Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 19:05

General

  • Target

    48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe

  • Size

    78KB

  • MD5

    9f5f3f8296e435da13fe06d5cf844800

  • SHA1

    f89ed084c8b7ef45bd9de95f89bace4601987a5c

  • SHA256

    48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1c

  • SHA512

    c9525c903d24b998cd76aa181d28bf83c91a19db15f27e388c102e3baec3e1363c345d547ab7667c50aca7aee8225af197e682a80f40eb1cadaa29d1d9f34862

  • SSDEEP

    1536:Do4tHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtI9/51qE:k4tH/3ZAtWDDILJLovbicqOq3o+nI9/X

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
    "C:\Users\Admin\AppData\Local\Temp\48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqfcym_a.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7724.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7723.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2676
    • C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES7724.tmp

    Filesize

    1KB

    MD5

    34c0de624d5507a1c47e9a11e4b36836

    SHA1

    9ad39c15f98a69cb102c72537ccf1f51fb2937b3

    SHA256

    0340a9f14b27bd3178153ba9756209cac7ac09794f2c158a79ac1b4b5b44f6fc

    SHA512

    08734888d87087f5604bf2ec6d2d6cdab94d8334fc8c5da4103ec9d55c78a7bd44c1f26dc75c92c9a5ce9c86f8f67c5c15ef0253533f22477a28518694a51c16

  • C:\Users\Admin\AppData\Local\Temp\qqfcym_a.0.vb

    Filesize

    15KB

    MD5

    8283b31b6961eadb575e53ef4332b17a

    SHA1

    ac81e0389808326942901b69d868660f11043d57

    SHA256

    58e22c8b90b22f735237cde8ebf8a56c428919b0b97b17dc656aece6a42db453

    SHA512

    0a7b5b6899f6dd4ee6ed1b1c5fad1e678e57ccd385191f06a7dd6b7cc6bd7d41255f8d365d76238a3363281260aff96b767fee5e197624770b84b068962437ea

  • C:\Users\Admin\AppData\Local\Temp\qqfcym_a.cmdline

    Filesize

    266B

    MD5

    cc39bed97b9323f0571f85ad60a361ed

    SHA1

    f640d9f11fb45b4e08a5106b0cad0eb11a7c9cd7

    SHA256

    299592896e8fbe87933ace64251a0b7bb381aae397aa1642dad301db77e78a72

    SHA512

    477d8e57764e088f3e69d63b50f3beeed55fb6734f823016d5522e9cff18ed28ff2d496615b0291d7a718d9f9a9660fed498158bdcfdb7499f0060011f76a847

  • C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe

    Filesize

    78KB

    MD5

    da4c2cc160c87fde7b67fa4a66f87347

    SHA1

    87aa9e6a10dc139ff79ef916db40cd2bff29e87e

    SHA256

    a1a700c5a8512666a42d9acd9e69cf1569dba4404f197652bc17b2e0be64ff31

    SHA512

    8b1b1324efbfe4eec8bd57e4a5e60c64a7cfe16744a9a7eb8795dbd782e08feda4c2697b8ed801a00a2ffdcefd46825effe34fe14fa254b108cd8d40bd9f2be4

  • C:\Users\Admin\AppData\Local\Temp\vbc7723.tmp

    Filesize

    660B

    MD5

    f0064135b8d8ce1d288e740281514c1b

    SHA1

    dc0100168b0e40455b7a8c927a70dc33bfa83639

    SHA256

    995d3d05bf1623d12bd56137ccabc7fa2afeba7bcfdede04d6d209b442348cb4

    SHA512

    596b2c728d9ca93e399ecdcbd908f46484f19f5734e0a5167bf715626e2facf97782aaadb7134a1f0d4410c22f2b6ce811927e516c893cbfa86aad487961cc59

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    a26b0f78faa3881bb6307a944b096e91

    SHA1

    42b01830723bf07d14f3086fa83c4f74f5649368

    SHA256

    b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

    SHA512

    a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

  • memory/2324-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

    Filesize

    4KB

  • memory/2324-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2324-2-0x0000000074D10000-0x00000000752BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2324-23-0x0000000074D10000-0x00000000752BB000-memory.dmp

    Filesize

    5.7MB

  • memory/3060-9-0x0000000074D10000-0x00000000752BB000-memory.dmp

    Filesize

    5.7MB

  • memory/3060-18-0x0000000074D10000-0x00000000752BB000-memory.dmp

    Filesize

    5.7MB