Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 04:58

General

  • Target

    bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe

  • Size

    78KB

  • MD5

    afc6fded921afb40f5e26ab338e8ad70

  • SHA1

    0a2accb72355abc331bb8f569eebdfe61d41a38e

  • SHA256

    bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930f

  • SHA512

    73b03b7f756f5992024b787643a5cfdac64a88b9ef9cd28a70944ab82149fcf8c16fde01603a23fe3d4a1ccd605bd9bd96c9a9509395a5176f768016f2d11cfc

  • SSDEEP

    1536:LtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt869/C1Hd:LtHYnhASyRxvhTzXPvCbW2U869/e

Malware Config

Signatures

  • MetamorpherRAT

    Metamorpherrat is a hacking tool that has been around for a while since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
    "C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xfixjomq.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA14F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA14E.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2880
    • C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA14F.tmp

    Filesize

    1KB

    MD5

    ae1a85bb40cfcf18c8e144645dfa54a1

    SHA1

    fbf523bd52d0cb27a94e59aaaa8c98d5ef7fce71

    SHA256

    eca0ba690cb2111c2926572619bcca16c5f9828272608a2f57b8bdb8bbb20bb7

    SHA512

    f962837c39b5310746d13ab1e4a2c589d869e6514950830f0159b81a97c1f1b7a53be634a3cd6b2214f31fc63a7460111bf07eae83a3eff7e7947649b56fd6a9

  • C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp.exe

    Filesize

    78KB

    MD5

    7cb308bf97fccfd047d722d47278c3da

    SHA1

    8f07ac27b08fc0c09ab52a8b1fb75ad2bcf8c968

    SHA256

    f5e07cbc74df521c80c72af28826ef368d1be22416fa1a7b6d46e43dc2d93583

    SHA512

    814a120910a365a45084448655a41f4e653e652b82679f77209f6111e3aea8e4296079bb9eb808410373983c47d42881e5a9e56844ae1218e6d436af56e29eee

  • C:\Users\Admin\AppData\Local\Temp\vbcA14E.tmp

    Filesize

    660B

    MD5

    62ef224f48a720744785a54e93336c9f

    SHA1

    3f7980684fe97998f854c551b2236fe951165325

    SHA256

    f9525713531c0d5a8089972ff8602bf0c3f2d8c1133ed8adbb361e8582c6664d

    SHA512

    ec61d018fd8ffbfc690b98768b5f4d1076afdc9da02b5e6e334d1b893b39db32cde963d9ebb0d00cf865cfa5f8c414189cfce251c0817b0d4cc47b6aedc5cd11

  • C:\Users\Admin\AppData\Local\Temp\xfixjomq.0.vb

    Filesize

    15KB

    MD5

    b5da4cdce652eef9e9bcb72d4bd61125

    SHA1

    976fb87500778b209495ecd0c0fbbe6804046004

    SHA256

    bcea22aaf4fc64f42011421a4daaaf91edf1b53efd165d17eddbe0c6212ee120

    SHA512

    45c60a60a7612fadbb7e639b87f614f0150d90b7c4948ef89d5b63bdcfaebf3905852ac1cc846ec29af769e8010ce0bfa386fae86fe032f64cc2db8214460a78

  • C:\Users\Admin\AppData\Local\Temp\xfixjomq.cmdline

    Filesize

    266B

    MD5

    13d3cb6cd3a385e1f50a61655ad61529

    SHA1

    8221a74f2f2c85a0e16450a6afcd605d32eda502

    SHA256

    f3759457f86889e4ed1ff385c6962b912ecb5e8258e37050a8e1206f837370b8

    SHA512

    2dbc19921ac334d011edf08875d4a96c49d07d98e429f310bce3da6a3316f9c333a408c19274159edeef721c711bdb14033d28f8553c5712f171147ff79c58f0

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8fd8e054ba10661e530e54511658ac20

    SHA1

    72911622012ddf68f95c1e1424894ecb4442e6fd

    SHA256

    822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

    SHA512

    c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

  • memory/2412-8-0x0000000074FC0000-0x000000007556B000-memory.dmp

    Filesize

    5.7MB

  • memory/2412-18-0x0000000074FC0000-0x000000007556B000-memory.dmp

    Filesize

    5.7MB

  • memory/2524-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

    Filesize

    4KB

  • memory/2524-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

    Filesize

    5.7MB

  • memory/2524-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

    Filesize

    5.7MB

  • memory/2524-24-0x0000000074FC0000-0x000000007556B000-memory.dmp

    Filesize

    5.7MB