Analysis
max time kernel: 105s
max time network: 115s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2024 13:11
Static task: static1
Behavioral task: behavioral1
  Sample: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Resource: win10v2004-20241007-en
General
Target: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Size: 78KB
MD5: 425ca0a0d0e9bcca9812b5f48a56c955
SHA1: 721290757978f2fddd1b3cc6f5f200344a20b38e
SHA256: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1
SHA512: c9f86663fb8f3a700ef3357b505c97eec17a0ae45235cf693f5a6378c44e4d2e47e896753e9000cae59587db36961d7addb5cda8ee6bc61b43d697683a09f0a3
SSDEEP: 1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zgq:sWV58BJywQjDgTLopLwdCFJzF9/2Jq
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.

MetamorpherRAT family
Executes dropped EXE (1 IoC)
pid   Process
2152  tmpD72D.tmp.exe

Loads dropped DLL (2 IoCs, both by the same process)
pid   Process
2320  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
2320  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Uses the VBS compiler for execution (1 TTP)
The process tree below shows the sample starting vbc.exe, the Visual Basic .NET command-line compiler (not a VBScript engine), with /noconfig and a @*.cmdline response file in the user's Temp directory, followed by cvtres.exe. That is the sequence a .NET program produces when it compiles source at run time; outside a build environment it is worth recovering the compiled output and the response file from the dropped files.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tmpD72D.tmp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   vbc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
Two of the four hits come from vbc.exe and cvtres.exe, Microsoft's own build tools, so opening this key is also routine locale initialisation; on its own it is weak evidence of deliberate geo-targeting.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid   Process
Token: SeDebugPrivilege   2320  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Suspicious use of WriteProcessMemory (12 IoCs; each row below was recorded four times)
description                          pid   Process                                                                 procid_target
PID 2320 wrote to memory of 2184     2320  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe   31
PID 2184 wrote to memory of 2832     2184  vbc.exe                                                                 33
PID 2320 wrote to memory of 2152     2320  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe   34
Every write goes from a parent into its own direct child (2320 into vbc.exe and tmpD72D.tmp.exe, vbc.exe into cvtres.exe), which is what ordinary process creation looks like from this vantage point; no write into an unrelated process is listed, so this signature alone does not indicate injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe (PID 2320)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2184)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\05mywqp1.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2832)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD78B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD78A.tmp"
         - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp.exe (PID 2152)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
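The process tree above is the pattern a detection should key on: a binary running out of the user's Temp directory drives vbc.exe with a response file, vbc.exe spawns cvtres.exe, and the sample then runs a dropped tmpXXXX.tmp.exe. The following is an added example, not code from the sandbox or its report, that reconstructs a process tree from constructed process-creation records and flags that chain, and separately checks the WriteProcessMemory records for writes that do not fit parent-to-child process creation. The PIDs, image paths and command lines are taken from the report; the sample's parent PID 1234, the csc.exe control case (PIDs 4000/4100) and the injection-style write 2152 -> 4100 are invented to exercise the checks, and every function name is mine.

```python
"""Added example: flag the run-time compilation chain and check the
WriteProcessMemory pattern from the sandbox report's process tree.
Event records are constructed from the report (see comments); they are
not sandbox output."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"

# Constructed process-creation records: (pid, parent pid, image, command line).
# PIDs/paths of the first four come from the report; parent PID 1234 is invented.
EVENTS = [
    (2320, 1234, SAMPLE, f'"{SAMPLE}"'),
    (2184, 2320, NET2 + r"\vbc.exe",
     f'"{NET2}\\vbc.exe" /noconfig @"{TEMP}\\05mywqp1.cmdline"'),
    (2832, 2184, NET2 + r"\cvtres.exe",
     f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESD78B.tmp" "{TEMP}\\vbcD78A.tmp"'),
    (2152, 2320, TEMP + r"\tmpD72D.tmp.exe", f'"{TEMP}\\tmpD72D.tmp.exe" {SAMPLE}'),
    # Invented control: a developer build whose response file lives in the project tree.
    (4100, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig @"C:\Users\Admin\source\repos\app\obj\Debug\app.cmdline"'),
]

# The report's 12 WriteProcessMemory records, de-duplicated to (writer, target).
REPORT_WRITES = [(2320, 2184), (2184, 2832), (2320, 2152)]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
DROPPED_TMP_EXE = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.IGNORECASE)
COMPILERS = {"vbc.exe", "csc.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """pid -> (ppid, image, cmdline) and ppid -> [child pids]."""
    procs = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = {}
    for pid, (ppid, _, _) in procs.items():
        children.setdefault(ppid, []).append(pid)
    return procs, children


def image_of(procs, pid):
    return procs[pid][1] if pid in procs else "<unknown>"


def compiler_chain_findings(events):
    """Return (finding, pid, process name, related process name) tuples."""
    procs, children = build_tree(events)
    findings = []
    for pid, (ppid, image, cmd) in procs.items():
        name = basename(image)
        if name in COMPILERS:
            parent = image_of(procs, ppid)
            m = RESPONSE_FILE.search(cmd)
            # A compiler fed a response file from %TEMP%, or started by a
            # process that itself lives in %TEMP%, is not a developer build.
            if (m and USER_TEMP.search(m.group(1))) or USER_TEMP.search(parent):
                findings.append(("compiler_driven_from_temp", pid, name, basename(parent)))
            # cvtres.exe under the compiler is the resource step of the same build.
            for child in children.get(pid, []):
                if basename(procs[child][1]) == "cvtres.exe":
                    findings.append(("cvtres_child_of_compiler", child, "cvtres.exe", name))
        # tmpXXXX.tmp.exe executed out of %TEMP% is the dropped-EXE pattern.
        if USER_TEMP.search(image) and DROPPED_TMP_EXE.search(image):
            findings.append(("dropped_tmp_exe_from_temp", pid, name,
                             basename(image_of(procs, ppid))))
    return findings


def foreign_memory_writes(writes, events):
    """WriteProcessMemory targets that are not the writer's direct child.
    Parent -> child writes are what process creation looks like; anything
    else is the injection case worth escalating."""
    procs, _ = build_tree(events)
    return [(w, t) for w, t in writes if t not in procs or procs[t][0] != w]


if __name__ == "__main__":
    for finding in compiler_chain_findings(EVENTS):
        print(*finding)
    print("foreign writes:", foreign_memory_writes(REPORT_WRITES + [(2152, 4100)], EVENTS))
```

Run against the constructed records, the three findings are vbc.exe driven from Temp by the sample, cvtres.exe as vbc.exe's child, and tmpD72D.tmp.exe executed from Temp; the csc.exe control produces nothing because neither its parent nor its response file is in Temp. The report's own write records come back clean, and only the invented 2152 -> 4100 write is reported as foreign.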
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 8dc9b8f183e0f301d4e312468af95c39
SHA1: 7b10aa0a4452562ca2e2bc3c334ed0cbbcc4fdbc
SHA256: bf3e2773e4f465288fe2ba7b4b294fb34d7fcbc799d57d1c67ebbc02b4786fb1
SHA512: 8a6987fc683d4d974b7661b35cdabcd33d0b7686c1cfd4c2f54cc47215b9f1107e10003a2a063720975b12d90f250683b47e5a76de1b6bfe589de81d3f91c968

Filesize: 266B
MD5: 998297b7d93600c58f51e4dac5ec4029
SHA1: afa29133cd0d2c237e6b1ca988f8cc9c9e99eb22
SHA256: f196e10087e82b61bc83fecf71cf0158fc78ab2a641d15dbefa16ed3c5357e01
SHA512: ffdd0ca136077b8fcf2de1791ebb2deae4a34c4f8f2f1e4803d3db424eb55075dc4b004957dac494f196f02d77c84c4386c87470b26405307961b26d3cba6357

Filesize: 1KB
MD5: e4895543ea09b0a6c6f6688c49fcdf33
SHA1: ea68db6f90e00224de6f4a09a4e3bf54b15e98f4
SHA256: fa0d30791df282fc2d21155e6d1572ab4001028dd1bea946ac841d0ae0a6bee5
SHA512: 5c9bbe69258f49e1b81858a9ed949e9896e53bd5e04b1fa1418c0f972d56f20ea9a4a07388bdbb032cfe58eeace5aa7b1fd1c19d9cf9fc94b4eb1d800bf611fc

Filesize: 78KB
MD5: 05b586bc87bc820f226114f96ec385c4
SHA1: fb2d8b02bc93fb66bf7150cc3bc3c5fb630b7b71
SHA256: afa34a85237f3bd72ea111865fb2011c0cdede329bc5f5ef59712e6687cfb902
SHA512: acefc4abb8f2a62a2a3830cd6e35152aedec1694180e10e98b041ea75e33219da2c54f5e9e2186f6aa21fdc2ed7b8a674adcb34075677d2d2aaea531b66907db

Filesize: 660B
MD5: 55e628690bc676eb2ac7897b1504844d
SHA1: c70e6d6c7a1c09ebc9030dbab39c7000a3051eb9
SHA256: 52f8955c3c5479ea270d0bca9d1102850e769e64f21624f0ede2505ed17d1222
SHA512: 6aece805eb9f52823539acffc843305a3333dcad3411fea4d5a45ea4eb0b5ac2d1700184db38028411e8dc5f877ca716c6150ab657d78d06c98636839aff1c4e

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7