Analysis
Max time kernel: 149s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
Submitted: 08-04-2024 19:44
Static task: static1
Behavioral task: behavioral1
  Sample: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Resource: win10v2004-20240319-en
General
Target: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
Size: 78KB
MD5: 7610fdebc9263ef8a369d1602b36d2f9
SHA1: 6a989b25e91bc1b80c6a4ca435aca9ba886c18a1
SHA256: 2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba
SHA512: 6aff82bce3277181101913f5c6c8b52d7b446c3a583f041466c7049d4119df2df13ad3c5ed14c1917a7f0821ea8ce88dfbcef79db4edf8ffda78efce45227c60
SSDEEP: 1536:6y5j5dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6G9/gV14l:6y5jkn7N041Qqhg+9/H
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2680  tmp9DF4.tmp.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmp9DF4.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
  Token: SeDebugPrivilege   2680  tmp9DF4.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 1580 wrote to memory of 2480  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  vbc.exe
  PID 1580 wrote to memory of 2480  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  vbc.exe
  PID 1580 wrote to memory of 2480  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  vbc.exe
  PID 1580 wrote to memory of 2480  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  vbc.exe
  PID 2480 wrote to memory of 2868  2480  vbc.exe                                                                 cvtres.exe
  PID 2480 wrote to memory of 2868  2480  vbc.exe                                                                 cvtres.exe
  PID 2480 wrote to memory of 2868  2480  vbc.exe                                                                 cvtres.exe
  PID 2480 wrote to memory of 2868  2480  vbc.exe                                                                 cvtres.exe
  PID 1580 wrote to memory of 2680  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  tmp9DF4.tmp.exe
  PID 1580 wrote to memory of 2680  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  tmp9DF4.tmp.exe
  PID 1580 wrote to memory of 2680  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  tmp9DF4.tmp.exe
  PID 1580 wrote to memory of 2680  1580  2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe  tmp9DF4.tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe"
   PID: 1580
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jc4u20th.cmdline"
      PID: 2480
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA111.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA100.tmp"
         PID: 2868
   2. C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9DF4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2bde7491c0540ca8499ae986fcc082d7d938bb0dd8ccfb4eabf859c90ba35dba.exe
      PID: 2680
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads