Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 20:08
Static task: static1
Behavioral task: behavioral1
- Sample: 2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
- Resource: win10v2004-20240508-en
General
- Target: 2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
- Size: 78KB
- MD5: 42c15c189c4ac429f658668e3ac742a7
- SHA1: 93e00f46114bf5b6e7d3e2f288ba3ab9746f5565
- SHA256: 2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699
- SHA512: 2b22b40ef58051286f22431bcddef45e8730a2c3266f03048aef1c03f8f8efc0a233e0119bff462f1f599e8951f45834bc368797920ba4dd5b083d92d1b46947
- SSDEEP: 1536:WuHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtei9/X1cK:WuHa3Ln7N041Qqhgei9/x
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Executes dropped EXE (1 IoC)
  Processes:
  pid 2764  tmp1B2E.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid 2180  2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
  pid 2180  2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmp1B2E.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege  pid 2180  2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
  Token: SeDebugPrivilege  pid 2764  tmp1B2E.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
  PID 2180 wrote to memory of 3056  2180  2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe  vbc.exe  (4 events)
  PID 3056 wrote to memory of 2136  3056  vbc.exe  cvtres.exe  (4 events)
  PID 2180 wrote to memory of 2764  2180  2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe  tmp1B2E.tmp.exe  (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\palwjrzs.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C38.tmp"
   2. C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2e548d6fa2b335d39db8ff5f2cc529089e423d6345d5db49a663b5c910671699.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES1C39.tmp
  Filesize: 1KB
  MD5: cca1daeabafe25f3950a69a943012c54
  SHA1: fb8a7c8f1b3847e37932730b1b7019085458d96f
  SHA256: 2e35c916acdae182956d423bd0b8b9e27cc68b86489068658f00fc1184d0a685
  SHA512: 02d5b215acf30bbb12a4cfdc3e81aaa4c90011fde65478a7c922b81cb23f68fc13ce33ee5064613db9d380dec5b18fe6215b77092b83c52f5b454db27d93e9e7
- C:\Users\Admin\AppData\Local\Temp\palwjrzs.0.vb
  Filesize: 15KB
  MD5: a7f4039e2f07cd663d9ab7e12cf09e48
  SHA1: 52be5a00ac5193e8eadd0dea0659ef88bbc13a7e
  SHA256: eb21f553f9a8f3da4e23aca4f48cb91f9e00ceed50266897146c30ed1f611b1f
  SHA512: 68f77be60862eca815adf1f072504563601689a66874401b287b83962e6b1b981e021517a60bb58941b67cfcdcd31386e0553f6c1970f9619d7db84b20da6ffb
- C:\Users\Admin\AppData\Local\Temp\palwjrzs.cmdline
  Filesize: 266B
  MD5: 2b0cb34c94cfb89df9b09ff785c3d099
  SHA1: deb6a9c05b32faf2d0884a0218ad8e2f698073d2
  SHA256: 9f43d4c3744a73623e399e99c16b853561ced941f4d86ca8bc1b9ec195d1782e
  SHA512: 30c2f3084496b8bb7f4300bc1dea98c5d4d253f441702a6025c78a477047d64b0c3a27018f70eae77390f393dbd4967b4654730bba447f79d877061235ab1ec2
- C:\Users\Admin\AppData\Local\Temp\tmp1B2E.tmp.exe
  Filesize: 78KB
  MD5: cb84476c948dfbd5d29d38c6cd0fda8d
  SHA1: 9083ac23e9f983b9a0095bbac58fd950cb3c8c37
  SHA256: 2f85b120316bf8bbd8e176ccbafe185900ecd63161011c510f1b06381bb23401
  SHA512: d120d9ae44b1f60d6069cb7629ef110b9964864d82d6ac8d0ebaea701499bf61c18805ef6d4f55017bfbed2940ddd18da1aae6743ebe495c2cd74546b35c2b6f
- C:\Users\Admin\AppData\Local\Temp\vbc1C38.tmp
  Filesize: 660B
  MD5: b088f75a3a1201aab8319f5511704b83
  SHA1: d99925dcb68f6260a9c65264ee48de26ac8590f9
  SHA256: c4d52a01035e68c242c628be7424e3b45520ba0a7b557c4405062320e90c29fb
  SHA512: 7dc836ddbe95ff0ec85e2fd8aa460889544dfdc12240201021603e648ac4b1c6b098b2b6d9ae844686971499fc93ed38244fc2e1fe4dbc917ce120be0631cb4b
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/2180-0-0x0000000074811000-0x0000000074812000-memory.dmp
  Filesize: 4KB
- memory/2180-1-0x0000000074810000-0x0000000074DBB000-memory.dmp
  Filesize: 5.7MB
- memory/2180-2-0x0000000074810000-0x0000000074DBB000-memory.dmp
  Filesize: 5.7MB
- memory/2180-24-0x0000000074810000-0x0000000074DBB000-memory.dmp
  Filesize: 5.7MB
- memory/3056-8-0x0000000074810000-0x0000000074DBB000-memory.dmp
  Filesize: 5.7MB
- memory/3056-18-0x0000000074810000-0x0000000074DBB000-memory.dmp
  Filesize: 5.7MB