Analysis

  • max time kernel: 105s
  • max time network: 115s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-12-2024 13:11

General

  • Target: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  • Size: 78KB
  • MD5: 425ca0a0d0e9bcca9812b5f48a56c955
  • SHA1: 721290757978f2fddd1b3cc6f5f200344a20b38e
  • SHA256: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1
  • SHA512: c9f86663fb8f3a700ef3357b505c97eec17a0ae45235cf693f5a6378c44e4d2e47e896753e9000cae59587db36961d7addb5cda8ee6bc61b43d697683a09f0a3
  • SSDEEP: 1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zgq:sWV58BJywQjDgTLopLwdCFJzF9/2Jq

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
    "C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\05mywqp1.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD78B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD78A.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2832
    • C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2152

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\05mywqp1.0.vb
    Filesize: 14KB
    MD5: 8dc9b8f183e0f301d4e312468af95c39
    SHA1: 7b10aa0a4452562ca2e2bc3c334ed0cbbcc4fdbc
    SHA256: bf3e2773e4f465288fe2ba7b4b294fb34d7fcbc799d57d1c67ebbc02b4786fb1
    SHA512: 8a6987fc683d4d974b7661b35cdabcd33d0b7686c1cfd4c2f54cc47215b9f1107e10003a2a063720975b12d90f250683b47e5a76de1b6bfe589de81d3f91c968

  • C:\Users\Admin\AppData\Local\Temp\05mywqp1.cmdline
    Filesize: 266B
    MD5: 998297b7d93600c58f51e4dac5ec4029
    SHA1: afa29133cd0d2c237e6b1ca988f8cc9c9e99eb22
    SHA256: f196e10087e82b61bc83fecf71cf0158fc78ab2a641d15dbefa16ed3c5357e01
    SHA512: ffdd0ca136077b8fcf2de1791ebb2deae4a34c4f8f2f1e4803d3db424eb55075dc4b004957dac494f196f02d77c84c4386c87470b26405307961b26d3cba6357

  • C:\Users\Admin\AppData\Local\Temp\RESD78B.tmp
    Filesize: 1KB
    MD5: e4895543ea09b0a6c6f6688c49fcdf33
    SHA1: ea68db6f90e00224de6f4a09a4e3bf54b15e98f4
    SHA256: fa0d30791df282fc2d21155e6d1572ab4001028dd1bea946ac841d0ae0a6bee5
    SHA512: 5c9bbe69258f49e1b81858a9ed949e9896e53bd5e04b1fa1418c0f972d56f20ea9a4a07388bdbb032cfe58eeace5aa7b1fd1c19d9cf9fc94b4eb1d800bf611fc

  • C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp.exe
    Filesize: 78KB
    MD5: 05b586bc87bc820f226114f96ec385c4
    SHA1: fb2d8b02bc93fb66bf7150cc3bc3c5fb630b7b71
    SHA256: afa34a85237f3bd72ea111865fb2011c0cdede329bc5f5ef59712e6687cfb902
    SHA512: acefc4abb8f2a62a2a3830cd6e35152aedec1694180e10e98b041ea75e33219da2c54f5e9e2186f6aa21fdc2ed7b8a674adcb34075677d2d2aaea531b66907db

  • C:\Users\Admin\AppData\Local\Temp\vbcD78A.tmp
    Filesize: 660B
    MD5: 55e628690bc676eb2ac7897b1504844d
    SHA1: c70e6d6c7a1c09ebc9030dbab39c7000a3051eb9
    SHA256: 52f8955c3c5479ea270d0bca9d1102850e769e64f21624f0ede2505ed17d1222
    SHA512: 6aece805eb9f52823539acffc843305a3333dcad3411fea4d5a45ea4eb0b5ac2d1700184db38028411e8dc5f877ca716c6150ab657d78d06c98636839aff1c4e

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 484967ab9def8ff17dd55476ca137721
    SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
    SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
    SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/2184-8-0x00000000745C0000-0x0000000074B6B000-memory.dmp
    Filesize: 5.7MB
  • memory/2184-18-0x00000000745C0000-0x0000000074B6B000-memory.dmp
    Filesize: 5.7MB
  • memory/2320-0-0x00000000745C1000-0x00000000745C2000-memory.dmp
    Filesize: 4KB
  • memory/2320-1-0x00000000745C0000-0x0000000074B6B000-memory.dmp
    Filesize: 5.7MB
  • memory/2320-2-0x00000000745C0000-0x0000000074B6B000-memory.dmp
    Filesize: 5.7MB
  • memory/2320-24-0x00000000745C0000-0x0000000074B6B000-memory.dmp
    Filesize: 5.7MB