Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 24-05-2024 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: 4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
  Resource: win10v2004-20240508-en
General
Target: 4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
Size: 78KB
MD5: 01870f77e360b7650820645411825ca5
SHA1: 9257e1e7abdb47b7514d4a140a885905be573dfa
SHA256: 4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e
SHA512: e116e8d947e2cc166e83e55ece6808bd674d62f8c077fb815955769b90d63897a5c380a745648160294058f94067b5d72f70cb61749605b39c925a4ccbfbff84
SSDEEP: 1536:NtHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtW99/x1So:NtHY53Ln7N041QqhgW99/n
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access trojan (RAT) family that has been in circulation since 2013.
-
Executes dropped EXE (1 IoC)
Processes:
  PID 2904  tmp1786.tmp.exe
Loads dropped DLL (2 IoCs)
Processes:
  PID 2888  4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
  PID 2888  4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
Note: vbc.exe is the .NET command-line compiler, not a VBScript engine. The sample hands it a response file (@*.cmdline) and then runs the freshly compiled binary, so the second-stage payload never exists on disk until the sandbox run itself builds it; hash-based detection of the first stage will not cover the compiled stage.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: tmp1786.tmp.exe
Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"
(The surrounding double quotes are part of the stored value data. The value name resembles the System.Xml .NET assembly; the target, AppLaunch.exe under the user's Temp directory, does not appear in this report's dropped-file list, so the persisted binary was not captured here.)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 2888  4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
  Token: SeDebugPrivilege  PID 2904  tmp1786.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 2888 (4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe) wrote to memory of PID 2392 (vbc.exe), 4 events
  PID 2392 (vbc.exe) wrote to memory of PID 3052 (cvtres.exe), 4 events
  PID 2888 (4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe) wrote to memory of PID 2904 (tmp1786.tmp.exe), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ag5zci8w.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1862.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1861.tmp"
   2. C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
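The signatures and the process tree above together describe one chain: a dropper in the user's Temp directory launches vbc.exe with a response file, vbc.exe calls cvtres.exe, the compiled tmp1786.tmp.exe is started with the dropper's own path as its argument, and that child writes a Run value pointing back into Temp. The following detection logic is an added example, not part of the sandbox report or of the malware family's tooling. It runs three rules over constructed process-creation and registry events whose paths and PIDs mirror the report; the ProcEvent/RegEvent shapes, the explorer.exe parent, the MSBuild control row and the OneDrive control row are assumptions made for the example, not data from the report.

```python
"""Added detection example: flags the compile-after-delivery chain and the
%TEMP% Run-key persistence recorded in the report above. Event shapes and
the benign control rows are assumptions, not a real log format."""
import re
from dataclasses import dataclass

# Paths taken from the report's process tree (PIDs and paths as reported).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPER = TEMP + r"\4758e05cbb72f859ee126a0edc78e131b5a18a70a77e948b1c86a9f225a1fd1e.exe"
STAGE2 = TEMP + r"\tmp1786.tmp.exe"
RUN_KEY = (r"HKU\S-1-5-21-481678230-3773327859-3495911762-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
COMPILER_RE = re.compile(r"\\(vbc|csc)\.exe$", re.IGNORECASE)  # .NET command-line compilers
RESPONSE_FILE_RE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str   # full value path, as in the report's "Adds Run key" IoC
    data: str


def detect(procs, regs):
    """Return (rule, pid) findings for the three behaviours seen in the report."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        # Rule 1: a .NET compiler driven by a response file, launched by a
        # binary running out of %TEMP% (ATT&CK T1027.004, Compile After Delivery).
        if (COMPILER_RE.search(p.image) and TEMP_RE.search(parent.image)
                and RESPONSE_FILE_RE.search(p.cmdline)):
            findings.append(("compile_after_delivery", p.pid))
        # Rule 2: a %TEMP% executable started by another %TEMP% executable and
        # handed the parent's own path as an argument (the tmp1786.tmp.exe launch).
        if (TEMP_RE.search(p.image) and TEMP_RE.search(parent.image)
                and parent.image.lower() in p.cmdline.lower()):
            findings.append(("temp_child_given_dropper_path", p.pid))
    for r in regs:
        # Rule 3: Run-key autostart whose target lives under %TEMP%.
        if RUN_KEY_RE.search(r.key) and TEMP_RE.search(r.data):
            findings.append(("run_key_to_temp", r.pid))
    return findings


# Constructed sample events: rows 2-5 mirror the report's process tree; the
# explorer.exe parent, the MSBuild-driven vbc.exe build and the OneDrive
# autostart are assumed benign controls that must not fire.
SAMPLE_PROCS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2888, 1000, DROPPER, '"' + DROPPER + '"'),
    ProcEvent(2392, 2888, NETFX + r"\vbc.exe",
              '"' + NETFX + r'\vbc.exe" /noconfig @"' + TEMP + r'\ag5zci8w.cmdline"'),
    ProcEvent(3052, 2392, NETFX + r"\cvtres.exe",
              NETFX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
              + r'\RES1862.tmp" "' + TEMP + r'\vbc1861.tmp"'),
    ProcEvent(2904, 2888, STAGE2, '"' + STAGE2 + '" ' + DROPPER),
    ProcEvent(4000, 1, r"C:\Program Files\Microsoft Visual Studio\MSBuild\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(4100, 4000, NETFX + r"\vbc.exe",
              '"' + NETFX + r'\vbc.exe" /noconfig @"C:\Users\Admin\source\repos\App\obj\Debug\a.cmdline"'),
]
SAMPLE_REGS = [
    RegEvent(2904, RUN_KEY + r"\System.XML", '"' + TEMP + r'\AppLaunch.exe"'),
    RegEvent(5000, RUN_KEY + r"\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def run_sample():
    return detect(SAMPLE_PROCS, SAMPLE_REGS)


if __name__ == "__main__":
    for rule, pid in run_sample():
        print(rule, pid)
```

Rule 1 keys on the parent's location rather than on vbc.exe alone because developer tooling (Visual Studio, MSBuild, PowerShell's Add-Type) legitimately spawns vbc.exe and csc.exe with @*.cmdline response files; the control row for an MSBuild-driven build stays silent. Rule 3 flags only Run values whose data points under Temp, which is what the report's System.XML entry does and what an ordinary autostart does not.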
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (dropped files and memory dumps)
Note: the 78KB tmp1786.tmp.exe has the same size as the submitted sample but different hashes; it is the binary the dropper launches after the vbc.exe/cvtres.exe step. ag5zci8w.0.vb is the Visual Basic source and ag5zci8w.cmdline the response file passed to vbc.exe in the process tree above.

C:\Users\Admin\AppData\Local\Temp\RES1862.tmp
  Filesize: 1KB
  MD5: 11e20d5217654a58515a4d4764ea17cb
  SHA1: c435bbc0fbf1cb02978dfe92fdcc189be5c6695e
  SHA256: b9f25878641d0a9cbcbdc4580477505c970995d6baefc85c7f361856dcc6ed67
  SHA512: c51a05a48d272aec602e4d85482d2248cceb4bcb853eeceebd698679c03554df4c3d2ddfbb2fff393b087ec8227809ea103b4cf8626e27794937bb048a855cb3

C:\Users\Admin\AppData\Local\Temp\ag5zci8w.0.vb
  Filesize: 15KB
  MD5: 8db4cd52cb94cba86919c978a084e260
  SHA1: 9ba34effc4611d13038824eee56796b2a38a6395
  SHA256: 70e74c838f52be5d89eb6de9c0c9d0d470f72e9222d643f5523f04ddaba700b6
  SHA512: f6953fe6371db15492ab32a36d73960ef10068a595a8a9a246b36a96c8a6d18fa55d5c83b8104f910fec19c428262f6874c676bf0c6f4c780efd8cdd2c56a742

C:\Users\Admin\AppData\Local\Temp\ag5zci8w.cmdline
  Filesize: 266B
  MD5: 3ba1a0775c3b699ef74bd31ac4ec0726
  SHA1: 8ef284baae6a0ba503441f65440df659c766f335
  SHA256: dcaf38bea809b428ce063ed1b2346df41187176ceca59aa920465bb4ce7e1ed8
  SHA512: 3c2235a7986a058dca08b57fc8014938692acfcd3a96e272ef2b490a6e92a4d6b17f851a5c4b0ba86ed58f5447f8a948881fa7b20169d701d2a208656c76bfb6

C:\Users\Admin\AppData\Local\Temp\tmp1786.tmp.exe
  Filesize: 78KB
  MD5: 422eec47b45cd0e657d6ae7d8fc968d1
  SHA1: 4fa60458adb6fcc143f5d8c3404a09300205dccc
  SHA256: d74a6236be451c0a3f167f2774fb3d2da6b97815177eb44e21194c03243a6131
  SHA512: 086a0c1069fa77de1197a8bfc3ba4870609e07775136a563e6d27602d963a350df36183d76336b449e3af77d6798fba049098e28e77a911c12a130ea4739aed3

C:\Users\Admin\AppData\Local\Temp\vbc1861.tmp
  Filesize: 660B
  MD5: 4df46ba0dd120b8e4f16d7335efeb36f
  SHA1: 8d5e85973ec0018da8510284a78e666c42323410
  SHA256: b467fdaaf2f1b815363305a35d7c75787fb1596d99c1824177388644929c64df
  SHA512: ac9ffdf248fc5913080610f4e6e14b60970f82fea00520e243716f7fa03dd8d2b55cc32ee5f8ff2acf3d3680725b8b502d5fc5d0aad4db3ebe0e0cf7a0d58b93

C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Memory dumps:
  memory/2392-8-0x0000000073FE0000-0x000000007458B000-memory.dmp   Filesize: 5.7MB
  memory/2392-18-0x0000000073FE0000-0x000000007458B000-memory.dmp  Filesize: 5.7MB
  memory/2888-0-0x0000000073FE1000-0x0000000073FE2000-memory.dmp   Filesize: 4KB
  memory/2888-1-0x0000000073FE0000-0x000000007458B000-memory.dmp   Filesize: 5.7MB
  memory/2888-2-0x0000000073FE0000-0x000000007458B000-memory.dmp   Filesize: 5.7MB
  memory/2888-24-0x0000000073FE0000-0x000000007458B000-memory.dmp  Filesize: 5.7MB