Overview

overview

10

Static

static

3

3ec902b68d...cd.exe

windows7-x64

10

3ec902b68d...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 21:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe

  • Size

    78KB

  • MD5

    5f0c86b976c87080308f6fc2d3ebe4c8

  • SHA1

    5da80f5e8899e3fed0e77abf18c3a113815d356c

  • SHA256

    3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd

  • SHA512

    cb99ca70a12a446407bb18665660262d006eecc8e2081385213e25aa12b98288a6b9327eedba4136fd164e52ccff8f151c86e67bb0f1477d862b864f1996cfeb

  • SSDEEP

    1536:QhHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/4L1+:8HFoI3ZAtWDDILJLovbicqOq3o+n89/J

Score
10/10
metamorpherratdiscoverypersistenceratstealertrojan

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

    trojanratstealermetamorpherrat
  • Metamorpherrat family
    metamorpherrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
    "C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\au4lplvf.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13B295CE6E974A95B387357F7D75CDEF.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4040
    • C:\Users\Admin\AppData\Local\Temp\tmpD215.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD215.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ec902b68d394c037bc79aa4b19fa1fdff03eb4172ef078f61203f4ca3b35acd.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp
    Filesize

    1KB

    MD5

    d1251507172c0c6cf2d67827fa8e9f9a

    SHA1

    eb904b4f52820cc37cce34faeba79aede95b1023

    SHA256

    aec373156f23532919a2141a781b3a9266531a3eb877748e4366c4cf554ebbaa

    SHA512

    388b4f489cebccc1d8d8ba6ed1db89d4091b2d179f0ec35cadbe1690a922e38a231918d5adce25bda6601d86f66e8324ac65312b68d28afd030d0ea436162a68

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\au4lplvf.0.vb
    Filesize

    15KB

    MD5

    602af3daa5e0f4a39861a42996e84ca0

    SHA1

    49f5c3d0d55f3fc31b21a3d4f2f8ac3df05febd2

    SHA256

    83642274bba1cbd9c0c78d5de1b314d0b6b93100c2af416acb3070a9155d80ae

    SHA512

    ee5e09617ac7584fc3ad7e0837817cf7dd49f4609b0cfc8ace79fc5290959eb0144bc74a4a1cd818049e3e87de54b27e07d1263462e2dbdbf8adb5e39d2b7ab7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\au4lplvf.cmdline
    Filesize

    266B

    MD5

    0164fb8cc2d90f60fa20f657cd837ec2

    SHA1

    4606b875ae0bf33b682e75bb8ff8d443c809ee60

    SHA256

    ca7036e34540f8ff12e186a5ea57beb0929b0e112779ca9b80daa86c7909b7ff

    SHA512

    3898dac4517eca735971a03f2f3651c4676026a781847ec5692bd4feee5792d81bef4bfa442e68bb6a2057a69abdae8117c7ce0098b06c3dee53979d83e0561c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD215.tmp.exe
    Filesize

    78KB

    MD5

    ab8dd5d748fc54bbbd288f95b47a5cf2

    SHA1

    98d023d137aa66a5d5572de92105621c9bd0be0e

    SHA256

    2436232b073788b817a8c12b818faf204084423925fc7d2e82dab399109d4a3e

    SHA512

    38afda60dbff717f3d79b4b1a002e5b206dc0f2c403a321f43133e6b16b2f521798b31d35155ffa00674678908b04de76b816989f91a3655808fae34967cbf59

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbc13B295CE6E974A95B387357F7D75CDEF.TMP
    Filesize

    660B

    MD5

    e3b1429076de9940853c62629faab1e8

    SHA1

    163b6837f7821dc3e86e2d645778b082aaadd3d0

    SHA256

    c530b6d45adb324e430184dca2f09299ab8e6d4e57fb3f9b704ed0823f56cd1e

    SHA512

    5b854f76b7e5b7a046b5a25866157aaa81862830dd00d53a67a66baa1ffdda798a35727889b7777cb5f50cbd727fdfd590833315afabf4c7dfbee94c962a453b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize

    62KB

    MD5

    a26b0f78faa3881bb6307a944b096e91

    SHA1

    42b01830723bf07d14f3086fa83c4f74f5649368

    SHA256

    b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

    SHA512

    a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

    Download Submit

  • memory/2672-22-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2672-2-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2672-1-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2672-0-0x0000000075552000-0x0000000075553000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3168-8-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3168-18-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3524-23-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3524-24-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3524-25-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3524-26-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3524-27-0x0000000075550000-0x0000000075B01000-memory.dmp

    Filesize

    5.7MB

    Download