Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 13:16

General

  • Target

    4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe

  • Size

    78KB

  • MD5

    425ca0a0d0e9bcca9812b5f48a56c955

  • SHA1

    721290757978f2fddd1b3cc6f5f200344a20b38e

  • SHA256

    4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1

  • SHA512

    c9f86663fb8f3a700ef3357b505c97eec17a0ae45235cf693f5a6378c44e4d2e47e896753e9000cae59587db36961d7addb5cda8ee6bc61b43d697683a09f0a3

  • SSDEEP

    1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zgq:sWV58BJywQjDgTLopLwdCFJzF9/2Jq

Malware Config

Signatures

  • MetamorpherRAT

    MetamorpherRAT is a hacking tool that has been in circulation since 2013.

  • Metamorpherrat family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
    "C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\35rgb9nn.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8383.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8382.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Users\Admin\AppData\Local\Temp\tmp8259.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp8259.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\35rgb9nn.0.vb

    Filesize

    14KB

    MD5

    15c023f4625a6dc998f9f506f11a1a03

    SHA1

    679e6a09607b98eb8df0dd3089c892233fd15d65

    SHA256

    40e44113f89273f3b1745a5ded36466a20bf5901f30f0cf51b7a9178b82cf4f3

    SHA512

    bc2ab27ddf90f7f460ca163d481ff6975fe99854ef87e007fd5cb6fc1812b5febbe8e4046217980ea5eb2eea2f9c7b44791b814756f23e20160f6e626d2a867e

  • C:\Users\Admin\AppData\Local\Temp\35rgb9nn.cmdline

    Filesize

    266B

    MD5

    b9a5d5c23f80f8d22546bcad9f8730b5

    SHA1

    85b8fea27aeac2e8eecba223857d45a69327d6c3

    SHA256

    3ae2703472823124b944ab05c96f8461129bcbd01049075f23dcfa3fe6fa0380

    SHA512

    41cf48e062392656ad86c220094530b731f3cbca888198fad49d8d18e64498a79e24f0847ce5f01741eed8204942af8e98b006765da50fd9eefe12dd600b6e6b

  • C:\Users\Admin\AppData\Local\Temp\RES8383.tmp

    Filesize

    1KB

    MD5

    f28068ff5216b5780fcb6719945f8ac4

    SHA1

    add48bcee8b488ee3bb43bb06c341cecb2376596

    SHA256

    c1d65a6f09ce59e552093a73fc629e46802e12eefa5b56b9053a2bfb23f5b5a5

    SHA512

    645187756b63179354803d8cbaeea34c256f37d2f3d15253cd5eb17382d3e91c7c262515ad06d35059a97bdd82f61e893a26c2b03f28fedfed579efb0ef99fa6

  • C:\Users\Admin\AppData\Local\Temp\tmp8259.tmp.exe

    Filesize

    78KB

    MD5

    c8e75db5da35ebd1f851dda76377d53d

    SHA1

    665e7a028d6f32752e23a14b0c91d892bbfb9cb8

    SHA256

    fdb9163127d9d3f02501700c7e92de8edf5bfa27adfcdf793b777119010c045c

    SHA512

    688f3534b9173929860d9ffe6443c5ba2617ee111616a24a274abc3300bffb6e7b86d3018305db9b8f03b31bd998710fd5b0a622955cfb1d130190b0f508702b

  • C:\Users\Admin\AppData\Local\Temp\vbc8382.tmp

    Filesize

    660B

    MD5

    6b6c0ee52149f4fc640a71557e7682df

    SHA1

    6c65ead8820df8d43610184193bc389d22673e35

    SHA256

    e37d7d364144a8ea558d7709cfc1c758f84dccc0963ef1ef882b64598d07059e

    SHA512

    4ce7eddeb26157faf2c7a238802738c635fb308ee4ddfa4a8308c8967a7507fe2bd6e1c47d84d360cfef625d50010239089862422061ec5a4aad8f2cbe77ba15

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/1144-8-0x0000000074530000-0x0000000074ADB000-memory.dmp

    Filesize

    5.7MB

  • memory/1144-18-0x0000000074530000-0x0000000074ADB000-memory.dmp

    Filesize

    5.7MB

  • memory/1792-0-0x0000000074531000-0x0000000074532000-memory.dmp

    Filesize

    4KB

  • memory/1792-1-0x0000000074530000-0x0000000074ADB000-memory.dmp

    Filesize

    5.7MB

  • memory/1792-2-0x0000000074530000-0x0000000074ADB000-memory.dmp

    Filesize

    5.7MB

  • memory/1792-24-0x0000000074530000-0x0000000074ADB000-memory.dmp

    Filesize

    5.7MB