Overview

overview

10

Static

static

3

79de67f437...8N.exe

windows7-x64

7

79de67f437...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 16:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe

  • Size

    78KB

  • MD5

    83abbc2fa12cce90a34623228d1cf060

  • SHA1

    ccdefc4083b6f4a01cc9b5647a5a5555942794d6

  • SHA256

    79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78

  • SHA512

    0c8b8deb59d1a9aa400a2ed6e20bb4dac18912b7aec6f5cbf00b78e663b556692da17f1bc8c8ef3fcd1bf4587a85dc640a3a9d91aa438e9b179a805dd1a1c92d

  • SSDEEP

    1536:9MV55AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtW6ta9/k1Va:WV55AtWDDILJLovbicqOq3o+nw9/J

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
    "C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4212
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wuiqwj99.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB856D972988A4663B2C2D461901BE83.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:212
    • C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe" C:\Users\Admin\AppData\Local\Temp\79de67f43715e37caee15c1cc1b12a8456db2e72eab9c0131ce3a79f6fcf7f78N.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB3DF.tmp
    Filesize

    1KB

    MD5

    578a841d41a2e63e6ac7ce63bb30d055

    SHA1

    a38a6e5d05d1ff20ffd8314e361c16d499288261

    SHA256

    c4faa0c14076530aa3b93f8c4a62c9d869c848da33fbcfbc4e682a23c8ec3230

    SHA512

    39b601fde025d9d40fa1754ae280a734824c72ef5819d7271db2e89920dd6b32c14d43d6b2bc9a55f964fe7631bc45676e9304ef4df749151da364c81a8f7570

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB268.tmp.exe
    Filesize

    78KB

    MD5

    398ed26b419df131463cec052758452e

    SHA1

    f4e0e4c273799e61e0a88fc5a620d96c9cd0cb71

    SHA256

    374f18fa824b343892db689d9d8941cc53b5030d542b72a7ea28563fb1120afa

    SHA512

    2d3b274c32e7f8c5803945d9877e4c0b78f9f80348afe5d36fc020ad64239868462a8e3bb6feaf9e88a3855dcdea0c5290929b32061d67e2c8ed3a04cd1c118f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcB856D972988A4663B2C2D461901BE83.TMP
    Filesize

    660B

    MD5

    a2bd0bec68b080ec02724df82d6a3c4f

    SHA1

    e67755c69f7f44c2e03c22d0751fdc30c8c111c8

    SHA256

    e41d8eef06fa954eda5b1c8f1b3ca0b5001ceef2d50865dd5902715dfea1f146

    SHA512

    a631708fc3ff9adbd0cf8ecb88154d13d612cdcd29f171010a6735b3ab90baa1f3929a0ea009fc7346aa988d41bf7273639eb51a3f3bc0342346246f27519c4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wuiqwj99.0.vb
    Filesize

    14KB

    MD5

    1a9a1dc13ec78d32e6354d8202e47bcb

    SHA1

    09c7cc0b3c3ea2abebc12ca956d7db5d1baa56e7

    SHA256

    8342625acaa54212d902784f7b8ed0f444417553782a9133b419746cb90a38ce

    SHA512

    f1525479c674087d4e402a38ec7a3fd2c3f64ca90162c0fda610ec90a55df7cf6c77f3521720f7ff20d234bbf72f3b277117eb31c663e68408a179bc9b1ab0a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wuiqwj99.cmdline
    Filesize

    266B

    MD5

    b305d1708d66639051f2704c97c3f478

    SHA1

    5c80804dd4f53fdb2973defc66b0113d498ef262

    SHA256

    db50c7ec77c01d341ffa342cdab5cf56641d301e4c783bed404d6ab85f9144fd

    SHA512

    ff43cb09e3f3f361474d4d96d2062b5222f17e1d0e9ea7345b09b9be14236fa72fc23c3731eb0669c321155ef652b0a03592b2ef2002e35c8a42874a0a93ef46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    a26b0f78faa3881bb6307a944b096e91

    SHA1

    42b01830723bf07d14f3086fa83c4f74f5649368

    SHA256

    b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

    SHA512

    a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

    Download Submit

  • memory/4056-22-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4056-24-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4056-25-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4056-26-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4212-2-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4212-1-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4212-23-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4212-0-0x0000000075422000-0x0000000075423000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4252-8-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4252-18-0x0000000075420000-0x00000000759D1000-memory.dmp

    Filesize

    5.7MB

    Download