Analysis
max time kernel: 104s
max time network: 114s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 02-12-2024 19:28
Static task: static1
Behavioral task: behavioral1
  Sample: 8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
  Resource: win10v2004-20241007-en
General
Target: 8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
Size: 78KB
MD5: 0292fd03e9b712d2a5612391e0126ba0
SHA1: 5a45307ea5bb64ddc49457e51a8732bb786d110c
SHA256: 8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3
SHA512: 9f375620cccda4163b4c1e4d01f91a7ea29667b5a58a0cb230cbcb3f32e888015fcba5b66be842cd51ea51edd6d4b07beffa3304fa19914272d96e8f95925a41
SSDEEP: 1536:NStHF3uaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtL19/uw1Hz:NStHFP3DJywQjDgTLopLwdCFJzL19/h
Malware Config
Signatures
MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Deletes itself (1 IoC)
  pid   Process
  2680  tmpD587.tmp.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2680  tmpD587.tmp.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
  2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpD587.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                                                   procid_target
  PID 2848 wrote to memory of 2084    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  31
  PID 2848 wrote to memory of 2084    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  31
  PID 2848 wrote to memory of 2084    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  31
  PID 2848 wrote to memory of 2084    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  31
  PID 2084 wrote to memory of 1576    2084  vbc.exe                                                                   33
  PID 2084 wrote to memory of 1576    2084  vbc.exe                                                                   33
  PID 2084 wrote to memory of 1576    2084  vbc.exe                                                                   33
  PID 2084 wrote to memory of 1576    2084  vbc.exe                                                                   33
  PID 2848 wrote to memory of 2680    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  34
  PID 2848 wrote to memory of 2680    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  34
  PID 2848 wrote to memory of 2680    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  34
  PID 2848 wrote to memory of 2680    2848  8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe  34
Processes
C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2848
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g1vmf35g.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2084
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6A0.tmp"
      - System Location Discovery: System Language Discovery
      PID: 1576
  C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD587.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8371245036afd52e23ac8cfd17b6e8b8f97a9c87fa57db795812d4809a77bee3N.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2680
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
  MD5: c39d64b3fbe7287ecfe189ad17d27578
  SHA1: 809044198919993c82e23f4a9c2e16551ba0a8a7
  SHA256: ee4417b1fc3162af4ab35b1199f5cde6707ddc6e955563da79236ec72b9c57e5
  SHA512: c696fb76409cbbbc8819aa385e8af57f4f4333d7898513be060065fd24b793a02a8b1b9bf5083a52128d141d9819bc45353233a650354506a5bcb32e8d29020e
Filesize: 15KB
  MD5: a331236fcd95c7a94dbf6e0b00ffd148
  SHA1: 56f76cc4d068848ac076bb28134eaf79a4eeea08
  SHA256: 7b71485b9b1a2b6317f04a1caa11723ba34b3fe8db2c23d8da0ec274c2aec18f
  SHA512: de80f1ad10f18b2a7801c9b04f630ba2edba151a505d5f705e063cf8d29a273d7749607cedbe18abb59cc943e696c1cf1c9b420f9b77e6a57cdfdd4ed9cec22d
Filesize: 266B
  MD5: 0e7bb26247d1bddf6f19e6b259af4e94
  SHA1: 0aa6194cfd821329abf84bca0d598739259ba678
  SHA256: b0e6a68180a1214f1b6b3360345849a32939587f94efdb14aec1265e1a70b4b9
  SHA512: d9d756394c99ec976b6a005b27a681b2b654e2e9c48773ed6ff2acf3a53ed12a47838c79c0d056dee5f69f92dbe5f7f9567b7e8a548cdcd616ac8e55925b3c91
Filesize: 78KB
  MD5: 1f2e23352556aec01092c66b8c9d7d2c
  SHA1: b1a1e01afe077ba70023b0386fb0a2c356fce1e1
  SHA256: 9577996d5d92eb75b14a8e6c4cedc8f867e4b4f647503790ff81a03f6d8d5abf
  SHA512: 2abf1d441e706f33584154f1021e2ab77f6f512c878e77c536c75cc99b5f78d52cfba900628d58ec6407580a08c01c23493138a7f1a67ac5a5fe5ce90aca9b09
Filesize: 660B
  MD5: 31290c8fff48a0a6a7c904f9f1dddc06
  SHA1: 06ba27282b560ef9440ab56aad16435d1afd3022
  SHA256: ef2d7e11ec7e2fed30089791bfa4e4a18edd1b06e7e6f97b3375451cf75b488c
  SHA512: 1d67dabe4727dab77687099382161d356edd158fdbb4179f61fd557554a19530bb4beb77d2ac579e311b70aaa28e3cc9da366ff6d46062b59d1d23b176a03ec6
Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7