Analysis

  • max time kernel: 120s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 12-11-2024 04:42

General

  • Target: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
  • Size: 78KB
  • MD5: d440bae961f4557a1bb93cedd786ee25
  • SHA1: 7e3fd7de63df6e9cd6c5a585575a817e3c9361a3
  • SHA256: 25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7
  • SHA512: 9d6e6bfb03a9531d8791b1aa7bb95f77f32dcae2b012d1e480f845c98b1b8e12848d2163ed9c587de5db0554a2b8a9004da453a23aefb2f5fea240555a65efdc
  • SSDEEP: 1536:Qy5xpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd6z9/m1oxH:Qy5HJywQjDgTLopLwdCFJz49/XH

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
    "C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\exelec5z.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB868.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB867.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2356
    • C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\25b5038b831e845cf2574e5bd65c60f2c20f0d2c603bece848e1bf09e66608a7.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB868.tmp
    Filesize: 1KB
    MD5: c1548d321d3d90c8a9dc1a542a84372d
    SHA1: bbfa9fddddf9bcfb0461ea2dc7c3c2826c671835
    SHA256: de9526b74757f3d07ee3d193ce7f84dec9f9d71d19d38ca7650c106e46474f2c
    SHA512: 3987b55b5fa508f9b26080486b40871f2eb641b266bc0ecec619511fee98b40ca865055897d30a90bdb2c447807ea62e8e22ad76f46d7ba3b109aca9cc4caac1

  • C:\Users\Admin\AppData\Local\Temp\exelec5z.0.vb
    Filesize: 14KB
    MD5: 43b1d63cb62d52ee23f8fb5811de4821
    SHA1: c33612fcbd033c42f293910e87f2fc2e0f5ab691
    SHA256: 73c30c8dfdfb8bc45fa3ba72c19ecc9116785b2f5edec8c7e5f9f383cacaa81d
    SHA512: 3f6fbe9f269d7b14cbf583f2c65df595e89e647ff6790d916940198acf9a9066264d484a5ebec257e8dd2ee163886f7b3d8b1f96cff416a13da8e827d7a0bdac

  • C:\Users\Admin\AppData\Local\Temp\exelec5z.cmdline
    Filesize: 266B
    MD5: 8c809f8ecf5be9c3b074e203eabdedd7
    SHA1: fa525dab2cc18370ac99cc584f8f4f1d29ef4188
    SHA256: a17e82fbba2475f35f9ad8536f9903dff3a0a79c5f12ed08dec89b2b66806c88
    SHA512: 650484a2c1964f528eee6167331ee3b02b4b11cf29f14ecac2971b62dd7df0bd4b5f421709cbdfdefcccce0e3f2034b9573d4dfa3227aeb9f46a3716c3844a02

  • C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.exe
    Filesize: 78KB
    MD5: a103730bcc25c9bbb81724f383f14115
    SHA1: e8db52048295250c36b073ba17e59f0970afc645
    SHA256: d30c161dbbadc245a1c15e85454e956ca80da1e28d52253d5549e445a2b4699b
    SHA512: 0da5db7e7284b43b05a495bbb37fb2e207e8a30fb3965ab47a803f6661005d2c03b27a89ffc1c9aefd2ecf2548da9418eea85ac187321d5ed0c89130f5cb387d

  • C:\Users\Admin\AppData\Local\Temp\vbcB867.tmp
    Filesize: 660B
    MD5: 346322d427537e1b37608fbac3128676
    SHA1: 4260800bc97e3560a0ce5adfd623e22f57dc7e2d
    SHA256: 00fc2db797deb908c2c1e9fd6a1d4e2685bcc47fdc49bfbe5d88b10bd163e2cc
    SHA512: 15dc3f819a83d061fea9dbf2530705f1f993eec5c70bc28873658680c8ac99b523cdeaa257f576934b05c73945bfacba5a7ed7f73e21fc8f98644fd287d866b7

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 484967ab9def8ff17dd55476ca137721
    SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
    SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
    SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/1712-8-0x0000000074920000-0x0000000074ECB000-memory.dmp
    Filesize: 5.7MB

  • memory/1712-18-0x0000000074920000-0x0000000074ECB000-memory.dmp
    Filesize: 5.7MB

  • memory/2568-0-0x0000000074921000-0x0000000074922000-memory.dmp
    Filesize: 4KB

  • memory/2568-1-0x0000000074920000-0x0000000074ECB000-memory.dmp
    Filesize: 5.7MB

  • memory/2568-2-0x0000000074920000-0x0000000074ECB000-memory.dmp
    Filesize: 5.7MB

  • memory/2568-24-0x0000000074920000-0x0000000074ECB000-memory.dmp
    Filesize: 5.7MB