Analysis
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 23-11-2024 19:05
Static task: static1
Behavioral task: behavioral1
  Sample: 48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
  Resource: win10v2004-20241007-en
General
Target: 48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
Size: 78KB
MD5: 9f5f3f8296e435da13fe06d5cf844800
SHA1: f89ed084c8b7ef45bd9de95f89bace4601987a5c
SHA256: 48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1c
SHA512: c9525c903d24b998cd76aa181d28bf83c91a19db15f27e388c102e3baec3e1363c345d547ab7667c50aca7aee8225af197e682a80f40eb1cadaa29d1d9f34862
SSDEEP: 1536:Do4tHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtI9/51qE:k4tH/3ZAtWDDILJLovbicqOq3o+nI9/X
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access trojan (RAT) that has been in circulation since 2013.
Metamorpherrat family
Deletes itself (1 IoC)
  pid 2756  tmp753F.tmp.exe
Executes dropped EXE (1 IoC)
  pid 2756  tmp753F.tmp.exe
Loads dropped DLL (2 IoCs)
  pid 2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
  pid 2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler that ships with the .NET Framework, not a VBScript interpreter. The sample invokes it at runtime with a response file (@"...qqfcym_a.cmdline") in the user's Temp directory and lets cvtres.exe finish the build, so the payload is compiled on the victim rather than delivered as a finished binary (see the vbc.exe and cvtres.exe entries under Processes).
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""  process: tmp753F.tmp.exe
  The value name borrows the name of a legitimate .NET Framework tool (caspol.exe, the Code Access Security Policy tool) while the value data points at InstallMembership.exe in the user's Temp directory; the name shown in the Run key is not the executable that actually starts at logon.
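As an added triage helper (not part of the sandbox report and not code from the sample), the following Python parses the Run-key IoC line above, undoes the report's escaping of the value data, and flags the two things a responder checks first on an autostart entry: a target under a user-writable path, and a value name that does not match the executable it launches. SAMPLE_IOC is the report's own line; the USER_WRITABLE and DOTNET_TOOL_NAMES lists, the finding labels and the function names are assumptions of the example.

```python
import re
from typing import Dict, List

# Constructed from the single Run-key IoC in this report. The report's own
# escaping is preserved: inner quotes appear as \" and separators as \\.
SAMPLE_IOC = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = '
    r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" tmp753F.tmp.exe'
)

# description column: "Set value (<type>) <key>\<value name> = "<data>" <process>"
RUN_KEY_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\(?:Run|RunOnce))'
    r'\\(?P<name>\S+) = "(?P<data>.*)" (?P<process>\S+)$'
)

# Locations any user can write to (assumed list for the example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")

# .NET Framework tool names that malware borrows for value names (assumed list).
DOTNET_TOOL_NAMES = {"caspol.exe", "vbc.exe", "csc.exe", "cvtres.exe",
                     "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def unescape(s: str) -> str:
    # Undo the report's C-style escaping: a backslash escapes the next character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def first_token(cmdline: str) -> str:
    """Executable part of a Run value: the quoted path, or the first whitespace token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def triage_run_key(ioc_line: str) -> Dict[str, object]:
    """Parse one 'Set value' Run-key IoC and return the target plus finding labels."""
    m = RUN_KEY_RE.match(ioc_line.strip())
    if not m:
        raise ValueError("not a Run-key 'Set value' IoC line")
    target = first_token(unescape(m.group("data")))
    name = m.group("name")
    basename = target.rsplit("\\", 1)[-1].lower()
    findings: List[str] = []
    if any(marker in target.lower() for marker in USER_WRITABLE):
        findings.append("user-writable-location")
    # Only compare when the value name itself looks like an executable name.
    if name.lower().endswith(".exe") and name.lower() != basename:
        findings.append("name-mismatch")
    if name.lower() in DOTNET_TOOL_NAMES:
        findings.append("masquerades-as-dotnet-tool")
    return {"key": m.group("key"), "value_name": name, "target": target,
            "process": m.group("process"), "findings": findings}


if __name__ == "__main__":
    print(triage_run_key(SAMPLE_IOC))
```

The same function can be pointed at the other report's Run-key IoCs as long as they keep this "Set value (str) ... = "..." process" layout; a value whose data carries arguments after the quoted path (for example "C:\...\app.exe" /background) is handled by first_token, which keeps only the executable.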
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: 48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: cvtres.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: tmp753F.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
  Token: SeDebugPrivilege  pid 2756  tmp753F.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2324 wrote to memory of 3060  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  29
  PID 2324 wrote to memory of 3060  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  29
  PID 2324 wrote to memory of 3060  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  29
  PID 2324 wrote to memory of 3060  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  29
  PID 3060 wrote to memory of 2676  3060  vbc.exe                                                                 31
  PID 3060 wrote to memory of 2676  3060  vbc.exe                                                                 31
  PID 3060 wrote to memory of 2676  3060  vbc.exe                                                                 31
  PID 3060 wrote to memory of 2676  3060  vbc.exe                                                                 31
  PID 2324 wrote to memory of 2756  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  32
  PID 2324 wrote to memory of 2756  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  32
  PID 2324 wrote to memory of 2756  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  32
  PID 2324 wrote to memory of 2756  2324  48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe  32
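As an added example (not part of the report), the Python below rebuilds the parent/child tree from the twelve WriteProcessMemory events above, collapses the repeated rows into per-edge counts, and flags the pattern those edges show: an executable running from the user's Temp directory driving vbc.exe, which in turn drives cvtres.exe. The event lines and the IMAGES map are taken from this report (the map from its Processes section); the USER_WRITABLE markers, the compiler-name set and the function names are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed from the twelve WriteProcessMemory IoCs above, one line per
# event in the report's column order: description, pid, Process, procid_target.
SAMPLE = "48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe"
EVENTS = "\n".join(
    [f"PID 2324 wrote to memory of 3060 2324 {SAMPLE} 29"] * 4
    + ["PID 3060 wrote to memory of 2676 3060 vbc.exe 31"] * 4
    + [f"PID 2324 wrote to memory of 2756 2324 {SAMPLE} 32"] * 4
)

# Image path per PID, copied from the report's Processes section.
IMAGES: Dict[int, str] = {
    2324: r"C:\Users\Admin\AppData\Local\Temp\48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe",
    3060: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
    2676: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
    2756: r"C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe",
}

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Assumed lists for the example: user-writable path markers and the .NET
# command-line compilers whose appearance under such a parent is suspicious.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")
COMPILERS = {"vbc.exe", "csc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_edges(text: str) -> Counter:
    """{(writer_pid, target_pid): event count}; the sandbox logs one row per write."""
    edges: Counter = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid_col = int(m.group(1)), int(m.group(2)), int(m.group(3))
        if writer != pid_col:      # description and pid column disagree: skip the row
            continue
        edges[(writer, target)] += 1
    return edges


def roots(edges: Counter) -> List[int]:
    """PIDs that write to others but are never written to."""
    writers = {w for w, _ in edges}
    targets = {t for _, t in edges}
    return sorted(writers - targets)


def build_tree(edges: Counter) -> Dict[int, List[int]]:
    """Children per parent, in order of first appearance."""
    children: Dict[int, List[int]] = defaultdict(list)
    for parent, child in edges:
        if child not in children[parent]:
            children[parent].append(child)
    return children


def flag_compile_chain(children: Dict[int, List[int]], images: Dict[int, str]) -> List[dict]:
    """Flag a parent in a user-writable path that drives vbc.exe/csc.exe (and cvtres.exe)."""
    findings = []
    for parent, kids in children.items():
        pimg = images.get(parent, "").lower()
        if not any(marker in pimg for marker in USER_WRITABLE):
            continue
        for kid in kids:
            if basename(images.get(kid, "")) in COMPILERS:
                grandkids = [basename(images.get(g, "")) for g in children.get(kid, [])]
                findings.append({"parent": parent, "compiler": kid,
                                 "linker_stage": "cvtres.exe" in grandkids})
    return findings


def render(children: Dict[int, List[int]], images: Dict[int, str], root: int, depth: int = 0) -> List[str]:
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{root} {basename(images.get(root, '?'))}"]
    for kid in children.get(root, []):
        lines.extend(render(children, images, kid, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_edges(EVENTS)
    tree = build_tree(edges)
    for r in roots(edges):
        print("\n".join(render(tree, IMAGES, r)))
    print(flag_compile_chain(tree, IMAGES))
```

Counting events per edge rather than keeping twelve rows makes the tree readable and still preserves the signal: four writes from 2324 into each child is what a loader that prepares a child process looks like, and the 2324 -> 3060 -> 2676 chain is the runtime compile step that the "Uses the VBS compiler for execution" signature refers to.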
Processes
[1] C:\Users\Admin\AppData\Local\Temp\48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe"
    PID: 2324
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qqfcym_a.cmdline"
        PID: 3060
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7724.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7723.tmp"
            PID: 2676
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\48c3579b97182b47c93a22a955d02c1e3c807aee80b69fd448598ecdcb9aba1cN.exe
        PID: 2756
        - Deletes itself
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 34c0de624d5507a1c47e9a11e4b36836
  SHA1: 9ad39c15f98a69cb102c72537ccf1f51fb2937b3
  SHA256: 0340a9f14b27bd3178153ba9756209cac7ac09794f2c158a79ac1b4b5b44f6fc
  SHA512: 08734888d87087f5604bf2ec6d2d6cdab94d8334fc8c5da4103ec9d55c78a7bd44c1f26dc75c92c9a5ce9c86f8f67c5c15ef0253533f22477a28518694a51c16
- Filesize: 15KB
  MD5: 8283b31b6961eadb575e53ef4332b17a
  SHA1: ac81e0389808326942901b69d868660f11043d57
  SHA256: 58e22c8b90b22f735237cde8ebf8a56c428919b0b97b17dc656aece6a42db453
  SHA512: 0a7b5b6899f6dd4ee6ed1b1c5fad1e678e57ccd385191f06a7dd6b7cc6bd7d41255f8d365d76238a3363281260aff96b767fee5e197624770b84b068962437ea
- Filesize: 266B
  MD5: cc39bed97b9323f0571f85ad60a361ed
  SHA1: f640d9f11fb45b4e08a5106b0cad0eb11a7c9cd7
  SHA256: 299592896e8fbe87933ace64251a0b7bb381aae397aa1642dad301db77e78a72
  SHA512: 477d8e57764e088f3e69d63b50f3beeed55fb6734f823016d5522e9cff18ed28ff2d496615b0291d7a718d9f9a9660fed498158bdcfdb7499f0060011f76a847
- Filesize: 78KB
  MD5: da4c2cc160c87fde7b67fa4a66f87347
  SHA1: 87aa9e6a10dc139ff79ef916db40cd2bff29e87e
  SHA256: a1a700c5a8512666a42d9acd9e69cf1569dba4404f197652bc17b2e0be64ff31
  SHA512: 8b1b1324efbfe4eec8bd57e4a5e60c64a7cfe16744a9a7eb8795dbd782e08feda4c2697b8ed801a00a2ffdcefd46825effe34fe14fa254b108cd8d40bd9f2be4
- Filesize: 660B
  MD5: f0064135b8d8ce1d288e740281514c1b
  SHA1: dc0100168b0e40455b7a8c927a70dc33bfa83639
  SHA256: 995d3d05bf1623d12bd56137ccabc7fa2afeba7bcfdede04d6d209b442348cb4
  SHA512: 596b2c728d9ca93e399ecdcbd908f46484f19f5734e0a5167bf715626e2facf97782aaadb7134a1f0d4410c22f2b6ce811927e516c893cbfa86aad487961cc59
- Filesize: 62KB
  MD5: a26b0f78faa3881bb6307a944b096e91
  SHA1: 42b01830723bf07d14f3086fa83c4f74f5649368
  SHA256: b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
  SHA512: a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c