Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
  Resource: win10v2004-20231215-en
General
Target: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
Size: 78KB
MD5: 0ab385dd7216e9d677c4fee6ffa159a2
SHA1: d3578e3963d00825e0d4fc35c9b364d9be458c54
SHA256: 4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0
SHA512: fa7ef3b261d86852c50a4567f3eda14dbe9962c57b9b1c85582a85e3e2cf6e2ec94fd0836784f258271fffaa629b1b688e2cfda92dea47f4fbe0131fb2696c69
SSDEEP: 1536:9WV5jS6dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6V9/Q1rG:9WV5jS1n7N041Qqhg99/7
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2160  tmp3939.tmp.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
  2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                                                                process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmp3939.tmp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
  Token: SeDebugPrivilege  2160  tmp3939.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 2200 wrote to memory of 1640   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  vbc.exe
  PID 2200 wrote to memory of 1640   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  vbc.exe
  PID 2200 wrote to memory of 1640   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  vbc.exe
  PID 2200 wrote to memory of 1640   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  vbc.exe
  PID 1640 wrote to memory of 1704   1640  vbc.exe                                                                   cvtres.exe
  PID 1640 wrote to memory of 1704   1640  vbc.exe                                                                   cvtres.exe
  PID 1640 wrote to memory of 1704   1640  vbc.exe                                                                   cvtres.exe
  PID 1640 wrote to memory of 1704   1640  vbc.exe                                                                   cvtres.exe
  PID 2200 wrote to memory of 2160   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  tmp3939.tmp.exe
  PID 2200 wrote to memory of 2160   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  tmp3939.tmp.exe
  PID 2200 wrote to memory of 2160   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  tmp3939.tmp.exe
  PID 2200 wrote to memory of 2160   2200  4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe  tmp3939.tmp.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe"
  PID: 2200
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dx6gioj1.cmdline"
    PID: 1640
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3ADE.tmp"
      PID: 1704

  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3939.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4bb97a9e54d36984c775674b892d989337db40ad22f87e4f6e6e4d49176e4ea0.exe
    PID: 2160
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: fe14fa87a4f9a0640d6e73db7c17c0a6
SHA1: 7bff7a28ea272e99a95ed267376b18ffc0a79445
SHA256: 6f2f97b0e9adcab057f70a8dedaa3da482cefb69b4d29dfc2db0e42615f0a6f1
SHA512: b0c283bfb118519c3ddd1a3832bbe6a53684615162de1f0d70e4ed70fab210d3cd9ace5e979d6147c06d45c6c891e166bed5d55b7242deaa415eb783dd02e397

Filesize: 14KB
MD5: 89dea00193b6fc0090abaa5b3d4048ea
SHA1: 2bbbfdd7c1b29c06a1f87e2e32ce01cf3f1b5a59
SHA256: 2642a8befa174d2529000518d0efcb28872588e5fb5c73df40e64ddcaffd23fd
SHA512: 2aad1747b4cdae6cb20d167e4ddef7552d2188290271678504065dd550ab06ec51b0a61d9f61143c7d93fb0bcd6e8b7a8f888fc876335f5b098e276ffd5db1fc

Filesize: 266B
MD5: 0bc7d7beeaca525bfacc50b88107e019
SHA1: 9faa7108d160445a3dc96e5219ffc8ac19589d67
SHA256: 581f574e56cb170f4b9dfa5bc2d034ef561118f2cb55b72b76a5422693e5e607
SHA512: 7ef32de564f8afb0c42a078f7d11d9b7fc85a0f4c222cc7bd3826996938dde7e20554a84118b2458411ad4fee659fa1785dcd779373d2c6c6ad0592727722555

Filesize: 78KB
MD5: f365f15321401d1173ffd399e36e811c
SHA1: adca584023d4ffca46a64b5caa3e73d7510f5e94
SHA256: 8125a1d8bc6cf5aaf9eef7a9c616918fed49f1a0e219e4fcdd3962f1ed1e3c38
SHA512: 89179e006cb720d596dc64d9a79c5ae50f0070aed92a83d45a91be5dd43658d98e7a474ebbb46e25a1c8d71017375c0f433562f4d7508c169bc9497f5d0d9c0e

Filesize: 660B
MD5: 0f5de4148b83d89418a78816e69bb8d7
SHA1: 1de400d24ae2c663e7ac87540209c3b22d3b2ce5
SHA256: 96e5ad45be923f22b2b3903b3fa4f627dba12ee269cf2e0bdbbf7b166cfe4b80
SHA512: f475bfcf5f12e255e1d3d7beaf171b95ba1c56c2069ff8a26fb8e344fe219705b2cbfeb1b301df7cbe13acf2a2d1fe1000b03faea6773323948181d01a837ebc

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65