Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 19:22
Static task: static1
Behavioral task: behavioral1
  Sample: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
  Resource: win10v2004-20241007-en
General
Target: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
Size: 78KB
MD5: 88aae9275870cab6b6f3ad4ca7903be0
SHA1: 9239596a234d770cb96047d5fa95e85cbd029711
SHA256: ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97
SHA512: 859ca9dc2b071d0e5e823087c23968af4dcd91d1ff386577d043b3948986f03c6e292b67887afa901354679348b59e6942a8da9b30b601281a570cad59635399
SSDEEP: 1536:C4V5jULT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6Vs9/e1Wp:C4V5jiE2EwR4uY41HyvY+s9/B
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been in circulation since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  pid   Process
  2932  tmpA0A3.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
- Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""  tmpA0A3.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpA0A3.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
  Token: SeDebugPrivilege  2932  tmpA0A3.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1240 wrote to memory of 2256  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  30
  PID 1240 wrote to memory of 2256  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  30
  PID 1240 wrote to memory of 2256  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  30
  PID 1240 wrote to memory of 2256  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  30
  PID 2256 wrote to memory of 2060  2256  vbc.exe                                                                 32
  PID 2256 wrote to memory of 2060  2256  vbc.exe                                                                 32
  PID 2256 wrote to memory of 2060  2256  vbc.exe                                                                 32
  PID 2256 wrote to memory of 2060  2256  vbc.exe                                                                 32
  PID 1240 wrote to memory of 2932  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  33
  PID 1240 wrote to memory of 2932  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  33
  PID 1240 wrote to memory of 2932  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  33
  PID 1240 wrote to memory of 2932  1240  ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe  33
Processes
C:\Users\Admin\AppData\Local\Temp\ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe (PID 1240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2256, child of 1240)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fldnz9cd.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2060, child of 2256)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2B5.tmp"
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmpA0A3.tmp.exe (PID 2932, child of 1240)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA0A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
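Added triage example (Python; not part of the sandbox output). The functions below turn the three behaviours most useful for hunting into detection logic and run it over constructed Sysmon-style events that mirror the report's process tree and Run key write. The Run key check flags any value under a Run key, 32-bit Wow6432Node view included, whose data points into a user's Temp directory, as mscorsvc -> sortkey.exe does here; the compile-chain check looks for a .NET compiler started by a process that itself runs from Temp and then spawns cvtres.exe, as vbc.exe does under PID 1240; the hash check matches a file inventory against the report's SHA256 values. Field names follow Sysmon Event ID 1 (process create) and 13 (registry value set). The sample's parent PID 1000, the explorer.exe SecurityHealth Run value, the file inventory rows and the inclusion of csc.exe as a second compiler name are assumptions added for the example, not facts from the report.

```python
"""Triage helpers for the behaviour in this report.

Added example, not part of the sandbox output.  Scans Sysmon-style event
dicts (constructed below to mirror the report's process tree) for:
  * a Run key value whose data points into a user's Temp directory,
  * the vbc.exe -> cvtres.exe compile-at-runtime chain started by a process
    that itself runs from Temp,
  * files whose SHA256 matches the sample or a dropped file from the report.
"""
import re

# SHA256 values copied from the report: the sample and the 78KB and 62KB dropped files.
REPORT_SHA256 = {
    "ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97",
    "5292d2b06bc23b8792bf0f6f7627637a9d4663c5f90cd456ee12381e9f80437e",
    "69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4",
}

# Matches both Sysmon's HKLM\SOFTWARE\... form and the native
# \REGISTRY\MACHINE\SOFTWARE\... form the report prints; Wow6432Node is optional.
RUN_KEY_RE = re.compile(r"\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_PATH_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# csc.exe is an assumption for generality; the report itself only shows vbc.exe.
COMPILER_RE = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[0-9.]+\\(vbc|csc)\.exe$", re.I)
CVTRES_RE = re.compile(r"\\cvtres\.exe$", re.I)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97N.exe"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed events.  PIDs, images, the vbc.exe command line and the Run key write
# come from the report; the sample's parent PID 1000 and the explorer.exe (PID 900)
# SecurityHealth Run value are invented benign context.
EVENTS = [
    {"EventID": 1, "ProcessId": 1240, "ParentProcessId": 1000, "Image": SAMPLE},
    {"EventID": 1, "ProcessId": 2256, "ParentProcessId": 1240, "Image": NET20 + r"\vbc.exe",
     "CommandLine": '"' + NET20 + r'\vbc.exe" /noconfig @"' + TEMP + r'\fldnz9cd.cmdline"'},
    {"EventID": 1, "ProcessId": 2060, "ParentProcessId": 2256, "Image": NET20 + r"\cvtres.exe"},
    {"EventID": 1, "ProcessId": 2932, "ParentProcessId": 1240, "Image": TEMP + r"\tmpA0A3.tmp.exe"},
    {"EventID": 13, "ProcessId": 2932, "Image": TEMP + r"\tmpA0A3.tmp.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
     "Details": '"' + TEMP + r'\sortkey.exe"'},
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]

# Constructed file inventory: the sample (hash from the report) and an empty file
# (SHA256 of zero bytes), which must not match.
INVENTORY = [
    {"Path": SAMPLE, "SHA256": "ab370fd7f737e21fe302835517dca661e835a20ff42367e7e7a840bde6378b97"},
    {"Path": TEMP + r"\empty.txt", "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def find_temp_run_keys(events):
    """Return (writer image, key, data) for Run key writes whose data lives in %TEMP%."""
    hits = []
    for e in events:
        if (e.get("EventID") == 13 and RUN_KEY_RE.search(e["TargetObject"])
                and TEMP_PATH_RE.search(e["Details"])):
            hits.append((e["Image"], e["TargetObject"], e["Details"]))
    return hits


def find_runtime_compile_chains(events):
    """Return (parent image, compiler image, [cvtres child images]) for .NET compilers
    whose parent runs from %TEMP%: the compile-at-runtime pattern in the process tree."""
    procs = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    chains = []
    for e in procs.values():
        if not COMPILER_RE.search(e["Image"]):
            continue
        parent = procs.get(e["ParentProcessId"])
        if parent is None or not TEMP_PATH_RE.search(parent["Image"]):
            continue
        children = [c["Image"] for c in procs.values()
                    if c["ParentProcessId"] == e["ProcessId"] and CVTRES_RE.search(c["Image"])]
        chains.append((parent["Image"], e["Image"], children))
    return chains


def find_known_hashes(inventory):
    """Return paths whose SHA256 is one of the report's hashes (case-insensitive)."""
    return [row["Path"] for row in inventory if row["SHA256"].lower() in REPORT_SHA256]


if __name__ == "__main__":
    for hit in find_temp_run_keys(EVENTS):
        print("Run key -> Temp:", hit)
    for chain in find_runtime_compile_chains(EVENTS):
        print("Compile chain:", chain)
    for path in find_known_hashes(INVENTORY):
        print("Known hash:", path)
```

On real telemetry the compile-chain check is the more durable of the three: hashes change per build and the Run value name is trivially renamed, but a freshly dropped binary in Temp invoking the framework compiler and then cvtres.exe is rare on end-user hosts and survives most repacking.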
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: fa816749f65ab1aa9cc1ef878897df86
  SHA1: 19706cddea2180be65368367b4fa115d04db7766
  SHA256: 424a43d8652fdf51629edadf3fdd410034b956fbfaf58cd7147744d053763055
  SHA512: 82534d10f478697647755b7fb7622d50ea429d13fd3773c0612a7d742cdef5295cbaa7c62d655d5e815c4c7a3fe9b0d5aa140521438b006f567102fe5725a4c0
- Filesize: 14KB
  MD5: 28dcc064c6c314959d4c5e8f2cb0bd06
  SHA1: 040329c2c6bf3aaf36526e008ca8ac5a56ee3fb6
  SHA256: d213f2453c324924c573748db554df0876bb00e4d52d34bc18e2ff974dcfb08d
  SHA512: 3d1dc08e3ecdaca67c36f35ae3989143b308bfccbebf14621e64d6b9086bb707bee40d878455978b694a36b9dedffad0cb236c22d4c5e4f96df5ba5377fa5d5c
- Filesize: 266B
  MD5: 0b985023905c04cd9fe0018e2f1210ca
  SHA1: d0be13c763b9d4404f8da6440e17cc7f6b509c8e
  SHA256: 34a63e4820ab583da2a6215e95c24337f908ebe028e12a843f0b8c86a9cddace
  SHA512: df5f47e09042837ddab0baf967ee2c73c6d52605151d3d8ab0fdfc51e11f9f5bbd52b1b3c1c27e5be47fc18f8e028455f456ccbbc0d37b6a662e00e9b7739ae0
- Filesize: 78KB
  MD5: 979d03856564a5a34be5123882b1d681
  SHA1: a20c863eda1c92b685185e26c1fe2eaa19d4f229
  SHA256: 5292d2b06bc23b8792bf0f6f7627637a9d4663c5f90cd456ee12381e9f80437e
  SHA512: d2fee565af3d9be4fbbaac8ce27fca242a58d89206587ea91d94adc68505436a8020e10929910fd9953c1b2a171be016ce8d0b04adb1b7e5dc5770293d620614
- Filesize: 660B
  MD5: 48bc7c1df5f72a91bc2e66b4ce2ae839
  SHA1: fe0c4fc9e758ec9cb397b4fed4cf84183cbe8fef
  SHA256: 7044205c8999553d6993632be393a96b98be16dd0a250084b68cf7a9c1737e58
  SHA512: 283bdde01efd62ba588da0e740f7c2cb9110602b3c228ba26d76dd1561279da6df6d27c041a0e165639c439e0e968f38e5286d13df357d99a9fcc066e2b09daf
- Filesize: 62KB
  MD5: 6870a276e0bed6dd5394d178156ebad0
  SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
  SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
  SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809