Overview

overview

10

Static

static

3

fc4b2dbed4...3c.exe

windows7-x64

10

fc4b2dbed4...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 06:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc4b2dbed4ab61061e08c88ce16b2a0a37127c99870192d62123800ee7feed3c.exe

  • Size

    78KB

  • MD5

    aceb7423395e8efe850671491e18f6bc

  • SHA1

    86dd0be3a5e9f8d64aa771f4e3e59c62df3814b7

  • SHA256

    fc4b2dbed4ab61061e08c88ce16b2a0a37127c99870192d62123800ee7feed3c

  • SHA512

    c2c03ec526e635f29918f1a12076e772a73f8746f3f5a2f96f114b5c0c9711899fb3e058d766e5fe6f28abdcad76ee434e9f2f9ec9f85b6a7dd2b867d00d4768

  • SSDEEP

    1536:lPWtHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQtc9/S1gc:lPWtHsh/l0Y9MDYrm7c9/+

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc4b2dbed4ab61061e08c88ce16b2a0a37127c99870192d62123800ee7feed3c.exe
    "C:\Users\Admin\AppData\Local\Temp\fc4b2dbed4ab61061e08c88ce16b2a0a37127c99870192d62123800ee7feed3c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g0etlyvc.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9579.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8A516FDD0B643EE8C14A3D68476BB8E.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:620
    • C:\Users\Admin\AppData\Local\Temp\tmp93D4.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp93D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc4b2dbed4ab61061e08c88ce16b2a0a37127c99870192d62123800ee7feed3c.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES9579.tmp
    Filesize

    1KB

    MD5

    df83f0b1d65a4cd9bfb987a124c7a506

    SHA1

    f58e70a88791eb01987e406019bb5264274f24df

    SHA256

    c57eb3485d70e226b24c29756350d8ac0cc67cf7b52edd7d51ef8c22a53b432d

    SHA512

    112445e7fec6c70668812f11b390341be45534eca8005261bfaea170a6a24f74f008513cec211d9a19a8a4340e4cd2db80a262416dc03c7db17d0dd99f4017fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\g0etlyvc.0.vb
    Filesize

    15KB

    MD5

    1d33b35db985df1524340d01638e9fdb

    SHA1

    960e5aebba1a5f3583e07f1408471b75f2d879a0

    SHA256

    4ecdc2cb30f6769a85b12129afb1c41e056b5de7b96b32c4489e31bc3d9e408b

    SHA512

    6213bb480c33cba5ad6826afe0dc5eef4deac154f303595eb615e327a5d59f4e6e7aafcf0835da87c15e3ee091003e38ff153eb2a6d985e8c77f55215692376b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\g0etlyvc.cmdline
    Filesize

    266B

    MD5

    9c934e3c8353019f68b667c91eaad028

    SHA1

    726de633d71b97fdd7d80ce098dc13c266e8546f

    SHA256

    e456e6149cd7f69484c821e9e3f16a4b039f896ac810bdb24080012152e69bb5

    SHA512

    e7d762d98cfb9c727e1212726a1941f9a18f57de6d541930ee1f77d9d659a850f4e5fc53d0aeb4fb31acdc1a3dfed6cfd361e3df36ebba7d897055d2736f913a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp93D4.tmp.exe
    Filesize

    78KB

    MD5

    c50c37c0fde1d6e6f6ed7694c136b330

    SHA1

    7e9f36354659d846a43d7491a8a1658dc5a96d10

    SHA256

    7d187768b55eb3a266fc20985d9b725e7204357cc8876341be7af68b2516c47f

    SHA512

    bc7188e700f37fcc0a5bfeb93bc748c6790b7d0ef5e6cb635edb3fa562518c66e8f6af6a090141311c9a9b17a7667aa0183bf96654fcc8d900a9c20cf0224451

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcE8A516FDD0B643EE8C14A3D68476BB8E.TMP
    Filesize

    660B

    MD5

    7afbf83ffe1ba2e73ebece448f3e1343

    SHA1

    8b04d2ecb51a314af2c4ba7bb7f88839ab831c4a

    SHA256

    c8a0c5f2cb6004f56bb66d35be60ff4ae9da4dc5a8d7bfd21c81b3e9e0396ec5

    SHA512

    d1ca68833a183aa8d47595cdd7ddbd41bf307a33fd8b76919d0f4a7dbd6f2a857a4eb6a1f54126a56a6c54c0133f9837a6210cd4f17bd70fcb2e8b2665df7371

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

    Download Submit

  • memory/1008-18-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1008-9-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-23-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-30-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-24-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-26-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-27-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-28-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2896-29-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4804-22-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4804-0-0x0000000075272000-0x0000000075273000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4804-2-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4804-1-0x0000000075270000-0x0000000075821000-memory.dmp

    Filesize

    5.7MB

    Download