Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
08-04-2024 03:12
Static task
static1
Behavioral task
behavioral1
Sample
fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
Resource
win10v2004-20240226-en
General
-
Target
fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
-
Size
78KB
-
MD5
da6ed2a31a3ebd8b179a3babdfd7f227
-
SHA1
bd9afa1afe1977a9712d2fc8cea9a9394017e56a
-
SHA256
fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db
-
SHA512
41442c7e9baa57eb14d23a89438f6397b730fb7176c4e1be768ea254a49066178aa222acf69d0901dbecc10410d412479e4cf4a2d3469893614a3d3d16a0e52e
-
SSDEEP
1536:AV5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6T9/z1FW:AV5j9n7N041QqhgL9/2
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access tool (RAT) that has been in circulation since 2013.
-
Deletes itself 1 IoCs
Processes:
PID 2636 tmp91D4.tmp.exe
-
Executes dropped EXE 1 IoCs
Processes:
PID 2636 tmp91D4.tmp.exe
-
Loads dropped DLL 2 IoCs
Processes:
PID 856 fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe (2 events)
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp91D4.tmp.exe (PID 2636): Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, PID 856 fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
Token: SeDebugPrivilege, PID 2636 tmp91D4.tmp.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 856 fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe wrote to memory of PID 2508 vbc.exe (4 events)
PID 2508 vbc.exe wrote to memory of PID 2912 cvtres.exe (4 events)
PID 856 fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe wrote to memory of PID 2636 tmp91D4.tmp.exe (4 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"
  PID: 856
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2fo__eb7.cmdline"
      PID: 2508
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9454.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9453.tmp"
          PID: 2912
    C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp91D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe
      PID: 2636
      - Deletes itself
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
-
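The process tree and the Run-key IoC above form one recognisable chain: the sample drives vbc.exe (the .NET Visual Basic compiler) with a response file in the user's Temp directory, cvtres.exe links the resources, a freshly written tmp*.tmp.exe is started with the original sample path as its argument, and that child sets an HKCU Run value that points back into Temp. The following is an added hunting example, not part of this report and not the sandbox vendor's code: it walks constructed Sysmon-style process-creation (EID 1) and registry-set (EID 13) records modelled on the tree above and links the three steps through the parent PID. The record field names, the benign control event, and the parent PIDs 400 and 4900 are assumptions.

```python
"""Link compiler-in-Temp, dropped tmp*.tmp.exe and Run-key persistence by
parent PID over Sysmon-style events.  Added example; EVENTS is constructed
from this report's process tree, not real telemetry."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fc5b0140c6a6bc9812c70f3a15b1d54867c12472590e398418e1d9731645c7db.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed records. "id" mirrors Sysmon event IDs (1 = process create,
# 13 = registry value set).  Parent PIDs 400 and 4900 are invented.
EVENTS = [
    {"id": 1, "pid": 856, "ppid": 400, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"id": 1, "pid": 2508, "ppid": 856, "image": NET20 + r"\vbc.exe",
     "cmdline": f'"{NET20}\\vbc.exe" /noconfig @"{TMP}\\2fo__eb7.cmdline"'},
    {"id": 1, "pid": 2912, "ppid": 2508, "image": NET20 + r"\cvtres.exe",
     "cmdline": f'{NET20}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TMP}\\RES9454.tmp" "{TMP}\\vbc9453.tmp"'},
    {"id": 1, "pid": 2636, "ppid": 856, "image": TMP + r"\tmp91D4.tmp.exe",
     "cmdline": f'"{TMP}\\tmp91D4.tmp.exe" {SAMPLE}'},
    {"id": 13, "pid": 2636, "image": TMP + r"\tmp91D4.tmp.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
     "details": f'"{TMP}\\AppLaunch.exe"'},
    # Benign control (constructed): a project build uses the same
    # "/noconfig @response-file" shape, but from an obj directory, not Temp.
    {"id": 1, "pid": 5000, "ppid": 4900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\src\App\obj\Debug\App.vbproj.cmdline"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DOTNET_COMPILER = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(vbc|csc)\.exe$", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DROPPED_TMP_EXE = re.compile(r"\\tmp[0-9A-F]+\.tmp\.exe$", re.I)


def compiler_from_temp(events):
    """PIDs of vbc/csc launches whose .cmdline response file lives under Temp."""
    hits = []
    for e in events:
        if e["id"] != 1 or not DOTNET_COMPILER.search(e["image"]):
            continue
        m = RESPONSE_FILE.search(e["cmdline"])
        if m and TEMP_DIR.search(m.group(1)):
            hits.append(e["pid"])
    return hits


def run_key_to_temp(events):
    """PIDs that set a Run value whose command points into a Temp directory."""
    return [e["pid"] for e in events
            if e["id"] == 13 and RUN_KEY.search(e["target"]) and TEMP_DIR.search(e["details"])]


def build_and_run_chain(events):
    """(parent, compiler, dropped) triples: one parent spawned both a
    Temp-driven compiler and a tmp*.tmp.exe from Temp."""
    children = defaultdict(list)
    for e in events:
        if e["id"] == 1:
            children[e["ppid"]].append(e)
    chains = []
    for ppid, kids in children.items():
        compilers = compiler_from_temp(kids)
        dropped = [k["pid"] for k in kids
                   if TEMP_DIR.search(k["image"]) and DROPPED_TMP_EXE.search(k["image"])]
        chains.extend((ppid, c, d) for c in compilers for d in dropped)
    return chains


def triage(events):
    """Join the chain with persistence: did the dropped child write a Run value?"""
    persisted = set(run_key_to_temp(events))
    return [{"parent": p, "compiler": c, "dropped": d, "persistence": d in persisted}
            for p, c, d in build_and_run_chain(events)]


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

The compiler rule on its own is noisy: Windows PowerShell's Add-Type also spawns csc.exe with a .cmdline response file under %TEMP%, and installers built with CodeDOM do the same. What separates this sample is the join: the same parent also launches a tmp*.tmp.exe sibling from Temp, that sibling deletes the original and writes the Run value, so `triage` only returns a hit when all three pieces share the parent PID.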
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 14KB
MD5 8bab61380e4ab59b1484a59c5a29e874
SHA1 dddaf29217a1ef6ac4f18dbbe98b0abf862a902c
SHA256 5a89bdf0c671bfec7a91e57512f9189064aee1498a1975a95e7e3d0456c10cbd
SHA512 ff2216c0d23c26061742941c742e93cdeebacd0d15dacf1e29427fdf33412512eafc6b6a3c36bbac9550344c55a2994398a7dcfc09d0461252dda8155655641f
-
Filesize 266B
MD5 349e51c1505c6a4bd1dd4196b1988838
SHA1 1381f2c42c9da7dee7c1588940f8b58aa6b69c52
SHA256 5d07d31697e61f061d1aa58750ef1d5434cdce7b9b89ff064174a8a2bc27dc2f
SHA512 058dd6c2374d84255d2a789b765a48b2350ca2e0e3d85913cfac060ef2303e3d4ebf24a771240a95bd92868040d41de2d17e8d5c3124323027976d77913e632b
-
Filesize 1KB
MD5 8b18281ee869d9a2ee30388774a4c1cb
SHA1 431a923842c5033d623acae464bc82c7446c8827
SHA256 1b1765cd97640b153d6e84da099590bf3fa0cfc935fe381c2f62227d17ad926a
SHA512 9d9c3ef9e8aaae5e25614b4518a524ed964d755b203343169824b3b223a21d73ad2e5c535ad17b8fb846edef1a3caa9cde0912a679fe933fa48dc8871cdb90ee
-
Filesize 78KB
MD5 1d9c77d40fdad280a06821cd6d89b336
SHA1 984f0e5968f1da02ff124579b6c5a7b5ece8cbff
SHA256 3cf3bd0021c68396582feceba81cf4cffc35f25842121de871d304d064e66d0a
SHA512 990ef42296e7f56c5e5e1604b17aa2611ec7024dedee05624c5a7bcbbc97408ff8f76cd5310bf81885f92e4f5300cd7dc615cbeeeee7c5c115380caeb2978675
-
Filesize 660B
MD5 4a4246ee5538f052ca962eb851d78622
SHA1 148f26367ac2930535b0d8b9df51040a53b37a68
SHA256 f2ed1edf2352c0a88f887cf0e8be8ebc08842907d31c51577fc9fa39cb097643
SHA512 7f37a6368884000041142c5d423cd7bd35cce969ff579dc8fd61f7331ecd2a8a191b4155b1952aed51736eda5a85452dff1e64a3bf94099b77d1bdbe24583efb
-
Filesize 62KB
MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65