Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2024 04:58
Static task: static1
Behavioral task: behavioral1
  Sample: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
  Resource: win10v2004-20241007-en
General
Target: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
Size: 78KB
MD5: afc6fded921afb40f5e26ab338e8ad70
SHA1: 0a2accb72355abc331bb8f569eebdfe61d41a38e
SHA256: bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930f
SHA512: 73b03b7f756f5992024b787643a5cfdac64a88b9ef9cd28a70944ab82149fcf8c16fde01603a23fe3d4a1ccd605bd9bd96c9a9509395a5176f768016f2d11cfc
SSDEEP: 1536:LtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt869/C1Hd:LtHYnhASyRxvhTzXPvCbW2U869/e
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
MetamorpherRAT family
Executes dropped EXE (1 IoC)
  PID 2220  tmpA083.tmp.exe
Loads dropped DLL (2 IoCs)
  PID 2524  bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
  PID 2524  bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
Uses the VBS compiler for execution (1 TTP)
The sample launches vbc.exe (the Visual Basic .NET compiler that ships with the .NET Framework) with /noconfig and a response file in %TEMP% (xfixjomq.cmdline); vbc.exe in turn runs cvtres.exe, so code is compiled on the host at run time. See the process tree below.
Adds Run key to start application (2 TTPs, 1 IoC)
  Operation: Set value (str)
  Key: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf
  Data: "C:\Users\Admin\AppData\Local\Temp\System.Web.exe"
  Process: tmpA083.tmp.exe
The value name (aspnet_state_perf) and the target file name (System.Web.exe) both borrow the names of legitimate .NET components, but the target sits in the user's Temp directory; a Run value pointing into %TEMP% is the element to hunt on.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by vbc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cvtres.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by tmpA083.tmp.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
Note that the two Microsoft compiler processes trigger this signature as well as the sample and its dropped executable; on its own the NLS\Language read is low-signal.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2524  bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
  Token: SeDebugPrivilege  PID 2220  tmpA083.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2524 (bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe) wrote to memory of PID 2412 (vbc.exe), procid_target 30, reported 4 times
  PID 2412 (vbc.exe) wrote to memory of PID 2880 (cvtres.exe), procid_target 32, reported 4 times
  PID 2524 (bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe) wrote to memory of PID 2220 (tmpA083.tmp.exe), procid_target 33, reported 4 times
Each writer/target pair here is a parent and the child it spawns in the process tree below, and process creation itself writes into the new process; this signature therefore records the three CreateProcess calls rather than demonstrating injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe"
  PID: 2524
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xfixjomq.cmdline"
    PID: 2412
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA14F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA14E.tmp"
      PID: 2880
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe
    PID: 2220
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
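An added triage example, not part of the sandbox report and not the sample's own code: it replays the report's process tree, Run-key write and WriteProcessMemory pairs as constructed event records and applies the checks a detection engineer would derive from this run. The record schema (type, pid, ppid, image, cmdline, key, data), the parent PID 1500 and the two benign control records (an IDE build that also runs a .NET compiler, and a vendor Run entry) are assumptions. The last function shows that every WriteProcessMemory pair in the report coincides with a parent creating a child, which is why that signature alone is weak evidence of injection.

```python
"""Triage checks derived from the sandbox run above (added example, not the
report's or the sample's own code). EVENTS is constructed telemetry modelled on
the report's process tree, Run-key IoC and WriteProcessMemory pairs, plus two
benign control records; the field names are an assumed schema, not Sysmon/EDR."""
import ntpath
import re
from typing import Dict, List, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\bd744035464adb6a18c301e6fef7888313617f988dafc0ae2d0151b3d143930fN.exe"
DROPPED = TEMP + r"\tmpA083.tmp.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"

EVENTS: List[Dict] = [
    {"type": "process", "pid": 2524, "ppid": 1500, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"type": "process", "pid": 2412, "ppid": 2524, "image": VBC,
     "cmdline": '"' + VBC + '" /noconfig @"' + TEMP + r'\xfixjomq.cmdline"'},
    {"type": "process", "pid": 2880, "ppid": 2412, "image": CVTRES,
     "cmdline": CVTRES + ' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESA14F.tmp" "' + TEMP + r'\vbcA14E.tmp"'},
    {"type": "process", "pid": 2220, "ppid": 2524, "image": DROPPED, "cmdline": '"' + DROPPED + '" ' + SAMPLE},
    {"type": "registry", "pid": 2220, "image": DROPPED,
     "key": r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf",
     "data": '"' + TEMP + r'\System.Web.exe"'},
    # Constructed benign controls: an IDE build that also runs a .NET compiler,
    # and a vendor Run entry pointing at Program Files.
    {"type": "process", "pid": 3100, "ppid": 1500, "cmdline": "devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"type": "process", "pid": 3101, "ppid": 3100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\Projects\App\obj\Debug\App.cmdline"'},
    {"type": "registry", "pid": 3200, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "data": r'"C:\Program Files\Vendor\agent.exe"'},
]
# The report's twelve WriteProcessMemory IoCs as (writer PID, target PID).
WPM_WRITES: List[Tuple[int, int]] = [(2524, 2412)] * 4 + [(2412, 2880)] * 4 + [(2524, 2220)] * 4

# Directories an unprivileged user can write to; tune this list for your estate.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData\\Local\\Temp|Windows\\Temp|Users\\Public|ProgramData)\\", re.I)
COMPILERS = {"vbc.exe", "csc.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def _procs(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events if e["type"] == "process"}


def detect_runtime_compile(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """A .NET compiler fed a response file from a user-writable directory by a
    parent that itself runs from one: the vbc.exe /noconfig @...cmdline pattern."""
    procs, hits = _procs(events), []
    for e in events:
        if e["type"] != "process" or ntpath.basename(e["image"]).lower() not in COMPILERS:
            continue
        m = re.search(r'@"?([^"\s]+\.cmdline)', e["cmdline"], re.I)
        parent = procs.get(e["ppid"])
        if m and in_user_writable(m.group(1)) and parent and in_user_writable(parent["image"]):
            hits.append((e["ppid"], e["pid"], m.group(1)))
    return hits


def detect_temp_spawned_exe(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """Executable in a user-writable directory started by another one (the
    sample launching tmpA083.tmp.exe)."""
    procs, hits = _procs(events), []
    for e in events:
        parent = procs.get(e.get("ppid"))
        if e["type"] == "process" and parent and in_user_writable(e["image"]) and in_user_writable(parent["image"]):
            hits.append((e["ppid"], e["pid"], ntpath.basename(e["image"]).lower()))
    return hits


def detect_run_key_to_user_writable(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run/RunOnce value whose target lives in a user-writable directory."""
    return [(e["pid"], ntpath.basename(e["key"]), e["data"]) for e in events
            if e["type"] == "registry" and RUN_KEY.search(e["key"]) and in_user_writable(e["data"])]


def wpm_outside_process_tree(events: List[Dict], writes: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """WriteProcessMemory pairs that are not a parent writing into a child it
    created. Process creation itself writes into the new process, so pairs that
    match the tree are expected; only the remainder suggests injection."""
    edges = {(e["ppid"], e["pid"]) for e in events if e["type"] == "process"}
    return sorted({w for w in writes if w not in edges})


if __name__ == "__main__":
    print("runtime compile      :", detect_runtime_compile(EVENTS))
    print("temp child exe       :", detect_temp_spawned_exe(EVENTS))
    print("run key -> temp      :", detect_run_key_to_user_writable(EVENTS))
    print("wpm not parent->child:", wpm_outside_process_tree(EVENTS, WPM_WRITES))
```

The benign csc.exe build is not flagged because its response file and its parent (devenv.exe) live outside the user-writable set, and the vendor Run entry is not flagged because it points into Program Files; the two conditions together, not the compiler or the Run key alone, are what separate this run from normal developer activity. With the twelve WriteProcessMemory pairs the last check returns an empty list, confirming they all map onto the three child processes in the tree.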
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: ae1a85bb40cfcf18c8e144645dfa54a1
  SHA1: fbf523bd52d0cb27a94e59aaaa8c98d5ef7fce71
  SHA256: eca0ba690cb2111c2926572619bcca16c5f9828272608a2f57b8bdb8bbb20bb7
  SHA512: f962837c39b5310746d13ab1e4a2c589d869e6514950830f0159b81a97c1f1b7a53be634a3cd6b2214f31fc63a7460111bf07eae83a3eff7e7947649b56fd6a9
File 2
  Filesize: 78KB
  MD5: 7cb308bf97fccfd047d722d47278c3da
  SHA1: 8f07ac27b08fc0c09ab52a8b1fb75ad2bcf8c968
  SHA256: f5e07cbc74df521c80c72af28826ef368d1be22416fa1a7b6d46e43dc2d93583
  SHA512: 814a120910a365a45084448655a41f4e653e652b82679f77209f6111e3aea8e4296079bb9eb808410373983c47d42881e5a9e56844ae1218e6d436af56e29eee
File 3
  Filesize: 660B
  MD5: 62ef224f48a720744785a54e93336c9f
  SHA1: 3f7980684fe97998f854c551b2236fe951165325
  SHA256: f9525713531c0d5a8089972ff8602bf0c3f2d8c1133ed8adbb361e8582c6664d
  SHA512: ec61d018fd8ffbfc690b98768b5f4d1076afdc9da02b5e6e334d1b893b39db32cde963d9ebb0d00cf865cfa5f8c414189cfce251c0817b0d4cc47b6aedc5cd11
File 4
  Filesize: 15KB
  MD5: b5da4cdce652eef9e9bcb72d4bd61125
  SHA1: 976fb87500778b209495ecd0c0fbbe6804046004
  SHA256: bcea22aaf4fc64f42011421a4daaaf91edf1b53efd165d17eddbe0c6212ee120
  SHA512: 45c60a60a7612fadbb7e639b87f614f0150d90b7c4948ef89d5b63bdcfaebf3905852ac1cc846ec29af769e8010ce0bfa386fae86fe032f64cc2db8214460a78
File 5
  Filesize: 266B
  MD5: 13d3cb6cd3a385e1f50a61655ad61529
  SHA1: 8221a74f2f2c85a0e16450a6afcd605d32eda502
  SHA256: f3759457f86889e4ed1ff385c6962b912ecb5e8258e37050a8e1206f837370b8
  SHA512: 2dbc19921ac334d011edf08875d4a96c49d07d98e429f310bce3da6a3316f9c333a408c19274159edeef721c711bdb14033d28f8553c5712f171147ff79c58f0
File 6
  Filesize: 62KB
  MD5: 8fd8e054ba10661e530e54511658ac20
  SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
  SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
  SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c