Analysis

  • max time kernel
    104s
  • max time network
    114s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 19:28

General

  • Target

    8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe

  • Size

    78KB

  • MD5

    0292fd03e9b712d2a5612391e0126ba0

  • SHA1

    5a45307ea5bb64ddc49457e51a8732bb786d110c

  • SHA256

    8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3

  • SHA512

    9f375620cccda4163b4c1e4d01f91a7ea29667b5a58a0cb230cbcb3f32e888015fcba5b66be842cd51ea51edd6d4b07beffa3304fa19914272d96e8f95925a41

  • SSDEEP

    1536:NStHF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtL19/uw1Hz:NStHFP3DJywQjDgTLopLwdCFJzL19/h

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
    "C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g1vmf35g.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6A0.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1576
    • C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2680
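The process tree above is the shape of a .NET program compiling itself a new binary at runtime: the sample writes Visual Basic source (g1vmf35g.0.vb) and a compiler response file (g1vmf35g.cmdline) to Temp, runs vbc.exe /noconfig @"...cmdline", vbc.exe calls cvtres.exe to build the resource object, and the freshly compiled tmpD587.tmp.exe is then launched with the original executable's path as its only argument, which fits the "Deletes itself" signature on that child. The detection below is an added example, not part of the sandbox report or the sample; it runs over constructed process-creation records modelled on the tree above (the explorer.exe root with PID 1000 and the field names pid/ppid/image/cmdline are assumptions, loosely following Sysmon Event ID 1) and flags the chain only when the compiler's parent is not a known build host.

```python
"""Detect a runtime compile-and-drop chain (vbc.exe/csc.exe with a .cmdline
response file, spawned from a binary in Temp) in process-creation events.
Added example; the event records are constructed from the report's tree."""
import re
from collections import defaultdict
from dataclasses import dataclass

DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Build hosts that legitimately call the compilers with response files.
KNOWN_BUILD_HOSTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?[^"]*\.cmdline"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
# Constructed records; PIDs and command lines follow the report, PID 1000 is an assumed root.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2848, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2084, 2848, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\g1vmf35g.cmdline"'),
    ProcEvent(1576, 2084, NET + r"\cvtres.exe",
              f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESD6A1.tmp" "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbcD6A0.tmp"'),
    ProcEvent(2680, 2848, r"C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp.exe",
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD587.tmp.exe" {SAMPLE}'),
    # Benign control (constructed): Visual Studio driving the same compiler must not fire.
    ProcEvent(3000, 1000, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(3001, 3000, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\abc123.cmdline"'),
]


def find_codedom_drop_chains(events):
    """Return one finding per compiler launch that matches the chain."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for comp in events:
        if _name(comp.image) not in DOTNET_COMPILERS:
            continue
        # CodeDOM-style invocation: compiler fed a .cmdline response file.
        if not RESPONSE_FILE_RE.search(comp.cmdline):
            continue
        parent = by_pid.get(comp.ppid)
        if parent is None or _name(parent.image) in KNOWN_BUILD_HOSTS:
            continue
        finding = {
            "parent_pid": parent.pid,
            "parent_in_temp": bool(TEMP_DIR_RE.search(parent.image)),
            "compiler_pid": comp.pid,
            # cvtres.exe under the compiler means a resource object was linked in.
            "cvtres_child": any(_name(c.image) == "cvtres.exe" for c in children[comp.pid]),
            "dropped_exe_pid": None,
            # The compiled binary receiving the parent's own path is the self-delete handoff.
            "dropped_exe_gets_parent_path": False,
        }
        for sib in children[parent.pid]:
            if sib.pid == comp.pid or not TEMP_DIR_RE.search(sib.image):
                continue
            if not _name(sib.image).endswith(".exe"):
                continue
            finding["dropped_exe_pid"] = sib.pid
            finding["dropped_exe_gets_parent_path"] = parent.image.lower() in sib.cmdline.lower()
            break
        finding["severity"] = "high" if finding["parent_in_temp"] and finding["dropped_exe_gets_parent_path"] else "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_codedom_drop_chains(SAMPLE_EVENTS):
        print(f)
```

In a real deployment the parent-image allow-list should be tightened to signed build tooling and the rule paired with a file-creation event for the .cmdline and .vb files in Temp, since a renamed compiler or an unusual host bypasses the image-name checks used here.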

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD6A1.tmp

    Filesize

    1KB

    MD5

    c39d64b3fbe7287ecfe189ad17d27578

    SHA1

    809044198919993c82e23f4a9c2e16551ba0a8a7

    SHA256

    ee4417b1fc3162af4ab35b1199f5cde6707ddc6e955563da79236ec72b9c57e5

    SHA512

    c696fb76409cbbbc8819aa385e8af57f4f4333d7898513be060065fd24b793a02a8b1b9bf5083a52128d141d9819bc45353233a650354506a5bcb32e8d29020e

  • C:\Users\Admin\AppData\Local\Temp\g1vmf35g.0.vb

    Filesize

    15KB

    MD5

    a331236fcd95c7a94dbf6e0b00ffd148

    SHA1

    56f76cc4d068848ac076bb28134eaf79a4eeea08

    SHA256

    7b71485b9b1a2b6317f04a1caa11723ba34b3fe8db2c23d8da0ec274c2aec18f

    SHA512

    de80f1ad10f18b2a7801c9b04f630ba2edba151a505d5f705e063cf8d29a273d7749607cedbe18abb59cc943e696c1cf1c9b420f9b77e6a57cdfdd4ed9cec22d

  • C:\Users\Admin\AppData\Local\Temp\g1vmf35g.cmdline

    Filesize

    266B

    MD5

    0e7bb26247d1bddf6f19e6b259af4e94

    SHA1

    0aa6194cfd821329abf84bca0d598739259ba678

    SHA256

    b0e6a68180a1214f1b6b3360345849a32939587f94efdb14aec1265e1a70b4b9

    SHA512

    d9d756394c99ec976b6a005b27a681b2b654e2e9c48773ed6ff2acf3a53ed12a47838c79c0d056dee5f69f92dbe5f7f9567b7e8a548cdcd616ac8e55925b3c91

  • C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp.exe

    Filesize

    78KB

    MD5

    1f2e23352556aec01092c66b8c9d7d2c

    SHA1

    b1a1e01afe077ba70023b0386fb0a2c356fce1e1

    SHA256

    9577996d5d92eb75b14a8e6c4cedc8f867e4b4f647503790ff81a03f6d8d5abf

    SHA512

    2abf1d441e706f33584154f1021e2ab77f6f512c878e77c536c75cc99b5f78d52cfba900628d58ec6407580a08c01c23493138a7f1a67ac5a5fe5ce90aca9b09

  • C:\Users\Admin\AppData\Local\Temp\vbcD6A0.tmp

    Filesize

    660B

    MD5

    31290c8fff48a0a6a7c904f9f1dddc06

    SHA1

    06ba27282b560ef9440ab56aad16435d1afd3022

    SHA256

    ef2d7e11ec7e2fed30089791bfa4e4a18edd1b06e7e6f97b3375451cf75b488c

    SHA512

    1d67dabe4727dab77687099382161d356edd158fdbb4179f61fd557554a19530bb4beb77d2ac579e311b70aaa28e3cc9da366ff6d46062b59d1d23b176a03ec6

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/2084-9-0x0000000074B50000-0x00000000750FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2084-18-0x0000000074B50000-0x00000000750FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-0-0x0000000074B51000-0x0000000074B52000-memory.dmp

    Filesize

    4KB

  • memory/2848-1-0x0000000074B50000-0x00000000750FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-2-0x0000000074B50000-0x00000000750FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-24-0x0000000074B50000-0x00000000750FB000-memory.dmp

    Filesize

    5.7MB