Overview

overview

10

Static

static

3

2773dfe503...cN.exe

windows7-x64

10

2773dfe503...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe

  • Size

    78KB

  • MD5

    00152c998c9fcf9b697738c9564d2730

  • SHA1

    65ed9cd87387a3eb6ab1da9ab7df5e824b6dd0b0

  • SHA256

    2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364c

  • SHA512

    8e09ca9c1578e49568407da87ff70fb64dd5adf454bf0573ecc8ef6a7c8442969730ce2f8df0bf27ccef49ccb3192271d4f5eecc9d216bfddd8833323d30541d

  • SSDEEP

    1536:pCHFo6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtD9/Te1nI:pCHFoOIhJywQj2TLo4UJuXHhD9/Tz

Score
10/10
metamorpherratdiscoveryratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
    "C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qob61htl.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc338394FEC92743D69059E61A7BD389C9.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2116
    • C:\Users\Admin\AppData\Local\Temp\tmp9153.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9153.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2773dfe503f70724dff36a36a544cfc770d2475bebd6aec97ccc73aff524364cN.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES92CA.tmp
    Filesize

    1KB

    MD5

    94b8c142808ce6b5e03154a86fff33ba

    SHA1

    a6ffaea753ece484284a8516ca7e2e351a7108ce

    SHA256

    15f1b3260f43b015358dfae9a0d3c6e0e56931b0996f8320e927e1f4116314c3

    SHA512

    c88bc05634a6dd6379c23bedf7e000ed3239728b7a0d88a2facbc8a2dcefc9cb1bfcbeda39fe7301e7669c5575702a5e9998b884768f7be0c9e2289bcddba516

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qob61htl.0.vb
    Filesize

    15KB

    MD5

    81a4f2aeddd396cc28791f5ff2753eed

    SHA1

    a10ac51bcb4529982cce5033b179711f343a7298

    SHA256

    6c9e9130facb165d68fb6df3db03986e751260d8b34dbbbdb38f8aa716baed35

    SHA512

    4cad78cd80bc2cbed0c9d97171430da9507c6bc3cdebcce364517a54e790765a06091e203cfcde95c98137532edd2ded4578dfb902fd06a7fc93675ad4d239cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qob61htl.cmdline
    Filesize

    266B

    MD5

    b478d2617db9dea845b68bd33d9f68a2

    SHA1

    d3af41063a562aab9ce1c45badfa2cbaa0822b08

    SHA256

    ff985689d65527fca1f8c9bd01547217af55176a1a264dfc6104da09e2b8c579

    SHA512

    89dc14ad120fdc041a80857d89fda683b872285d6e2e912cf9a82d2dca6ea2a4250886495d97d58f0780540be56796fb28d5f136faea81c6eb5044e029824958

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9153.tmp.exe
    Filesize

    78KB

    MD5

    5a72040304d4c6ad39d226028d76d7eb

    SHA1

    8788142691f8fe813e361ba6feca584adb90ec77

    SHA256

    f7db597c64b29cdc455768ca8cbfca00ed44ff62ff605fbb160ea5d447c7127c

    SHA512

    5e1733c0bf3517f6028c562c3ac48551c1ce83675cff7cbacd7424dcfc6612e5e3618af1cebb5b93efac2cff4a18b97a992f887a1bda6a6100692a84c4deeb6a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc338394FEC92743D69059E61A7BD389C9.TMP
    Filesize

    660B

    MD5

    56a51e112b904e1f1d83326b95c47d8c

    SHA1

    4927ad26abfb35ac4be13ab47c76462311366775

    SHA256

    5bcc67ebc41e164d1717fa6b64dec4f9c19454a956be996070f946500ff4600b

    SHA512

    c56073f842fd4736dfa8cafaa632ca12971f35ea0a230f168e94525d9c98613b1a7446fd283a71c6d9236b0ab6178f8effd4e80b70f698747b49ac5279603301

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    8008b17644b64cea2613d47c30c6e9f4

    SHA1

    4cd2935358e7a306af6aac6d1c0e495535bd5b32

    SHA256

    fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

    SHA512

    0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

    Download Submit

  • memory/1660-23-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1660-27-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1660-26-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1660-25-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1660-24-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3352-22-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3352-1-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3352-2-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3352-0-0x00000000753D2000-0x00000000753D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4540-9-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4540-18-0x00000000753D0000-0x0000000075981000-memory.dmp

    Filesize

    5.7MB

    Download