Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 12-11-2024 04:42
Static task
- static1

Behavioral task
- behavioral1
  Sample: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
  Resource: win7-20240708-en

Behavioral task
- behavioral2
  Sample: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
  Resource: win10v2004-20241007-en
General
- Target: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
- Size: 78KB
- MD5: d440bae961f4557a1bb93cedd786ee25
- SHA1: 7e3fd7de63df6e9cd6c5a585575a817e3c9361a3
- SHA256: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7
- SHA512: 9d6e6bfb03a9531d8791b1aa7bb95f77f32dcae2b012d1e480f845c98b1b8e12848d2163ed9c587de5db0554a2b8a9004da453a23aefb2f5fea240555a65efdc
- SSDEEP: 1536:Qy5xpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6z9/m1oxH:Qy5HJywQjDgTLopLwdCFJz49/XH
Malware Config

Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2884  tmpB70F.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
    2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description   ioc                                                          process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpB70F.tmp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                target process
    PID 2568 wrote to memory of 1712  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  vbc.exe
    PID 2568 wrote to memory of 1712  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  vbc.exe
    PID 2568 wrote to memory of 1712  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  vbc.exe
    PID 2568 wrote to memory of 1712  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  vbc.exe
    PID 1712 wrote to memory of 2356  1712  vbc.exe                                                                cvtres.exe
    PID 1712 wrote to memory of 2356  1712  vbc.exe                                                                cvtres.exe
    PID 1712 wrote to memory of 2356  1712  vbc.exe                                                                cvtres.exe
    PID 1712 wrote to memory of 2356  1712  vbc.exe                                                                cvtres.exe
    PID 2568 wrote to memory of 2884  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  tmpB70F.tmp.exe
    PID 2568 wrote to memory of 2884  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  tmpB70F.tmp.exe
    PID 2568 wrote to memory of 2884  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  tmpB70F.tmp.exe
    PID 2568 wrote to memory of 2884  2568  25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe  tmpB70F.tmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2568
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\exelec5z.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1712
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB868.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB867.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2356
  - C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2884
Network
MITRE ATT&CK Enterprise v15
Downloads