Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2024 13:16
Static task: static1
Behavioral task: behavioral1
  Sample: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Resource: win10v2004-20241007-en
General
Target: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Size: 78KB
MD5: 425ca0a0d0e9bcca9812b5f48a56c955
SHA1: 721290757978f2fddd1b3cc6f5f200344a20b38e
SHA256: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1
SHA512: c9f86663fb8f3a700ef3357b505c97eec17a0ae45235cf693f5a6378c44e4d2e47e896753e9000cae59587db36961d7addb5cda8ee6bc61b43d697683a09f0a3
SSDEEP: 1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zgq:sWV58BJywQjDgTLopLwdCFJzF9/2Jq
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access trojan that has been in circulation since 2013.
MetamorpherRAT family
Executes dropped EXE (1 IoC)
  PID 2728  tmp8259.tmp.exe
Loads dropped DLL (2 IoCs)
  PID 1792  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  PID 1792  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
vbc.exe is the VB.NET command-line compiler, not the VBScript engine. In the process tree below the sample invokes it from its own Temp directory with a .cmdline response file, the compiler in turn spawns cvtres.exe (the resource-linking step of a compile), and the sample then runs tmp8259.tmp.exe, which it dropped alongside. Compiling on the victim at run time lets the final payload avoid existing on disk in the original sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp8259.tmp.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Two of the four hits come from Microsoft's own vbc.exe and cvtres.exe, the .NET Framework tools the sample invoked; this key is opened by a great many benign processes during start-up, so on its own it is a weak indicator.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 1792  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Suspicious use of WriteProcessMemory (12 IoCs; each row below appears four times in the report)
  description                          pid   Process                                                                   procid_target
  PID 1792 wrote to memory of 1144     1792  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe      30
  PID 1144 wrote to memory of 2716     1144  vbc.exe                                                                   32
  PID 1792 wrote to memory of 2728     1792  4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe      33
Every target (1144, 2716, 2728) is a child the writing process had just spawned, as the process tree shows, so these entries coincide with process creation. No write into an unrelated, pre-existing process is recorded, which is what would distinguish injection from a spawn side effect.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
    PID: 1792
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\35rgb9nn.cmdline"
        PID: 1144
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8383.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8382.tmp"
            PID: 2716
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\tmp8259.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8259.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
        PID: 2728
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
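The process tree above is the characteristic shape of a .NET run-time compile: a binary living in the user's Temp directory launches vbc.exe with a .cmdline response file, vbc.exe spawns cvtres.exe, and the parent then executes a new Temp binary. The following detection is an added example written for this page, not code from the sandbox or from the sample. Its event records are constructed from the PIDs and command lines shown above; the record schema (seq, pid, ppid, image, cmdline) is an assumed normalised form rather than any particular EDR's export, the sample's own parent PID is not on the page and is left as None, and csc.exe is included as the C# counterpart of vbc.exe although the report only shows vbc.exe.

```python
"""Flag a run-time .NET compile chain (Temp-resident parent -> vbc/csc -> cvtres
-> new Temp binary) in normalised process-creation events."""
import re
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe")
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree; seq is the order of creation.
# ppid of the sample itself is not shown on the page, hence None (assumption).
EVENTS = [
    {"seq": 0, "pid": 1792, "ppid": None, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"seq": 1, "pid": 1144, "ppid": 1792, "image": FW + r"\vbc.exe",
     "cmdline": '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\35rgb9nn.cmdline"'},
    {"seq": 2, "pid": 2716, "ppid": 1144, "image": FW + r"\cvtres.exe",
     "cmdline": FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:'
                + TEMP + r'\RES8383.tmp" "' + TEMP + r'\vbc8382.tmp"'},
    {"seq": 3, "pid": 2728, "ppid": 1792, "image": TEMP + r"\tmp8259.tmp.exe",
     "cmdline": '"' + TEMP + r'\tmp8259.tmp.exe" ' + SAMPLE},
]

# csc.exe is an assumed generalisation; only vbc.exe appears in the report.
COMPILERS = {"vbc.exe", "csc.exe"}
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def find_compile_chains(events):
    """Return one finding per compiler launch whose parent runs from the user's
    Temp directory and which is driven by a .cmdline response file.  Each
    finding also records whether cvtres.exe ran under the compiler (a resource
    section being linked into the new PE) and which Temp binaries the same
    parent executed after the compile (the likely output)."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for comp in events:
        if basename(comp["image"]) not in COMPILERS:
            continue
        if not RESPONSE_FILE.search(comp["cmdline"]):
            continue  # IDE and build-server compiles are not the pattern here
        parent = by_pid.get(comp["ppid"])
        if parent is None or not USER_TEMP.search(parent["image"]):
            continue  # legitimate build tooling does not live in %TEMP%
        linked_resources = any(basename(c["image"]) == "cvtres.exe"
                               for c in children.get(comp["pid"], []))
        executed_after = [c["pid"] for c in children.get(parent["pid"], [])
                          if c["seq"] > comp["seq"] and USER_TEMP.search(c["image"])]
        findings.append({
            "parent_pid": parent["pid"],
            "compiler_pid": comp["pid"],
            "compiler": basename(comp["image"]),
            "linked_resources": linked_resources,
            "executed_after": executed_after,
        })
    return findings


if __name__ == "__main__":
    for finding in find_compile_chains(EVENTS):
        print(finding)
```

Run against the constructed events this yields a single finding: parent 1792 drove vbc.exe (1144) from a response file, cvtres.exe ran beneath it, and 1792 then executed PID 2728 out of Temp. The parent-directory check is what keeps developer workstations quiet; a Visual Studio or MSBuild-driven vbc.exe never runs from the user's Temp directory.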
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 15c023f4625a6dc998f9f506f11a1a03
SHA1: 679e6a09607b98eb8df0dd3089c892233fd15d65
SHA256: 40e44113f89273f3b1745a5ded36466a20bf5901f30f0cf51b7a9178b82cf4f3
SHA512: bc2ab27ddf90f7f460ca163d481ff6975fe99854ef87e007fd5cb6fc1812b5febbe8e4046217980ea5eb2eea2f9c7b44791b814756f23e20160f6e626d2a867e

Filesize: 266B
MD5: b9a5d5c23f80f8d22546bcad9f8730b5
SHA1: 85b8fea27aeac2e8eecba223857d45a69327d6c3
SHA256: 3ae2703472823124b944ab05c96f8461129bcbd01049075f23dcfa3fe6fa0380
SHA512: 41cf48e062392656ad86c220094530b731f3cbca888198fad49d8d18e64498a79e24f0847ce5f01741eed8204942af8e98b006765da50fd9eefe12dd600b6e6b

Filesize: 1KB
MD5: f28068ff5216b5780fcb6719945f8ac4
SHA1: add48bcee8b488ee3bb43bb06c341cecb2376596
SHA256: c1d65a6f09ce59e552093a73fc629e46802e12eefa5b56b9053a2bfb23f5b5a5
SHA512: 645187756b63179354803d8cbaeea34c256f37d2f3d15253cd5eb17382d3e91c7c262515ad06d35059a97bdd82f61e893a26c2b03f28fedfed579efb0ef99fa6

Filesize: 78KB
MD5: c8e75db5da35ebd1f851dda76377d53d
SHA1: 665e7a028d6f32752e23a14b0c91d892bbfb9cb8
SHA256: fdb9163127d9d3f02501700c7e92de8edf5bfa27adfcdf793b777119010c045c
SHA512: 688f3534b9173929860d9ffe6443c5ba2617ee111616a24a274abc3300bffb6e7b86d3018305db9b8f03b31bd998710fd5b0a622955cfb1d130190b0f508702b

Filesize: 660B
MD5: 6b6c0ee52149f4fc640a71557e7682df
SHA1: 6c65ead8820df8d43610184193bc389d22673e35
SHA256: e37d7d364144a8ea558d7709cfc1c758f84dccc0963ef1ef882b64598d07059e
SHA512: 4ce7eddeb26157faf2c7a238802738c635fb308ee4ddfa4a8308c8967a7507fe2bd6e1c47d84d360cfef625d50010239089862422061ec5a4aad8f2cbe77ba15

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7