Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 23-07-2024 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
  Resource: win10v2004-20240709-en
General
- Target: 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
- Size: 78KB
- MD5: 92147390866e992d61c2e53fa1dbf232
- SHA1: 98aaa505c71acb3ff181ff0e12614d5d9cf9847b
- SHA256: 7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3
- SHA512: 125ac3c5aedeb846589e3fdd37a7bebe55a846da5cf3c3d8f6033c752e7d037a343a1260885f54e720c18192a689a709ae8146496f01c91c19bec6f68d5f19c1
- SSDEEP: 1536:uWV58gdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6P9/J1ol:uWV58vn7N041Qqhg39/M
Malware Config
Signatures
-
MetamorpherRAT
MetamorpherRAT is a remote access tool that has been in circulation since 2013.
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  2496  tmpC265.tmp.exe
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1720  7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
  1720  7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  process: tmpC265.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                              process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      tmpC265.tmp.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      vbc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      cvtres.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1720  7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
  Token: SeDebugPrivilege   2496  tmpC265.tmp.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                        pid   process                                                                 target process
  PID 1720 wrote to memory of 340    1720  7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe   vbc.exe          (4 events)
  PID 340 wrote to memory of 1600    340   vbc.exe                                                                 cvtres.exe       (4 events)
  PID 1720 wrote to memory of 2496   1720  7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe   tmpC265.tmp.exe  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"
  Signatures: Loads dropped DLL, System Location Discovery: System Language Discovery, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qbbodjae.cmdline"
    Signatures: System Location Discovery: System Language Discovery, Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4B6.tmp"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
    Signatures: Executes dropped EXE, Adds Run key to start application, System Location Discovery: System Language Discovery, Suspicious use of AdjustPrivilegeToken
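The chain in this tree (a Temp-resident .NET executable invoking vbc.exe with a response file in Temp, cvtres.exe under it, then a dropped tmp*.exe that is handed the parent's own path and writes a Run value pointing at AppLaunch.exe in Temp) is what endpoint detection should key on. The WriteProcessMemory entries are each paired with the launch of that same child by the same parent, which is what an ordinary process creation looks like in this kind of report, so they are not treated as injection here. The following is an added example, not code from the report or from any sandbox vendor: a small Python triage run over constructed process-creation and registry events modelled on the IoCs above. Field names are assumptions in the style of Sysmon event 1 (process create) and event 13 (registry value set); the MSBuild event is a constructed benign control that runs the same compiler legitimately.

```python
import re

# Constructed sample telemetry modelled on the process tree and Run-key IoC in
# the report. Field names are assumptions (Sysmon EID 1 / EID 13 style).
SAMPLE = "7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FX2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"


def tmp(name):
    return TEMP + "\\" + name


EVENTS = [
    {"type": "process", "pid": 1720, "image": tmp(SAMPLE),
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"' + tmp(SAMPLE) + '"'},
    {"type": "process", "pid": 340, "image": FX2 + r"\vbc.exe",
     "parent_image": tmp(SAMPLE),
     "cmdline": '"' + FX2 + r'\vbc.exe" /noconfig @"' + tmp("qbbodjae.cmdline") + '"'},
    {"type": "process", "pid": 1600, "image": FX2 + r"\cvtres.exe",
     "parent_image": FX2 + r"\vbc.exe",
     "cmdline": FX2 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:'
                + tmp("RESC4B7.tmp") + '" "' + tmp("vbcC4B6.tmp") + '"'},
    {"type": "process", "pid": 2496, "image": tmp("tmpC265.tmp.exe"),
     "parent_image": tmp(SAMPLE),
     "cmdline": '"' + tmp("tmpC265.tmp.exe") + '" ' + tmp(SAMPLE)},
    {"type": "registry", "pid": 2496, "image": tmp("tmpC265.tmp.exe"),
     "key": r"\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
     "data": '"' + tmp("AppLaunch.exe") + '"'},
    # Constructed benign control: a developer build invoking the same compiler.
    {"type": "process", "pid": 4100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\Projects\App\obj\Debug\App.vbproj.cmdline"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+)')  # the @file argument to vbc/csc


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def compile_after_delivery(events):
    """ATT&CK T1027.004: a .NET compiler launched by something other than a build
    tool, with its response file or its parent in a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "process" or basename(e["image"]) not in COMPILERS:
            continue
        if basename(e["parent_image"]) in BUILD_TOOLS:
            continue
        m = RESPONSE_FILE.search(e["cmdline"])
        resp = m.group(1) if m else ""
        if USER_WRITABLE.search(resp) or USER_WRITABLE.search(e["parent_image"]):
            hits.append({"pid": e["pid"], "parent": e["parent_image"], "response_file": resp})
    return hits


def run_key_to_user_dir(events):
    """ATT&CK T1547.001: a Run/RunOnce value whose target lives under AppData,
    Users\\Public or ProgramData (here: System.XML -> ...\\Temp\\AppLaunch.exe)."""
    hits = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
            hits.append({"pid": e["pid"], "value": e["key"].rsplit("\\", 1)[-1], "data": e["data"]})
    return hits


def dropped_child_given_parent_path(events):
    """A user-writable executable launched by another user-writable executable
    that passes its own image path as an argument (the tmpC265.tmp.exe launch)."""
    hits = []
    for e in events:
        if e["type"] != "process" or not USER_WRITABLE.search(e["image"]):
            continue
        if not USER_WRITABLE.search(e["parent_image"]):
            continue
        rest = e["cmdline"].lower().replace(e["image"].lower(), "", 1)  # drop argv[0]
        if e["parent_image"].lower() in rest:
            hits.append({"pid": e["pid"], "parent": e["parent_image"]})
    return hits


def triage(events):
    return {
        "T1027.004": compile_after_delivery(events),
        "T1547.001": run_key_to_user_dir(events),
        "dropped_relaunch": dropped_child_given_parent_path(events),
    }


if __name__ == "__main__":
    for technique, hits in triage(EVENTS).items():
        print(technique, hits)
```

Pivot the same rules onto real Sysmon or EDR data by mapping ParentImage/Image/CommandLine and TargetObject/Details onto the field names used here; the control event shows why the parent-process check matters, since vbc.exe with `/noconfig @file` is exactly what MSBuild produces on a developer workstation.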
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp
  Filesize: 1KB
  MD5: b3250071ac805216d1bd4e3262af4b70
  SHA1: 7067e2d62bdfa2fe4c4c04d7a581d57656ee7d79
  SHA256: 627ae831d2c2c14c7d033826654c4da476eee1810d1e735e7edbb140995c9a38
  SHA512: 78f800948169f595f89231551a7a7213668283fb01e2612e8047d8e7db6d2f53107033df46a79145b12b55df24bb95efbfd0069182ce3b6173420a571887f571
- C:\Users\Admin\AppData\Local\Temp\qbbodjae.0.vb
  Filesize: 14KB
  MD5: ce2d3c69c497834a4b16d556cbe73034
  SHA1: 3988203d388e57c074bb38b1bf282dff6bcc6f35
  SHA256: 66e72f9c71ffe98786b3e6352fab10e570c4d522c326e6e92ae228a40f880665
  SHA512: 5406518224110fe91dd934de75ceaa89741fad2b3fb211e2d2b94e3085d4ba57d1f55ecac7b78039366fcc492f2bd27672713bd2cff9ea8d2d38ac93aa23c201
- C:\Users\Admin\AppData\Local\Temp\qbbodjae.cmdline
  Filesize: 266B
  MD5: 84218ed9bac345b3a01605b667021ca3
  SHA1: b75f29e5e46a935b41fe5be31b47f380a32a874c
  SHA256: 7fed0dbf6ad5eb4c785a968c8193c15c6b2fa6c8b011f764d65845318699e372
  SHA512: 5f263180b1ab08db73424be6801f96cd5e4a37459a7c58addd86ea6c6b54f731e995ff7a5df5cdc02949b5c6afd6791d849869f05f5864a7240550526cafa619
- C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp.exe
  Filesize: 78KB
  MD5: 54b777a9b938e971f2da53e3e40bafdf
  SHA1: 9e6af76274b61961b7ca16f683a0995e9d607349
  SHA256: 537599fa5648cddbb591e1e2e5b3d3892958e97d368310c49c03e0de8a267200
  SHA512: b9da181bb300a9c51b7b8dbe65ad2b68d538cd4a1ace4d13a8161499436202261241b185efe95bd272a993c7bc860b7f3274299f96948a38bc00431c843c23bf
- C:\Users\Admin\AppData\Local\Temp\vbcC4B6.tmp
  Filesize: 660B
  MD5: d030fc5acb50ba6c9ef8afbfd0b0f24a
  SHA1: e9d5b2ec4dd2e1922b2e72a8c9d7c135f2a64ae0
  SHA256: 9a51ab0d8ac35a89c0cf3379698aa8f604d43fd50561dc045105ad5b5de549c6
  SHA512: f431d6102901c9b5301c3d84edeba216fa32a193f90e315d48bba70d8b4142c7016c84ac72743c92e9dd5b254379dff7ccde3dbf2e0fc1807c03b18c98ee33a4
- C:\Users\Admin\AppData\Local\Temp\zCom.resources
  Filesize: 62KB
  MD5: aa4bdac8c4e0538ec2bb4b7574c94192
  SHA1: ef76d834232b67b27ebd75708922adea97aeacce
  SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
  SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65
- memory/340-8-0x0000000074550000-0x0000000074AFB000-memory.dmp
  Filesize: 5.7MB
- memory/340-18-0x0000000074550000-0x0000000074AFB000-memory.dmp
  Filesize: 5.7MB
- memory/1720-0-0x0000000074551000-0x0000000074552000-memory.dmp
  Filesize: 4KB
- memory/1720-1-0x0000000074550000-0x0000000074AFB000-memory.dmp
  Filesize: 5.7MB
- memory/1720-2-0x0000000074550000-0x0000000074AFB000-memory.dmp
  Filesize: 5.7MB
- memory/1720-24-0x0000000074550000-0x0000000074AFB000-memory.dmp
  Filesize: 5.7MB