Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 20:30
Static task: static1
Behavioral task: behavioral1
  Sample: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
  Resource: win10v2004-20240226-en
General
Target: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
Size: 78KB
MD5: 2627456fa3286338ba04377a00d84f91
SHA1: e598838e48f8c59131ba8ca6ec54603c85f00915
SHA256: 3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9
SHA512: f3ea71639e000ece3f7b757f71313f757a03afa415aa150a0a4048ff70f03339a24f235c1e896d6e2a5c806f5ffdb50908541543ee7479e4f6ce2deca072099d
SSDEEP: 1536:bHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtS9/ww1le:bHFo53Ln7N041QqhgS9/0
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2900  tmp12E5.tmp.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
  1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmp12E5.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
  Token: SeDebugPrivilege   2900  tmp12E5.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 1244 wrote to memory of 2000   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   vbc.exe
  PID 1244 wrote to memory of 2000   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   vbc.exe
  PID 1244 wrote to memory of 2000   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   vbc.exe
  PID 1244 wrote to memory of 2000   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   vbc.exe
  PID 2000 wrote to memory of 1440   2000  vbc.exe                                                                 cvtres.exe
  PID 2000 wrote to memory of 1440   2000  vbc.exe                                                                 cvtres.exe
  PID 2000 wrote to memory of 1440   2000  vbc.exe                                                                 cvtres.exe
  PID 2000 wrote to memory of 1440   2000  vbc.exe                                                                 cvtres.exe
  PID 1244 wrote to memory of 2900   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   tmp12E5.tmp.exe
  PID 1244 wrote to memory of 2900   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   tmp12E5.tmp.exe
  PID 1244 wrote to memory of 2900   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   tmp12E5.tmp.exe
  PID 1244 wrote to memory of 2900   1244  3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe   tmp12E5.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe"
  PID: 1244
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mens4nmz.cmdline"
    PID: 2000
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13BF.tmp"
      PID: 1440

  C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp12E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ded29ba0ac213b98dcc33ee7aed568747aab40a201d519010fd9dc480000bf9.exe
    PID: 2900
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 0feab416a36edfb5a9ddef16829fbca0
SHA1: 2409ca305df9d246b37cac9e05aad38effe36b0f
SHA256: 5bb21a137cd24aeb4d7e1845af37c4acfb41e323875fa154775a4376a4269af0
SHA512: dc9c61f8b1429fed9611f3d7ee5cfb694dc43462d4d821441a8817c24a10cfceb757254f4dd5ce7bf0f456acdedd90d31306a5de4dca2619bbe637efbf0d3fc0

Filesize: 15KB
MD5: 5320148874d8604e01419af688b85e1b
SHA1: 21a6839c882b3531845d786d49fea5f26d1d1ce4
SHA256: 5d6a69185540aaa5bbe7e790d579fed614ddca6f07f25d744f61928190c8afc4
SHA512: c6e355ba42c3b506dcbc764ff4c40953a1556bbbc0bdfeab11715cb11ecf1b76060ff0b531cba9bd976f4e27c7bd881755b2638d232a4a215e7f7aa8943fcbc0

Filesize: 266B
MD5: cd516cf8682bc63b410b4d8f99d38910
SHA1: bdf29115bd52db620bd3a41a21d504b19d8f4144
SHA256: dde82dd2792c36724c0492db41dfec58ecf226ae742578722b9cd89016355e29
SHA512: a800dcbbe4d7e6bde41aae2c7c5898fab4ae1f430ae16dba6ef2410ee441fff30c470db569ac8efb6fc0fa720621f0a18c87ec2dd9518216527d0af0462c52ee

Filesize: 78KB
MD5: 4881389c8ae06da40b8e86da635e655b
SHA1: 0d08695406e16376689df5f8b62726c6cd4e464d
SHA256: 5ab36cc1821dabc506faaef6ae40129db06e8bfcbb294ba0bf66c3e1d7ede11f
SHA512: dc928274b0da073c6cd7f36d5592abc461a677698daeb04d2cd664b8e18bb7b8594a76061e790b3a3a2a0c052f9382ae10a46fe50d0394fd2279156a96be7967

Filesize: 660B
MD5: 336ca875c2113afb536c44505f702a10
SHA1: 51410a1e4f0bc8cfe047f259b9f56f13c32a6b04
SHA256: 222d30cb7846501d09f91459ac052abace1ae961a5f3e3e9f2bd6be1e93a60d9
SHA512: 04680925f907c031773c5f6097fbe1a9d43aa7b4035987a71f414dd7a084ce125f260c6dd078bc38ed62b5dde24a4d8e70014f1852f7be2b8d4087c35753048f

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65