Overview

overview

10

Static

static

3

d360bb2d9f...4N.exe

windows7-x64

10

d360bb2d9f...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d360bb2d9f8d04f98f13b18f06645ea2b26651d06712ad1488503039c928bf84N.exe

  • Size

    78KB

  • MD5

    8f244062a07244a5c19b3dde1f0105e0

  • SHA1

    2ec908bb8627a690df625b743bae15a04d52a173

  • SHA256

    d360bb2d9f8d04f98f13b18f06645ea2b26651d06712ad1488503039c928bf84

  • SHA512

    dedb7a836cdf50cb30f62351b3a187cd09b24b4427fb5e996044739c2a8bf8c6b1f54ab6f858b79905d5b87933b99b374e3ed161dfef46fa435e80bd0af5869f

  • SSDEEP

    1536:9mWV58XvZv0kH9gDDtWzYCnJPeoYrGQtC6i9/n+1ue:QWV58Xl0Y9MDYrm7q9/i

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d360bb2d9f8d04f98f13b18f06645ea2b26651d06712ad1488503039c928bf84N.exe
    "C:\Users\Admin\AppData\Local\Temp\d360bb2d9f8d04f98f13b18f06645ea2b26651d06712ad1488503039c928bf84N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6tqmqbuo.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc195D63AC9DFE40609314F3EE29E35B6.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1560
    • C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d360bb2d9f8d04f98f13b18f06645ea2b26651d06712ad1488503039c928bf84N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6tqmqbuo.0.vb
    Filesize

    14KB

    MD5

    36837382257398bfef3ccc7e00bd03c0

    SHA1

    7de0a7b78be998835b1e98a027118f2b65e9463a

    SHA256

    bbd8bd8f7d5f2c29cc545af31075d78e2e852a91cfbe3c03cb0a297b5e230e96

    SHA512

    03c86cc5b30cf698be1fa7260253be19b995a3d07e93bdce5dfccda1c9a93cf6e56862cb1e6dab3d90559fe4935a2abacda1d1e2e5119f8c80d673e859ffe50c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6tqmqbuo.cmdline
    Filesize

    266B

    MD5

    46b2592f2a7f5f2a08dc882bd673bb36

    SHA1

    c20ae9ad75b70b90ce3172c12f26b146345acd66

    SHA256

    f86b754b5534045d4a0c1ff7e78ba685f86a32ca749006ad1c52d9e35f6d44a0

    SHA512

    128f02be7137a3c1dec2ea4e53718de07788806cebdd01d36b465733866a148671634dad48d2c8cebfdf8775c37527f3f0ebf8197a4767a93afd4fe5a9b973bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp
    Filesize

    1KB

    MD5

    077a1d1db52231aed1dd254523efcf6b

    SHA1

    210172184827e13a1791513dc08e2611fb93ff86

    SHA256

    895f2223e2cecdd41a1f7303f0a45897b4270150e37b1cf3f825f424f8cb7782

    SHA512

    8fe75761bb871ffc3a6fb96a6bc221778c376e2d18d050f72f0fdff5a757f566b4b61bc7b511eafe2383d82f1e84952fef240415d3b2da623fc731b953b2d5a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.exe
    Filesize

    78KB

    MD5

    d1013f3159ee5ed15fc8300534d37550

    SHA1

    614b8a5be6bd576ee0970f23ffcd782ab5bbedd3

    SHA256

    f5fc244be6c4ff3d298144887479346aec3b8aadf9c2bd1b7592d6e0769f5364

    SHA512

    50f853ebad7191db80dfd01c8e034d5dc051faf1978487859ff40175d47d6eac33e65efac8fc37037bf3fb093505f9f081a947960a3eeae2384ad8e68d8c9658

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc195D63AC9DFE40609314F3EE29E35B6.TMP
    Filesize

    660B

    MD5

    20a3b04aa484b5f35e9865cf8d4bbba1

    SHA1

    4ed09c2f5a314852ac26bbc1acf97e3007591f1c

    SHA256

    025347734f44985c836812aa454404985202ccc84ac40b24070d062b43459f0c

    SHA512

    f1d6d0dacb2c1f1032885f68c36fac58ab7453d881b3eeba52cb1f0ef30ee1acd7f1d08111b3f061765f6de7cdba59d0b225d4c10b3bd6c2299abacc910c08d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

    Download Submit

  • memory/1200-9-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1200-18-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4652-0-0x0000000075542000-0x0000000075543000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4652-2-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4652-1-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4652-22-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5012-23-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5012-24-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5012-26-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5012-27-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5012-29-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5012-28-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5012-30-0x0000000075540000-0x0000000075AF1000-memory.dmp

    Filesize

    5.7MB

    Download