Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2024 20:11
Static task: static1
Behavioral task: behavioral1
  Sample: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  Resource: win10v2004-20241007-en
General
Target: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
Size: 78KB
MD5: ae002c0f52fbeac0cb03c901b537c38b
SHA1: d2f3f8527b33e67a8079b2fdce154eff5e883ba7
SHA256: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17
SHA512: e0cc49dcd2e9870b9caaa638809f1e42fc0a04cd24e4e150f04daf396f92a9a375dda758e009c8991f9d8e30d27e43f5c1a5cd7fd85d51faddb2980c65b7782e
SSDEEP: 1536:zCHY6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtS9/A1dJ:zCHYOIhJywQj2TLo4UJuXHhS9/+
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  PID 2712: tmp8047.tmp.exe
- Loads dropped DLL (2 IoCs)
  PID 2964: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  PID 2964: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by tmp8047.tmp.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by vbc.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cvtres.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2964, 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2964 (1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe) wrote to memory of 2984, procid_target 30 (recorded 4 times)
  PID 2984 (vbc.exe) wrote to memory of 2708, procid_target 32 (recorded 4 times)
  PID 2964 (1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe) wrote to memory of 2712, procid_target 33 (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2964
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afqj6qls.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2984
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82A7.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2708
  - C:\Users\Admin\AppData\Local\Temp\tmp8047.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8047.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2712
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 555f74c27dee4ea33096ad05e2c26238
  SHA1: 5a74fb51c1f291321e1c1317d57e04ca6c1e9fa2
  SHA256: d5d4c9f0597932942b3a0f26b230d5d1940f2e62448cf562aff6b71f7c50201e
  SHA512: 351cbdb4519146aefefbbd491d8f5114ecac525822a6b6adea0bdc144aada8778909061efc74550ae43724b6f88b1eb5b97be8e85dfbaec53b9d880c9da56260
- Filesize: 15KB
  MD5: bb381fa36f0f79540921c59a800fb03e
  SHA1: 72349a2f3beb8a41ff69ccc18de80b295e224b04
  SHA256: 8ea4711ee73f1456d2d664df73ca6642dcaa2ebf0fdf920aebf88791d57d2d29
  SHA512: d786aa0f484b3b6ec1d7b4dc0117083854013b00bb0c178a55af3b6841e49802582064626ee25f7c0205ba83614c8a244fa63deb8f9cabc400b6c13b788a8555
- Filesize: 266B
  MD5: 0dcc61c4e799bb4dd5cfe2b76064d8a0
  SHA1: ae5939eb2b7bfc62353c25793b6a1dd0304f894c
  SHA256: 0e191b2fde7af19379810e98c6158e41048bd0d20014a6ffbf6bb79e0523582d
  SHA512: a78459b0e26995984103958569f700391034020e89af46e3d789b99502b41369adf32e46525994b63781ac034ee47fadfe2bbad7bf3108379de7577e0a7971ab
- Filesize: 78KB
  MD5: bbbabe1271344ba9a01cf9cbfb12c0b3
  SHA1: 129d49b3af99b8e4da73ae4a152043745e916a0b
  SHA256: 96c532a4fc563a073411e714250f4aa5649ff2ddc9b6b177af33b470927bf2a6
  SHA512: 3da723dab70bf7378a29c88bbcb1c2c4c5a19b52dbcd8c45f20f996b0d5164e59e30a5874b1cb98affc48d5f81185f3e1d2300c0e95c65ad18fddbade1c0e62b
- Filesize: 660B
  MD5: f677cc05f3d55dfeafbd6d8d070405af
  SHA1: 98a43823af3a5227368eba89171a3d7c95300c1a
  SHA256: fc9d5753d7c6a7a6cf73d560471fcbb3b80c2bd351bbf15ecafba34589945860
  SHA512: 516e8a7d093d40e9f24cd4fbd8024039d5fcb65dc0de82bcf86c74eab7700924b675e0d30bc4ce389dd3141ed8d177f20518a5bdcd4cf3570d133f8964a0f678
- Filesize: 62KB
  MD5: 8008b17644b64cea2613d47c30c6e9f4
  SHA1: 4cd2935358e7a306af6aac6d1c0e495535bd5b32
  SHA256: fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
  SHA512: 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea