Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 20:08
Static task: static1

Behavioral task: behavioral1
  Sample: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
  Resource: win10v2004-20240226-en
General

Target: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
Size: 78KB
MD5: eb3e591c61216112064bbad14b1a973d
SHA1: 9909f794d98238f42a5fbc56045df9a8dcaacc7c
SHA256: 33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18
SHA512: ad79152d4194537eaa51985679527778bd9e0eea3bea7fb7371e3b5a5c2c5304ac9a61aaab6757db2a95a09512eff15b6f167fea9231809741e0d3a29a64acb4
SSDEEP: 1536:Ay5jldy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6Y9/Rp1yo:Ay5jwn7N041Qqhgg9/B
Malware Config
Signatures

MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Deletes itself (1 IoC)
Processes:
  pid   process
  3040  tmp3295.tmp.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  3040  tmp3295.tmp.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
  2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmp3295.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
  Token: SeDebugPrivilege   3040  tmp3295.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 2008 wrote to memory of 2832   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  vbc.exe
  PID 2008 wrote to memory of 2832   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  vbc.exe
  PID 2008 wrote to memory of 2832   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  vbc.exe
  PID 2008 wrote to memory of 2832   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  vbc.exe
  PID 2832 wrote to memory of 2556   2832  vbc.exe                                                                  cvtres.exe
  PID 2832 wrote to memory of 2556   2832  vbc.exe                                                                  cvtres.exe
  PID 2832 wrote to memory of 2556   2832  vbc.exe                                                                  cvtres.exe
  PID 2832 wrote to memory of 2556   2832  vbc.exe                                                                  cvtres.exe
  PID 2008 wrote to memory of 3040   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  tmp3295.tmp.exe
  PID 2008 wrote to memory of 3040   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  tmp3295.tmp.exe
  PID 2008 wrote to memory of 3040   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  tmp3295.tmp.exe
  PID 2008 wrote to memory of 3040   2008  33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe  tmp3295.tmp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2008

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vojdtnur.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 2832

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3351.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3340.tmp"
      PID: 2556

  C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3295.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33be0e8fd8d27bc2824c4411e0e4705e6da552e929f4f1667ee2c001bd52dd18.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 3040
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: bc1e08e2155a42fc9b2ba081ae63f259
SHA1: d524912f7076513647bd0d1b04f5de51440675b4
SHA256: 87f713eab99b52824bea8e1592819eec8b208dabbe081d1a8b46b3ae12010092
SHA512: 4cb85e808960dc54fe03b5f2fffd515ae07b3648cdf4a6135151ab79ac2a46a9045f2c63a18512e4b53fc7c529d958852cf03910ba6752a55677f832f6f3e90c

Filesize: 78KB
MD5: 80899339ebf57364549979876d43afa5
SHA1: 98f0f82a6e108545844d909a70d6cf823aae8f8b
SHA256: a81eab654c2ce292b7c0a1c82b62f3b627bccd8a6b212165d5e13371c98da1dc
SHA512: acaf398a3785325c98d530de22102bf409f088809218f1d4f6712a2998f73dce9a255427c89f9bf7c47c56b0f33dd0580da66ae3318c023dee06cc1ef9866bce

Filesize: 660B
MD5: 182daf1b1d61eb3f033438814172abaf
SHA1: a660af96402bbc0450dfc913cf02c44dd1ce04d7
SHA256: d4bbec9c2631b2ff77d29a5dad35bb13e851d35a952181edbd65ce985ac9d606
SHA512: 1d68a9f9b4912922e6b32fbf5cb6b1a2b0ee7eacbc227d79e993d1a1d6486eae05f67cc58db6d84935d0c83b4669b8810b108b53f788d55fb001c103bcb9e5b0

Filesize: 14KB
MD5: f0fae78ccf2fa6923a613bf020520ba2
SHA1: 1c27a04d86cae75a9239fc3a46579522143b6792
SHA256: 30f501fac01add54e69871e883b26937f52c00492f4f2e4b58ebab6436623881
SHA512: 09e4b0c35957f681b5d88a8fe9c0a2b307d34dad5968059fce466fee906d8d52e0f4841d27a355f76ff6b6957380cb25d49d744e274636b1a84ed267f774a88a

Filesize: 266B
MD5: 410b83482bbd54d29bbd30eba547e388
SHA1: d2ee6d0fd7e11a66d8a75646a09dbb91a2515210
SHA256: 3bb8cad2ad03318f100b1ec43c6d8df0f96e7c7aaee0e375691f0a04a3fdcf97
SHA512: 3fd792cde8828cbb1ae2c83558f684c35692d6760e8b71924b4cbe48d1da69dba0152301d30b39d3250889ff7705a7841af3fd412ac9fced8dbe508447bc61df

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65