Overview

overview

10

Static

static

3

b85e91b3a4...33.exe

windows7-x64

10

b85e91b3a4...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b85e91b3a492835c273e25895c8c48c47bc24f1dba9b1411e2594399c7cf4b33.exe

  • Size

    78KB

  • MD5

    68b4be56a75b7dbe03689e1d48437556

  • SHA1

    bbdd8822dbe1a62ccbe921e4f313250a10234dbd

  • SHA256

    b85e91b3a492835c273e25895c8c48c47bc24f1dba9b1411e2594399c7cf4b33

  • SHA512

    bcd9533ee699171b63d3198771a8087c58f86561287bab4576bc57e75f7e64c3a094b563242a6fedeb2e10b73b5caf55bb4ad1b413de4c6463622d90d2141e41

  • SSDEEP

    1536:8CHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQte39/n14qG:8CHYn3xSyRxvY3md+dWWZye39/FG

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b85e91b3a492835c273e25895c8c48c47bc24f1dba9b1411e2594399c7cf4b33.exe
    "C:\Users\Admin\AppData\Local\Temp\b85e91b3a492835c273e25895c8c48c47bc24f1dba9b1411e2594399c7cf4b33.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0npxkpgp.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A2D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7D29A671B34DE09642B731676C4946.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:336
    • C:\Users\Admin\AppData\Local\Temp\tmp9923.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9923.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b85e91b3a492835c273e25895c8c48c47bc24f1dba9b1411e2594399c7cf4b33.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0npxkpgp.0.vb
    Filesize

    15KB

    MD5

    1e62518d58908de61d8bc11ef260cfdd

    SHA1

    6f27da865a4df57695fe090cee61522e6de682a1

    SHA256

    fe89f305971b64dc20d76751da006e3573b37bdc1218a812d680036c85bfcca0

    SHA512

    a641e6482b24658d449e78bf186b1152314e3648a1fc532aec4e1db6439c45d53aa27834c2ae3e563cba2128a4e72afda9ef60902749c537d38b63aacb31ddef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\0npxkpgp.cmdline
    Filesize

    266B

    MD5

    6814be43066976e45ae04992b7562d79

    SHA1

    364777c11eabae9dd0e9ed42746ed4027d9d9959

    SHA256

    47673ccf823bad0482d206480709db68e905afb58234cac938bf07a5f7c7c8ac

    SHA512

    58e6f85f74e4c4790fb4362f5a9cdfa9eda713fdec83457c88520cd45856d219ffa67e1b55faab33d85857ec6b03f6b6373643a01b25c0d36dbca031cfeef9af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RES9A2D.tmp
    Filesize

    1KB

    MD5

    018be6ac1411717a14eca57c8374aef5

    SHA1

    42d81339e93a66d72aa54adf882fc8cd964f0c42

    SHA256

    e97955ccde764cb9381c619b8d8dc89ecb51a2e815fcef441fa626a32081e865

    SHA512

    58d39a7fd46d7e6558db6c83659e61b0468cadcdbf3a1405f82f7e69683fa9118e799a000403e6ba4e3c22cc5829dc4f3ee5f2b0900e09b902c46eba96b66d32

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9923.tmp.exe
    Filesize

    78KB

    MD5

    93fae4f141333df84a58ad24df514272

    SHA1

    32c9a813378a3eeeaf8eb95d2f787032a8af7ac4

    SHA256

    ea11a15945e3e91a7d87b3708ae03015f594996dd27324c97f59ecf6002b0490

    SHA512

    cbc618601eb229795e3f71c3f0b9273c46d330920e9865ca9903fc586bf8d9eea73c414f6494b62eff7b36a5283f0835acd0646f1e0e3edfdd78db909de768f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbcD7D29A671B34DE09642B731676C4946.TMP
    Filesize

    660B

    MD5

    8776ae930de8492fc3f6fb0985274b75

    SHA1

    113ae8b2887fee52089e2ef2de52321637d11cff

    SHA256

    31c3c6df40522e265b237862a393c8e1ac77065da0b9e5ab1c9afbfb9f336c09

    SHA512

    70440f53fb239efde152c5d3a1cc66c85466b4fc6b684ce0c699e50de5633ac3ecc60b617fcc16dc214f91c317b4bd453a1b9d016bd9aee059b5df0b48cb242d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    4f0e8cf79edb6cd381474b21cabfdf4a

    SHA1

    7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

    SHA256

    e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

    SHA512

    2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

    Download Submit

  • memory/2768-23-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-25-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-26-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-27-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-28-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-29-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3640-9-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3640-18-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4076-0-0x0000000074CD2000-0x0000000074CD3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4076-1-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4076-22-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4076-2-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download