141b19efefe27dc43a2873232e439f6e020f8233939eaea80738b3415418f81
  SHA512: a43bade9bbdd661191490838c0191039b017d9ac769b289ecfcc088b784751ff41ffa62c89b3c002fdc81cd878d8fc5fd25046320aa05f82b154fad66f79ced3
- Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65