Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2024 19:11
Static task: static1
Behavioral task: behavioral1
- Sample: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
- Resource: win10v2004-20241007-en
General
- Target: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
- Size: 78KB
- MD5: 7b897c71632a4d68cc3cdcdc0657373f
- SHA1: e564b4af6dcc1350babf302a607fca45d00fa483
- SHA256: 03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0
- SHA512: 03c4a933fb35e5452601565b7fcb3dbdfb20dd17c42efa29a8ee22f818053f54522284a296d366ec6dbce5d2c1d1c06d997504f3b2ba25b9d5a79fbd819bdafe
- SSDEEP: 1536:mVc5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti61o9/Nx1ig:+c5jEJywQjDgTLopLwdCFJzu9/9
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a remote access tool (RAT) that has been in circulation since 2013.
- Metamorpherrat family
- Executes dropped EXE (1 IoC)
  PID   Process
  896   tmpD884.tmp.exe
- Loads dropped DLL (2 IoCs)
  PID   Process
  268   03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe (2 entries)
- Uses the VBS compiler for execution (1 TTP)
  Note: the process involved, vbc.exe, is the Visual Basic .NET command-line compiler shipped with the .NET Framework (here the v2.0.50727 runtime), not the VBScript engine (wscript.exe/cscript.exe). The `/noconfig @"<8 random characters>.cmdline"` invocation seen in the process tree is the form System.CodeDom.Compiler produces when a program compiles source code at run time, and cvtres.exe is launched by the compiler to convert the Win32 resource file it generates.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Description   IoC                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpD884.tmp.exe
  Note: Microsoft's own vbc.exe and cvtres.exe open the same key, so on its own this hit does not show deliberate geolocation checking by the sample.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  268   03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each row below appears four times in the raw output (12 entries in total).
  Description                        PID    Process                                                                  procid_target
  PID 268 wrote to memory of 2060    268    03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe    31
  PID 2060 wrote to memory of 2960   2060   vbc.exe                                                                  33
  PID 268 wrote to memory of 896     268    03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe    34
  Note: every write is from a parent into a child it has just created (sample -> vbc.exe, vbc.exe -> cvtres.exe, sample -> tmpD884.tmp.exe), the pattern ordinary process creation also produces, so by itself this is weak evidence of injection; the SeDebugPrivilege request by the sample is the stronger indicator.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe"
  PID: 268
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2o71r2id.cmdline"
    PID: 2060
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9BC.tmp"
      PID: 2960
      - System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
    PID: 896
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
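The process tree in this report has three features worth turning into process-creation detection logic: a binary running from the user's Temp directory drives vbc.exe with a CodeDOM-style `/noconfig @"<random>.cmdline"` response file, cvtres.exe runs beneath that compiler, and a second Temp-resident binary (tmpD884.tmp.exe) is launched by the first with the original sample's path as its argument. The Python below is an added example, not part of the sandbox report or of the sample; the events are constructed to mirror the tree above (same PIDs and command lines) plus a benign devenv.exe build as a control, and the parent allowlist, the rule names and the Temp-path pattern are assumptions to tune for your own environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style: pid, parent pid, image, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allowlist of parents that legitimately drive the .NET compilers; tune per estate.
COMPILER_PARENT_ALLOW = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# CodeDOM hands the compiler a random 8-character response file: /noconfig @"...\xxxxxxxx.cmdline"
RESPONSE_FILE = re.compile(r'@"?[^"\s]*\\[A-Za-z0-9_]{8}\.cmdline', re.IGNORECASE)
# Assumed "user-writable scratch" location; extend with other paths you care about.
USER_TEMP = re.compile(r"^[A-Za-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe")
DOTNET = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed events mirroring the report's tree, plus a benign Visual Studio build (pids 5000/5001).
EVENTS: List[ProcEvent] = [
    ProcEvent(1234, 0, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(268, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2060, 268, DOTNET + "vbc.exe",
              f'"{DOTNET}vbc.exe" /noconfig @"{TEMP}2o71r2id.cmdline"'),
    ProcEvent(2960, 2060, DOTNET + "cvtres.exe",
              f'{DOTNET}cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:{TEMP}RESD9BD.tmp" "{TEMP}vbcD9BC.tmp"'),
    ProcEvent(896, 268, TEMP + "tmpD884.tmp.exe", f'"{TEMP}tmpD884.tmp.exe" {SAMPLE}'),
    ProcEvent(5000, 1234, "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "devenv.exe"),
    ProcEvent(5001, 5000, DOTNET + "vbc.exe",
              f'"{DOTNET}vbc.exe" /noconfig @"{TEMP}abcd1234.cmdline"'),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Yield parent, grandparent, ... of pid, stopping at an unknown pid or a cycle."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        ev = by_pid[ev.ppid]
        seen.add(ev.pid)
        yield ev


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) hits for the three behaviours visible in the report's process tree."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: run-time compilation through a CodeDOM response file, parent is not a build tool.
        if name in COMPILERS and RESPONSE_FILE.search(e.cmdline) and pname not in COMPILER_PARENT_ALLOW:
            hits.append((e.pid, "runtime_compile_unexpected_parent"))
        # Rule 2: compiler toolchain (vbc/csc/cvtres) anywhere below a binary running from user Temp.
        if name in COMPILERS | {"cvtres.exe"} and any(USER_TEMP.match(a.image) for a in ancestors(e.pid, by_pid)):
            hits.append((e.pid, "compiler_under_temp_binary"))
        # Rule 3: a Temp-resident binary launching another Temp-resident binary.
        if parent is not None and USER_TEMP.match(e.image) and USER_TEMP.match(parent.image):
            hits.append((e.pid, "temp_to_temp_exec"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 fires for PID 2060 because its parent is the sample rather than a build tool, while the control build under devenv.exe (PID 5001) is silent; Rule 2 also tags cvtres.exe (PID 2960) because the sample sits in its ancestry; Rule 3 catches tmpD884.tmp.exe (PID 896). In a real estate, PowerShell's Add-Type and some installers also spawn csc.exe/vbc.exe with response files, so expect to extend the allowlist rather than treat Rule 1 as a standalone alert.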
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14KB
  MD5: c8ae5c922c486546ebe4958f2c476fbd
  SHA1: 7c951b3c0084914fa610ed04bc3ab7e9e3834411
  SHA256: d61f5794ab940149ab359925a468ad4b8869d53366f276392f8ff17e62618711
  SHA512: 3708149215bd818fdd6f6fc341c3a4dab2638f87f7294fedf87c0b675a4643ae573fd804de4b652ce002421a41bcfeafe5c417608ca356ac7eb1ff2b0f5c145a
- Filesize: 266B
  MD5: 02cfd918d84c60cb3e42aab26a2905dd
  SHA1: ce1951d6dcd781d17c271c9f45f937b4ea6791b5
  SHA256: c3f349918bc798b090247d8ac19129850de57eddb6e5ab49944100b287a53dc9
  SHA512: 1b878c8b6dadda6747537200e5a00e01e7988d62d8bf8be6dc1d67576f90c4b2726cf1a9e4e2bb3c7e697f0fff40d11df9e6df41fe4e250f098b63101d9aa86d
- Filesize: 1KB
  MD5: 1ff71fc6c86ddec7cfa13f679afb17b5
  SHA1: de56cfd7f3efcff6541a201f7ffe87171cf0db13
  SHA256: df83bce46c09883b2e5b87c0b5786fe5d56228908ef7a3aa9b3c104f59829ceb
  SHA512: b6034e6557165d9d958f88c286571816b8e4c50f80142f19a0eef4dfc13ce8310685ab43b9b0f574c69772304d66cd6f4f4a21413402463d4c8733b5922a0e0a
- Filesize: 78KB
  MD5: 5ec0aec8b2aaf8e0b1c0868a307ceeb6
  SHA1: e68e8df8f4dd52a77fd4578e2282437b66504119
  SHA256: fbd6e65939c29408f0534938da15da96357d351f5da57bd3a07fb7265d987b4b
  SHA512: 8a2072530512d353cb92433096d9460d5b2ae055fb5125dbacb12590854dd99c3686891678fca44bfae7f476dd3cfd540a26a406b2aead382b42e9617c9d9993
- Filesize: 660B
  MD5: fa6a6c33d5e46f994a03b61891ba855c
  SHA1: 93eed8330d98cea17875d368d0996297c567cb32
  SHA256: 90f273c54c294b31e6057bfd0f1b2dd5941bb4755cace17063345be4927dbfdd
  SHA512: 14d65c19431d57924dce0d48612c801326eec054c1a5a14c8055ee168bd18dd7ba1ce573173490edae07920ec35120462f176059e65353ee6e1c167238a31ce4
- Filesize: 62KB
  MD5: 484967ab9def8ff17dd55476ca137721
  SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
  SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
  SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7