Analysis
Max time kernel: 115s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 03-12-2024 15:34
Static task: static1
Behavioral task: behavioral1
  Sample: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Resource: win10v2004-20241007-en
General
Target: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
Size: 78KB
MD5: c3188ef20600f037fa5bec196cfa86d0
SHA1: 4f90a91d9c70bb6b67a1d0257f0bd83aa3e4ef02
SHA256: d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5d
SHA512: 56bf2c793e6299c3c1f8d929d99003082f3fbc9f9b96e16ba3da657ae63eb40491b2eb56f86c0b83bb95a8fb608bb03e93e60ecbbd25236a157fd535bb9877f4
SSDEEP: 1536:o5jS5XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96+9/9t1m6:o5jSpSyRxvhTzXPvCbW2UZ9/9p
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.
Metamorpherrat family
Executes dropped EXE (1 IoC)
  PID   Process
  2068  tmpC3EB.tmp.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                                                           Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""  tmpC3EB.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpC3EB.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description               PID   Process
  Token: SeDebugPrivilege   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Token: SeDebugPrivilege   2068  tmpC3EB.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                                                                  Target PID
  PID 2136 wrote to memory of 1684   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  30
  PID 2136 wrote to memory of 1684   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  30
  PID 2136 wrote to memory of 1684   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  30
  PID 2136 wrote to memory of 1684   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  30
  PID 1684 wrote to memory of 2428   1684  vbc.exe                                                                  32
  PID 1684 wrote to memory of 2428   1684  vbc.exe                                                                  32
  PID 1684 wrote to memory of 2428   1684  vbc.exe                                                                  32
  PID 1684 wrote to memory of 2428   1684  vbc.exe                                                                  32
  PID 2136 wrote to memory of 2068   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  33
  PID 2136 wrote to memory of 2068   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  33
  PID 2136 wrote to memory of 2068   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  33
  PID 2136 wrote to memory of 2068   2136  d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe  33
Processes
C:\Users\Admin\AppData\Local\Temp\d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe"
  PID: 2136
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfl_zfi0.cmdline"
    PID: 1684
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4B7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC4B6.tmp"
      PID: 2428
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC3EB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d6e74ffe587bfd14453207922782c45d95ac62c9176389fa66bb86698b192b5dN.exe
    PID: 2068
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 87fba16ead844a8b2334176cdf11ad5d
SHA1: 1335dfa287cb44855402c52f93ba4376e4a2f383
SHA256: 9243c9ee526cb032bef9e4e4fa9f4365b7c3a77f25e9052c0cfa02e0f7c1fa8b
SHA512: f557f14560e67fe010baadd4623ff4f1277a1cececc2216ec079a6dbeffb3b41151f7bf2650a9628f9dd26e3164e9a933134d9d1ce2cf2427798b1571be83bd8
-
Filesize: 14KB
MD5: 34cffd756fcc5e09b730378f7b877271
SHA1: 8d4315ec061e0d8555ae5510db715843d5d918ff
SHA256: 4c374e40b396404d6cc70856d41805059f2750fdb04dd57cf122e7e781a2e042
SHA512: aab180390c75bf37dde758dfcdd3dae209d129ec29fb2a845f6d53296b7d99568f447283684b8344b8a4b221f6ad792cee4e01aad1e1e54fc0318fd10bf3cf12
-
Filesize: 266B
MD5: 37ccee6fa9d4a1669572363f047fb6f5
SHA1: e7a617bb2f250f22759bb4fbad79c1368f73ff43
SHA256: a5ca9be4812cc1baf0d018476f1f371b0bb8fc698d721e3c975c086147ff1d0b
SHA512: 006ea6eb4afababe591c6f96f19ed1967d166f6ad385e2d49f529213a9972c965164e44eac004d3b9c4e277f58760f31d4f4bcf2ec903a85ee1fac2855ab8194
-
Filesize: 78KB
MD5: 7461cf99cdd584364dac321aa192da70
SHA1: f020ddfe468e266ab69dcd4d0c6e8f82a3eee2b9
SHA256: 53d1a43301a0ae2504f50c01d386f74c0d830607b99d917d70dba7847c1e408f
SHA512: 9d0b1577942738e8fb4265f03c0c6403c13218101b3279de67c6ec3ffb26660566584edd65c9b3058a7d98bd2f1edbaf8797c3a4008d78403f16725236d66123
-
Filesize: 660B
MD5: 1b497b29fd75560f11ea0d01594e8fa5
SHA1: fe038da1ca9abc592f2b8481e44d58737f3c8ac9
SHA256: db291966b9a3f83aadb65872fbd9f0bb812a9c64042dd4ab3f1fdb0ecef8f7c6
SHA512: 5e6789429ce5484255e0c763f7bf271fcaeec66f0aa82fde62dc583e6e85f438716c4db25aefa174efd250c8eec581a377a3f507f426b356935d3653e6c5a916
-
Filesize: 62KB
MD5: 8fd8e054ba10661e530e54511658ac20
SHA1: 72911622012ddf68f95c1e1424894ecb4442e6fd
SHA256: 822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7
SHA512: c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c