Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 01-12-2024 20:11

General

  • Target: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  • Size: 78KB
  • MD5: ae002c0f52fbeac0cb03c901b537c38b
  • SHA1: d2f3f8527b33e67a8079b2fdce154eff5e883ba7
  • SHA256: 1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17
  • SHA512: e0cc49dcd2e9870b9caaa638809f1e42fc0a04cd24e4e150f04daf396f92a9a375dda758e009c8991f9d8e30d27e43f5c1a5cd7fd85d51faddb2980c65b7782e
  • SSDEEP: 1536:zCHY6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtS9/A1dJ:zCHYOIhJywQj2TLo4UJuXHhS9/+

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been around since 2013.

  • MetamorpherRAT family
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe (PID 2964, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe"
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2984, depth 2)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\afqj6qls.cmdline"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2708, depth 3)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82A8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc82A7.tmp"
        Signatures: System Location Discovery: System Language Discovery
    • C:\Users\Admin\AppData\Local\Temp\tmp8047.tmp.exe (PID 2712, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8047.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES82A8.tmp
    Filesize: 1KB
    MD5: 555f74c27dee4ea33096ad05e2c26238
    SHA1: 5a74fb51c1f291321e1c1317d57e04ca6c1e9fa2
    SHA256: d5d4c9f0597932942b3a0f26b230d5d1940f2e62448cf562aff6b71f7c50201e
    SHA512: 351cbdb4519146aefefbbd491d8f5114ecac525822a6b6adea0bdc144aada8778909061efc74550ae43724b6f88b1eb5b97be8e85dfbaec53b9d880c9da56260

  • C:\Users\Admin\AppData\Local\Temp\afqj6qls.0.vb
    Filesize: 15KB
    MD5: bb381fa36f0f79540921c59a800fb03e
    SHA1: 72349a2f3beb8a41ff69ccc18de80b295e224b04
    SHA256: 8ea4711ee73f1456d2d664df73ca6642dcaa2ebf0fdf920aebf88791d57d2d29
    SHA512: d786aa0f484b3b6ec1d7b4dc0117083854013b00bb0c178a55af3b6841e49802582064626ee25f7c0205ba83614c8a244fa63deb8f9cabc400b6c13b788a8555

  • C:\Users\Admin\AppData\Local\Temp\afqj6qls.cmdline
    Filesize: 266B
    MD5: 0dcc61c4e799bb4dd5cfe2b76064d8a0
    SHA1: ae5939eb2b7bfc62353c25793b6a1dd0304f894c
    SHA256: 0e191b2fde7af19379810e98c6158e41048bd0d20014a6ffbf6bb79e0523582d
    SHA512: a78459b0e26995984103958569f700391034020e89af46e3d789b99502b41369adf32e46525994b63781ac034ee47fadfe2bbad7bf3108379de7577e0a7971ab

  • C:\Users\Admin\AppData\Local\Temp\tmp8047.tmp.exe
    Filesize: 78KB
    MD5: bbbabe1271344ba9a01cf9cbfb12c0b3
    SHA1: 129d49b3af99b8e4da73ae4a152043745e916a0b
    SHA256: 96c532a4fc563a073411e714250f4aa5649ff2ddc9b6b177af33b470927bf2a6
    SHA512: 3da723dab70bf7378a29c88bbcb1c2c4c5a19b52dbcd8c45f20f996b0d5164e59e30a5874b1cb98affc48d5f81185f3e1d2300c0e95c65ad18fddbade1c0e62b

  • C:\Users\Admin\AppData\Local\Temp\vbc82A7.tmp
    Filesize: 660B
    MD5: f677cc05f3d55dfeafbd6d8d070405af
    SHA1: 98a43823af3a5227368eba89171a3d7c95300c1a
    SHA256: fc9d5753d7c6a7a6cf73d560471fcbb3b80c2bd351bbf15ecafba34589945860
    SHA512: 516e8a7d093d40e9f24cd4fbd8024039d5fcb65dc0de82bcf86c74eab7700924b675e0d30bc4ce389dd3141ed8d177f20518a5bdcd4cf3570d133f8964a0f678

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 8008b17644b64cea2613d47c30c6e9f4
    SHA1: 4cd2935358e7a306af6aac6d1c0e495535bd5b32
    SHA256: fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
    SHA512: 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

  • memory/2964-0-0x0000000074B81000-0x0000000074B82000-memory.dmp
    Filesize: 4KB

  • memory/2964-1-0x0000000074B80000-0x000000007512B000-memory.dmp
    Filesize: 5.7MB

  • memory/2964-3-0x0000000074B80000-0x000000007512B000-memory.dmp
    Filesize: 5.7MB

  • memory/2964-24-0x0000000074B80000-0x000000007512B000-memory.dmp
    Filesize: 5.7MB

  • memory/2984-8-0x0000000074B80000-0x000000007512B000-memory.dmp
    Filesize: 5.7MB

  • memory/2984-18-0x0000000074B80000-0x000000007512B000-memory.dmp
    Filesize: 5.7MB