Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 19:11

General

  • Target

    03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe

  • Size

    78KB

  • MD5

    7b897c71632a4d68cc3cdcdc0657373f

  • SHA1

    e564b4af6dcc1350babf302a607fca45d00fa483

  • SHA256

    03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0

  • SHA512

    03c4a933fb35e5452601565b7fcb3dbdfb20dd17c42efa29a8ee22f818053f54522284a296d366ec6dbce5d2c1d1c06d997504f3b2ba25b9d5a79fbd819bdafe

  • SSDEEP

    1536:mVc5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti61o9/Nx1ig:+c5jEJywQjDgTLopLwdCFJzu9/9

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
    "C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2o71r2id.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9BC.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2960
    • C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp.exe" C:\Users\Admin\AppData\Local\Temp\03a6146aadb65463a4a87024585434c27ebddddcd9ff545f53a829420f6597a0.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2o71r2id.0.vb

    Filesize

    14KB

    MD5

    c8ae5c922c486546ebe4958f2c476fbd

    SHA1

    7c951b3c0084914fa610ed04bc3ab7e9e3834411

    SHA256

    d61f5794ab940149ab359925a468ad4b8869d53366f276392f8ff17e62618711

    SHA512

    3708149215bd818fdd6f6fc341c3a4dab2638f87f7294fedf87c0b675a4643ae573fd804de4b652ce002421a41bcfeafe5c417608ca356ac7eb1ff2b0f5c145a

  • C:\Users\Admin\AppData\Local\Temp\2o71r2id.cmdline

    Filesize

    266B

    MD5

    02cfd918d84c60cb3e42aab26a2905dd

    SHA1

    ce1951d6dcd781d17c271c9f45f937b4ea6791b5

    SHA256

    c3f349918bc798b090247d8ac19129850de57eddb6e5ab49944100b287a53dc9

    SHA512

    1b878c8b6dadda6747537200e5a00e01e7988d62d8bf8be6dc1d67576f90c4b2726cf1a9e4e2bb3c7e697f0fff40d11df9e6df41fe4e250f098b63101d9aa86d

  • C:\Users\Admin\AppData\Local\Temp\RESD9BD.tmp

    Filesize

    1KB

    MD5

    1ff71fc6c86ddec7cfa13f679afb17b5

    SHA1

    de56cfd7f3efcff6541a201f7ffe87171cf0db13

    SHA256

    df83bce46c09883b2e5b87c0b5786fe5d56228908ef7a3aa9b3c104f59829ceb

    SHA512

    b6034e6557165d9d958f88c286571816b8e4c50f80142f19a0eef4dfc13ce8310685ab43b9b0f574c69772304d66cd6f4f4a21413402463d4c8733b5922a0e0a

  • C:\Users\Admin\AppData\Local\Temp\tmpD884.tmp.exe

    Filesize

    78KB

    MD5

    5ec0aec8b2aaf8e0b1c0868a307ceeb6

    SHA1

    e68e8df8f4dd52a77fd4578e2282437b66504119

    SHA256

    fbd6e65939c29408f0534938da15da96357d351f5da57bd3a07fb7265d987b4b

    SHA512

    8a2072530512d353cb92433096d9460d5b2ae055fb5125dbacb12590854dd99c3686891678fca44bfae7f476dd3cfd540a26a406b2aead382b42e9617c9d9993

  • C:\Users\Admin\AppData\Local\Temp\vbcD9BC.tmp

    Filesize

    660B

    MD5

    fa6a6c33d5e46f994a03b61891ba855c

    SHA1

    93eed8330d98cea17875d368d0996297c567cb32

    SHA256

    90f273c54c294b31e6057bfd0f1b2dd5941bb4755cace17063345be4927dbfdd

    SHA512

    14d65c19431d57924dce0d48612c801326eec054c1a5a14c8055ee168bd18dd7ba1ce573173490edae07920ec35120462f176059e65353ee6e1c167238a31ce4

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/268-0-0x0000000074261000-0x0000000074262000-memory.dmp

    Filesize

    4KB

  • memory/268-1-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/268-2-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/268-24-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2060-9-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2060-18-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB